Malware Analysis Report

2025-01-23 06:49

Sample ID 241105-gqr9cswcmc
Target dba466c9ad7150f00c68896332da6af0364641c1693668db9159405042ec4945
SHA256 dba466c9ad7150f00c68896332da6af0364641c1693668db9159405042ec4945
Tags
healer redline dozt norm discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dba466c9ad7150f00c68896332da6af0364641c1693668db9159405042ec4945

Threat Level: Known bad

The file dba466c9ad7150f00c68896332da6af0364641c1693668db9159405042ec4945 was found to be: Known bad.

Malicious Activity Summary

Modifies Windows Defender Real-time Protection settings

Healer family

Healer

Detects Healer, an antivirus disabler dropper

Redline family

RedLine

RedLine payload

Windows security modification

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-05 06:00

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-05 06:00

Reported

2024-11-05 06:03

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dba466c9ad7150f00c68896332da6af0364641c1693668db9159405042ec4945.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr960422.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr960422.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr960422.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr960422.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr960422.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr960422.exe N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku061743.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr960422.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\dba466c9ad7150f00c68896332da6af0364641c1693668db9159405042ec4945.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zieE4815.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dba466c9ad7150f00c68896332da6af0364641c1693668db9159405042ec4945.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zieE4815.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku061743.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr973479.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr960422.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr960422.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr960422.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku061743.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1460 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\dba466c9ad7150f00c68896332da6af0364641c1693668db9159405042ec4945.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zieE4815.exe
PID 1460 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\dba466c9ad7150f00c68896332da6af0364641c1693668db9159405042ec4945.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zieE4815.exe
PID 1460 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\dba466c9ad7150f00c68896332da6af0364641c1693668db9159405042ec4945.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zieE4815.exe
PID 2088 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zieE4815.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr960422.exe
PID 2088 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zieE4815.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr960422.exe
PID 2088 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zieE4815.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku061743.exe
PID 2088 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zieE4815.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku061743.exe
PID 2088 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zieE4815.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku061743.exe
PID 4968 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku061743.exe C:\Windows\Temp\1.exe
PID 4968 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku061743.exe C:\Windows\Temp\1.exe
PID 4968 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku061743.exe C:\Windows\Temp\1.exe
PID 1460 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\dba466c9ad7150f00c68896332da6af0364641c1693668db9159405042ec4945.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr973479.exe
PID 1460 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\dba466c9ad7150f00c68896332da6af0364641c1693668db9159405042ec4945.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr973479.exe
PID 1460 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\dba466c9ad7150f00c68896332da6af0364641c1693668db9159405042ec4945.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr973479.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dba466c9ad7150f00c68896332da6af0364641c1693668db9159405042ec4945.exe

"C:\Users\Admin\AppData\Local\Temp\dba466c9ad7150f00c68896332da6af0364641c1693668db9159405042ec4945.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zieE4815.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zieE4815.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr960422.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr960422.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku061743.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku061743.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4968 -ip 4968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 1368

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr973479.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr973479.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zieE4815.exe

MD5 97608d80760bbeac6d014c424b62aacd
SHA1 a24e4848abc669e5600ba90f946dae5c6aa6bd26
SHA256 7f53e3cd183e76a48cc61b4fbf3bcda089a5074944ca07bf4025a4d55228726d
SHA512 57f070cf78ae1ec9395240fb44d79a6b51fbff928f8ebe1ec95bbe4a63156f14992f3c1c87fa6284ad4daa38b204bb8c5292d4fca6099057a957d0fd4dfad81b

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr960422.exe

MD5 3bccd804c1bd6f719ca5e8a46222d054
SHA1 dcc669aa8a072aef141ee3330557adae5c77df62
SHA256 3d7077875bcaf79becf7780c2372da7e788c858b0788758047a1db6927ba465d
SHA512 d7d9b28e976985226654a781eb83c9bcc97f66d8a61700e6e8e07aee00fbf66c405ecc19eb6ced396410c77b0936eb3a10d5ce762205503088f97f2e4c4e301c

memory/1108-14-0x00007FFF15E33000-0x00007FFF15E35000-memory.dmp

memory/1108-15-0x0000000000830000-0x000000000083A000-memory.dmp

memory/1108-16-0x00007FFF15E33000-0x00007FFF15E35000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku061743.exe

MD5 e4dc92de76b9a55d23a12af93cf7909e
SHA1 e2362419d6fa5fce9c1fbced42e119d43a712057
SHA256 a3efc6281484fa097641a4f4f726b8c5c465d4face4c3eb26daff510d35f3b0d
SHA512 9c60b8a38c4be3a2fbd53a2f404b62d3511c273f012d464b777dc1ebd0892b8c082e13295bcc2d161f3730b821159690eda1226ec8660c865ed6310777e31316

C:\Windows\Temp\1.exe

MD5 1073b2e7f778788852d3f7bb79929882
SHA1 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256 c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA512 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr973479.exe

MD5 b53b1f43a697e255b2c069845aea5c3b
SHA1 916233aaa19f63acb908995be96c49077deec8ce
SHA256 75ab7d02106a131d2a12ab60bccb396545f6f2234d24ff87d4e910341fa743ef
SHA512 354a1ff19183f0e6dc964ff0c1211af1bbb8476cc195e776dfe2c792b6fcd46e31e307aa22d96938d30dac82d575b3dbd36d6cbe95854a40a831be0be02f46ab

memory/4552-2129-0x0000000000EC0000-0x0000000000EF0000-memory.dmp

memory/4552-2130-0x0000000003070000-0x0000000003076000-memory.dmp