Malware Analysis Report

2025-01-23 06:49

Sample ID 241105-j422tsxjey
Target b9d12c73d67985ac70e9e00322e2773172a0cf7933f1967d52fb833fe732107a
SHA256 b9d12c73d67985ac70e9e00322e2773172a0cf7933f1967d52fb833fe732107a
Tags
healer redline dozt norm discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file b9d12c73d67985ac70e9e00322e2773172a0cf7933f1967d52fb833fe732107a was found to be: Known bad.

Malicious Activity Summary

RedLine

Modifies Windows Defender Real-time Protection settings

RedLine payload

Healer

Detects Healer, an antivirus disabler dropper

Redline family

Healer family

Checks computer location settings

Windows security modification

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported

2024-11-05 08:14

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-05 08:14

Reported

2024-11-05 08:16

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b9d12c73d67985ac70e9e00322e2773172a0cf7933f1967d52fb833fe732107a.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr032302.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr032302.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr032302.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr032302.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr032302.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr032302.exe N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku848562.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr032302.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\b9d12c73d67985ac70e9e00322e2773172a0cf7933f1967d52fb833fe732107a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAg8616.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAg8616.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku848562.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr251218.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b9d12c73d67985ac70e9e00322e2773172a0cf7933f1967d52fb833fe732107a.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr032302.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr032302.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku848562.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4656 wrote to memory of 32 N/A C:\Users\Admin\AppData\Local\Temp\b9d12c73d67985ac70e9e00322e2773172a0cf7933f1967d52fb833fe732107a.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAg8616.exe
PID 32 wrote to memory of 264 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAg8616.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr032302.exe
PID 32 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAg8616.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku848562.exe
PID 4128 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku848562.exe C:\Windows\Temp\1.exe
PID 4656 wrote to memory of 5548 N/A C:\Users\Admin\AppData\Local\Temp\b9d12c73d67985ac70e9e00322e2773172a0cf7933f1967d52fb833fe732107a.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr251218.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b9d12c73d67985ac70e9e00322e2773172a0cf7933f1967d52fb833fe732107a.exe

"C:\Users\Admin\AppData\Local\Temp\b9d12c73d67985ac70e9e00322e2773172a0cf7933f1967d52fb833fe732107a.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAg8616.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAg8616.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr032302.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr032302.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku848562.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku848562.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4128 -ip 4128

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 1516

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr251218.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr251218.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 24.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAg8616.exe

MD5 2259687275ae5d82ab3dcbda69a700d2
SHA1 6cc06f5c66c6bb0963fca5e715bd9d2b7d240d10
SHA256 237614f1878ba0aa76b18e39d7853c33c1e4ec37abdeaab2bc15b78c087a308c
SHA512 27341d5477d8a6fe0fbf4acff55ac3835b79f857b4ef2c4dc82ff405917b6128d1e4688f291dee8448f60645fe91990bef36feab723e5c97a593239df22fe3e4

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr032302.exe

MD5 532d4216ffd2e72532eae061aa603d06
SHA1 62d5fb3e70de998e7f1eade93538ab5eeb18ddee
SHA256 7fae895c09eea147c0f63a879609347813f862f0f5e00b3189fb1c1bd1edfe58
SHA512 74876f8c0f912a5474c4178602124dfe57109722069ad1c1327e94445281f54610ebb24fe913095bd6466173aefa34daa8cdf234a2e5d0007ef663944715d2cb

memory/264-14-0x00007FF867D53000-0x00007FF867D55000-memory.dmp

memory/264-15-0x00000000001B0000-0x00000000001BA000-memory.dmp

memory/264-16-0x00007FF867D53000-0x00007FF867D55000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku848562.exe

MD5 b5dee4b329a334bd4e9781bd141202d7
SHA1 42ec33574619108b6dd2b996a82a42a65a51c072
SHA256 9e394fa81e3ca247fac9ccd03eb7b21f4a3d1022bff2dc837d23fcb52a54712a
SHA512 a402ac7be35b3b5f32abdbc8bf4d5f844ced5d0e89a6cc1b0004bfaccdf0db87b9d86cb945d40268c9faad8d5c1bddb29c30a28bbe6a4a8a9584622e6dfaeb6f

C:\Windows\Temp\1.exe

MD5 1073b2e7f778788852d3f7bb79929882
SHA1 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256 c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA512 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr251218.exe

MD5 78f75feda3c9437bd80e0e20db566e2b
SHA1 54b5dd52a371996ed8116576f51ccff19a335241
SHA256 0d01f6b8a53ed9859f07ca99119df9301913ccc70270f22d0302b6f5fb365c50
SHA512 1971c6726fc362a0e8e28c02d1dab725c671ba3c7be385168011b1cb434fb193325e251d02559c4f1e40f9e7f4980779ee32f1cc1406af47573578b6d2da4eb4

memory/5548-2129-0x0000000000500000-0x0000000000530000-memory.dmp

memory/5548-2130-0x0000000004D20000-0x0000000004D26000-memory.dmp