Malware Analysis Report

2025-01-23 06:43

Sample ID 241105-kcmcqszqgj
Target edc2b3d2b8190ed4ae170e8e7f10805576cfade3ff2e3fa4f9d2e52dd337db36
SHA256 edc2b3d2b8190ed4ae170e8e7f10805576cfade3ff2e3fa4f9d2e52dd337db36
Tags
healer redline dozt norm discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

edc2b3d2b8190ed4ae170e8e7f10805576cfade3ff2e3fa4f9d2e52dd337db36

Threat Level: Known bad

The file edc2b3d2b8190ed4ae170e8e7f10805576cfade3ff2e3fa4f9d2e52dd337db36 was found to be: Known bad.

Malicious Activity Summary

healer redline dozt norm discovery dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

Redline family

RedLine payload

Detects Healer an antivirus disabler dropper

Healer

Healer family

RedLine

Windows security modification

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-05 08:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-05 08:27

Reported

2024-11-05 08:29

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\edc2b3d2b8190ed4ae170e8e7f10805576cfade3ff2e3fa4f9d2e52dd337db36.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr401018.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr401018.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr401018.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr401018.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr401018.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr401018.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku189469.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr401018.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTr2814.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\edc2b3d2b8190ed4ae170e8e7f10805576cfade3ff2e3fa4f9d2e52dd337db36.exe N/A
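The Defender rows above (Real-time Protection policy values set to 1, TamperProtection set to 0) and the two RunOnce rows are the kind of registry writes a responder has to sort quickly: which ones disable a protection, which ones are real autostart persistence, and which ones are installer housekeeping. The two wextract_cleanupN values here are written by the wextract (IExpress self-extractor) runtime that the sample and ziTr2814.exe are packaged with; they call advpack.dll's DelNodeRunDLL32 to delete the IXPnnn.TMP extraction directory at next logon, so despite the "persistence" tag they do not relaunch the payload. Note also that the sandbox records the write, not whether Defender honoured it: on a host with Tamper Protection on, these policy and Features writes are ignored. The classifier below is an added example, not output of the sandbox or code from the report; the rows are copied from the tables above, and the classification rules (category names, the benign-cleanup rule, the hypothetical Run-key row in the usage) are the author's assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Rows copied from this report's signature tables (constructed input for the example).
# The "Key created" row is included to show that non-"Set value" rows are skipped.
REPORT_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr401018.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr401018.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr401018.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr401018.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr401018.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr401018.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr401018.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTr2814.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\edc2b3d2b8190ed4ae170e8e7f10805576cfade3ff2e3fa4f9d2e52dd337db36.exe N/A',
]

# Report row layout: Set value (<type>) <key>\<name> = "<data>" <process> N/A
ROW = re.compile(r'^Set value \((\w+)\) (.+?)\\([^\\]+) = "(.*)" (\S+) N/A$')

# Real-Time Protection policy values that switch a component off when set to 1.
RTP_DISABLE_VALUES = {"DisableRealtimeMonitoring", "DisableBehaviorMonitoring", "DisableIOAVProtection",
                      "DisableOnAccessProtection", "DisableScanOnRealtimeEnable"}
RTP_POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEATURES_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features"


@dataclass
class RegEvent:
    kind: str      # value type as reported: int / str
    key: str
    name: str
    data: str
    process: str   # writing process, full path


def parse_row(line):
    """Parse one 'Set value' row; return None for other row kinds (e.g. 'Key created')."""
    m = ROW.match(line)
    return RegEvent(*m.groups()) if m else None


def classify(ev):
    """Return (category, note) for a single registry write. Categories are this example's own."""
    if ev.key == RTP_POLICY_KEY and ev.name in RTP_DISABLE_VALUES and ev.data == "1":
        return "defender_tamper", f"policy write disabling {ev.name[len('Disable'):]}"
    if ev.key == FEATURES_KEY and ev.name == "TamperProtection" and ev.data == "0":
        return "defender_tamper", "attempt to clear TamperProtection (ignored when Tamper Protection is on)"
    if ev.key.endswith(("\\Run", "\\RunOnce")):
        if ev.name.startswith("wextract_cleanup") and "DelNodeRunDLL32" in ev.data:
            return "installer_cleanup", "wextract/IExpress self-delete of the IXPnnn.TMP directory, not payload persistence"
        return "persistence", f"autostart entry {ev.name}"
    return "other", ""


def classify_rows(rows):
    """Group parsed rows by category: {category: [(process basename, value name, note), ...]}."""
    findings = defaultdict(list)
    for ev in filter(None, map(parse_row, rows)):
        cat, note = classify(ev)
        findings[cat].append((ev.process.rsplit("\\", 1)[-1], ev.name, note))
    return dict(findings)


if __name__ == "__main__":
    for cat, items in classify_rows(REPORT_ROWS).items():
        print(cat)
        for proc, name, note in items:
            print(f"  {proc}: {name}  {note}")
```

Run as a script it prints six defender_tamper findings, all from jr401018.exe, and two installer_cleanup entries; nothing lands in persistence, which is the point of reading the RunOnce data rather than trusting the tag. Feeding the same function a hypothetical HKCU ...\Run value pointing at a dropped executable (not in this report) would come out as persistence.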

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\edc2b3d2b8190ed4ae170e8e7f10805576cfade3ff2e3fa4f9d2e52dd337db36.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTr2814.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku189469.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr815678.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr401018.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr401018.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr401018.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku189469.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4288 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\edc2b3d2b8190ed4ae170e8e7f10805576cfade3ff2e3fa4f9d2e52dd337db36.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTr2814.exe
PID 4288 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\edc2b3d2b8190ed4ae170e8e7f10805576cfade3ff2e3fa4f9d2e52dd337db36.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTr2814.exe
PID 4288 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\edc2b3d2b8190ed4ae170e8e7f10805576cfade3ff2e3fa4f9d2e52dd337db36.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTr2814.exe
PID 3060 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTr2814.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr401018.exe
PID 3060 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTr2814.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr401018.exe
PID 3060 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTr2814.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku189469.exe
PID 3060 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTr2814.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku189469.exe
PID 3060 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTr2814.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku189469.exe
PID 3904 wrote to memory of 5940 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku189469.exe C:\Windows\Temp\1.exe
PID 3904 wrote to memory of 5940 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku189469.exe C:\Windows\Temp\1.exe
PID 3904 wrote to memory of 5940 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku189469.exe C:\Windows\Temp\1.exe
PID 4288 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\edc2b3d2b8190ed4ae170e8e7f10805576cfade3ff2e3fa4f9d2e52dd337db36.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr815678.exe
PID 4288 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\edc2b3d2b8190ed4ae170e8e7f10805576cfade3ff2e3fa4f9d2e52dd337db36.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr815678.exe
PID 4288 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\edc2b3d2b8190ed4ae170e8e7f10805576cfade3ff2e3fa4f9d2e52dd337db36.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr815678.exe

Processes

C:\Users\Admin\AppData\Local\Temp\edc2b3d2b8190ed4ae170e8e7f10805576cfade3ff2e3fa4f9d2e52dd337db36.exe

"C:\Users\Admin\AppData\Local\Temp\edc2b3d2b8190ed4ae170e8e7f10805576cfade3ff2e3fa4f9d2e52dd337db36.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTr2814.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTr2814.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr401018.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr401018.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku189469.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku189469.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3904 -ip 3904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 1160

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr815678.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr815678.exe
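The WriteProcessMemory table and the process list above carry the whole execution chain, but only implicitly: each "PID X wrote to memory of Y" row pairs a parent image with the child it has just started, the IXP000.TMP and IXP001.TMP paths show which process extracted which stage, and the two WerFault.exe command lines (-p 3904) identify ku189469.exe as the process behind the "Program crash" signature. The script below is an added example, not part of the report, that rebuilds the tree from those rows. It treats the rows as parent/child edges, which holds here because every write precedes the child's first appearance; whether a write is plain child setup or injection is a separate question the dumps would have to answer. Input rows are copied from the tables above; the rendering format is the author's own.

```python
import re
from collections import Counter

# Rows copied from the WriteProcessMemory table and the WerFault command lines above
# (constructed input for the example).
WRITE_ROWS = [
    r"PID 4288 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\edc2b3d2b8190ed4ae170e8e7f10805576cfade3ff2e3fa4f9d2e52dd337db36.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTr2814.exe",
    r"PID 4288 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\edc2b3d2b8190ed4ae170e8e7f10805576cfade3ff2e3fa4f9d2e52dd337db36.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTr2814.exe",
    r"PID 4288 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\edc2b3d2b8190ed4ae170e8e7f10805576cfade3ff2e3fa4f9d2e52dd337db36.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTr2814.exe",
    r"PID 3060 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTr2814.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr401018.exe",
    r"PID 3060 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTr2814.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr401018.exe",
    r"PID 3060 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTr2814.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku189469.exe",
    r"PID 3060 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTr2814.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku189469.exe",
    r"PID 3060 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTr2814.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku189469.exe",
    r"PID 3904 wrote to memory of 5940 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku189469.exe C:\Windows\Temp\1.exe",
    r"PID 3904 wrote to memory of 5940 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku189469.exe C:\Windows\Temp\1.exe",
    r"PID 3904 wrote to memory of 5940 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku189469.exe C:\Windows\Temp\1.exe",
    r"PID 4288 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\edc2b3d2b8190ed4ae170e8e7f10805576cfade3ff2e3fa4f9d2e52dd337db36.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr815678.exe",
    r"PID 4288 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\edc2b3d2b8190ed4ae170e8e7f10805576cfade3ff2e3fa4f9d2e52dd337db36.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr815678.exe",
    r"PID 4288 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\edc2b3d2b8190ed4ae170e8e7f10805576cfade3ff2e3fa4f9d2e52dd337db36.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr815678.exe",
]
WERFAULT_CMDS = [
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3904 -ip 3904",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 1160",
]

WRITE_ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
WERFAULT_PID = re.compile(r"\s-p (\d+)")  # "-p <pid>" names the crashed process


def build_tree(write_rows, werfault_cmds=()):
    """Turn write rows into parent->children edges, keeping images, write counts and crashed PIDs."""
    image, children, writes = {}, {}, Counter()
    for row in write_rows:
        m = WRITE_ROW.match(row)
        if not m:
            continue
        parent, child = int(m[1]), int(m[2])
        image.setdefault(parent, m[3])
        image.setdefault(child, m[4])
        writes[(parent, child)] += 1
        kids = children.setdefault(parent, [])
        if child not in kids:           # dedupe repeated writes, keep first-seen order
            kids.append(child)
    all_children = {c for kids in children.values() for c in kids}
    roots = [p for p in children if p not in all_children]
    crashed = {int(m[1]) for cmd in werfault_cmds if (m := WERFAULT_PID.search(cmd))}
    return {"image": image, "children": children, "writes": writes, "roots": roots, "crashed": crashed}


def extraction_stages(tree):
    """Map each IXPnnn.TMP extraction directory to the PID whose children run from it."""
    stages = {}
    for parent, kids in tree["children"].items():
        for c in kids:
            m = re.search(r"\\(IXP\d{3}\.TMP)\\", tree["image"][c])
            if m:
                stages.setdefault(m[1], parent)
    return stages


def render(tree):
    """Indented text tree, one line per process, annotated with write counts and crashes."""
    out = []

    def walk(pid, depth, note):
        name = tree["image"][pid].rsplit("\\", 1)[-1]
        crash = f"  <-- crashed (WerFault -p {pid})" if pid in tree["crashed"] else ""
        out.append("  " * depth + f"{pid} {name}{note}{crash}")
        for c in tree["children"].get(pid, []):
            walk(c, depth + 1, f"  ({tree['writes'][(pid, c)]} WriteProcessMemory calls from {pid})")

    for r in tree["roots"]:
        walk(r, 0, "")
    return out


if __name__ == "__main__":
    t = build_tree(WRITE_ROWS, WERFAULT_CMDS)
    print("\n".join(render(t)))
    print(extraction_stages(t))
```

The rendered tree has the sample (4288) starting ziTr2814.exe and lr815678.exe from IXP000.TMP, ziTr2814.exe (3060) starting jr401018.exe and ku189469.exe from IXP001.TMP, and ku189469.exe (3904) starting 1.exe from C:\Windows\Temp before crashing; 1.exe is the only child not launched from an IXP directory, so it is written by ku189469.exe itself rather than unpacked by the self-extractor.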

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 udp
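The Network table mixes three kinds of traffic: queries to the sandbox resolver (8.8.8.8), of which most are reverse (in-addr.arpa) lookups, TLS to Bing hosts, which is routine Windows background traffic in a detonation and not something the report attributes to the sample, and twelve TCP connections to 77.91.124.145:4125 with no name next to them and no PTR query for that address anywhere in the table. The table has no process column, so the report itself does not say which process opened that socket. The script below is an added example (not report output) that sorts the rows this way; the rows are copied from the table, and the list of background suffixes is an assumption of the example.

```python
import re
from collections import Counter

# Rows copied from the Network table above (constructed input for the example).
NET_ROWS = """
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 udp
""".strip().splitlines()

# Row layout: <country> <ip>:<port> [<domain>] <proto>; the domain column may be empty.
NET_ROW = re.compile(r"^(\w\w) (\d{1,3}(?:\.\d{1,3}){3}):(\d+)(?: (\S+))? (tcp|udp)$")


def parse_net(lines):
    rows = []
    for line in lines:
        m = NET_ROW.match(line.strip())
        if m:
            rows.append({"country": m[1], "ip": m[2], "port": int(m[3]), "domain": m[4], "proto": m[5]})
    return rows


def ptr_target(name):
    """'28.118.140.52.in-addr.arpa' -> '52.140.118.28': the address whose PTR record was queried."""
    return ".".join(reversed(name[: -len(".in-addr.arpa")].split(".")))


def triage(rows, resolvers=frozenset({"8.8.8.8"}), background_suffixes=(".bing.com", ".bing.net")):
    """Bucket rows into resolver traffic, assumed-background flows, and candidate C2 endpoints."""
    out = {"dns_forward": [], "dns_ptr": [], "background": [], "candidate": Counter()}
    for r in rows:
        if r["ip"] in resolvers and r["port"] == 53:
            if r["domain"] and r["domain"].endswith(".in-addr.arpa"):
                out["dns_ptr"].append(ptr_target(r["domain"]))
            else:
                out["dns_forward"].append(r["domain"])
        elif r["domain"] and r["domain"].endswith(background_suffixes):
            out["background"].append((r["ip"], r["port"], r["domain"]))
        else:
            out["candidate"][(r["ip"], r["port"], r["proto"], r["country"])] += 1
    return out


def never_reverse_queried(buckets):
    """Candidate endpoints whose address was never the subject of a PTR query in the table."""
    seen = set(buckets["dns_ptr"])
    return [ep for ep in buckets["candidate"] if ep[0] not in seen]


def summary(buckets):
    lines = [f"forward DNS: {len(buckets['dns_forward'])}, PTR lookups: {len(buckets['dns_ptr'])}, "
             f"background flows: {len(buckets['background'])}"]
    for (ip, port, proto, cc), n in buckets["candidate"].most_common():
        lines.append(f"candidate {ip}:{port}/{proto} ({cc}) x{n}")
    return lines


if __name__ == "__main__":
    b = triage(parse_net(NET_ROWS))
    print("\n".join(summary(b)))
    print("no PTR query seen for:", never_reverse_queried(b))
```

The only candidate that survives is 77.91.124.145:4125/tcp, seen twelve times. The PTR decoding is worth keeping: 10.27.171.150.in-addr.arpa is the reverse lookup of 150.171.27.10, the same Bing address the sandbox host connected to, which is what resolver noise from the OS looks like.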

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTr2814.exe

MD5 3e831d286b8841e3a21e8c6799d3078c
SHA1 125bafdd16d9dee895b8d555c866bc2a5659c1da
SHA256 36e4cbbce592f576571affa38beb9d3ec16a12640b50801e0e840d0545f88c6d
SHA512 4b25924835d02a829ff4d231a0de3c261b4494c2c9549ff0fdbbef0d2ffb3e84da693d390b8385355b21b4ddb85a59522453f975ebbd54cbb5ea376f5e5778ae

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr401018.exe

MD5 9c52a6216e58a9a41a33b32675da1951
SHA1 7f062ebec15031e1d10aff421a480d8fb8eff492
SHA256 88c1ea51e3fc1ac449b7119df4f5b5d58fedcf1c026f38413ca93c92215610f0
SHA512 fccfbc761f48d8c8aa8ff7db520f9563d26eb7220a9ddb5b37971432e5025d67e43f87e64e925eeb35368f1876dbe2b21acaf9a03db4b370aafc2a8e24485607

memory/4716-14-0x00007FFCECE03000-0x00007FFCECE05000-memory.dmp

memory/4716-15-0x00000000005D0000-0x00000000005DA000-memory.dmp

memory/4716-16-0x00007FFCECE03000-0x00007FFCECE05000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku189469.exe

MD5 256b715ad983fb1a1ceaa4612d86aad5
SHA1 1d4e7e415eb1e1690656f152e247a81bac4a6d50
SHA256 498c95af712b59fd0b5d23ea187e800519707e21272136879b3067d21d273a98
SHA512 87564d10480f9287d8e2a2336dc1737e4d98b596b2b0912ea8fdf9a93a65389c86c7a36ac00462daa417d37c27035ad6575bc9539ecaa6ff1cb1326e2c241f06

memory/3904-22-0x0000000004BE0000-0x0000000004C46000-memory.dmp

memory/3904-23-0x0000000004DA0000-0x0000000005344000-memory.dmp

memory/3904-24-0x0000000005350000-0x00000000053B6000-memory.dmp

memory/3904-38-0x0000000005350000-0x00000000053AF000-memory.dmp

memory/3904-40-0x0000000005350000-0x00000000053AF000-memory.dmp

memory/3904-88-0x0000000005350000-0x00000000053AF000-memory.dmp

memory/3904-86-0x0000000005350000-0x00000000053AF000-memory.dmp

memory/3904-84-0x0000000005350000-0x00000000053AF000-memory.dmp

memory/3904-82-0x0000000005350000-0x00000000053AF000-memory.dmp

memory/3904-80-0x0000000005350000-0x00000000053AF000-memory.dmp

memory/3904-76-0x0000000005350000-0x00000000053AF000-memory.dmp

memory/3904-74-0x0000000005350000-0x00000000053AF000-memory.dmp

memory/3904-72-0x0000000005350000-0x00000000053AF000-memory.dmp

memory/3904-70-0x0000000005350000-0x00000000053AF000-memory.dmp

memory/3904-68-0x0000000005350000-0x00000000053AF000-memory.dmp

memory/3904-66-0x0000000005350000-0x00000000053AF000-memory.dmp

memory/3904-64-0x0000000005350000-0x00000000053AF000-memory.dmp

memory/3904-62-0x0000000005350000-0x00000000053AF000-memory.dmp

memory/3904-60-0x0000000005350000-0x00000000053AF000-memory.dmp

memory/3904-56-0x0000000005350000-0x00000000053AF000-memory.dmp

memory/3904-54-0x0000000005350000-0x00000000053AF000-memory.dmp

memory/3904-52-0x0000000005350000-0x00000000053AF000-memory.dmp

memory/3904-50-0x0000000005350000-0x00000000053AF000-memory.dmp

memory/3904-48-0x0000000005350000-0x00000000053AF000-memory.dmp

memory/3904-46-0x0000000005350000-0x00000000053AF000-memory.dmp

memory/3904-44-0x0000000005350000-0x00000000053AF000-memory.dmp

memory/3904-42-0x0000000005350000-0x00000000053AF000-memory.dmp

memory/3904-36-0x0000000005350000-0x00000000053AF000-memory.dmp

memory/3904-34-0x0000000005350000-0x00000000053AF000-memory.dmp

memory/3904-32-0x0000000005350000-0x00000000053AF000-memory.dmp

memory/3904-30-0x0000000005350000-0x00000000053AF000-memory.dmp

memory/3904-28-0x0000000005350000-0x00000000053AF000-memory.dmp

memory/3904-78-0x0000000005350000-0x00000000053AF000-memory.dmp

memory/3904-58-0x0000000005350000-0x00000000053AF000-memory.dmp

memory/3904-26-0x0000000005350000-0x00000000053AF000-memory.dmp

memory/3904-25-0x0000000005350000-0x00000000053AF000-memory.dmp

memory/3904-2105-0x0000000005540000-0x0000000005572000-memory.dmp

C:\Windows\Temp\1.exe

MD5 1073b2e7f778788852d3f7bb79929882
SHA1 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256 c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA512 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

memory/5940-2118-0x00000000008B0000-0x00000000008E0000-memory.dmp

memory/5940-2119-0x0000000001150000-0x0000000001156000-memory.dmp

memory/5940-2120-0x0000000005870000-0x0000000005E88000-memory.dmp

memory/5940-2121-0x0000000005360000-0x000000000546A000-memory.dmp

memory/5940-2122-0x0000000005250000-0x0000000005262000-memory.dmp

memory/5940-2123-0x00000000052B0000-0x00000000052EC000-memory.dmp

memory/5940-2124-0x00000000052F0000-0x000000000533C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr815678.exe

MD5 ebfceda3cb77c48976a6a29d8150a457
SHA1 8b768da3b5bd15693909e631c88248774efe0c73
SHA256 d81e278145a2030578974ca0616df838e6b3beeeb9de38d98cd160290fe08bb1
SHA512 79215a6f571231ca4050798340f6dcad0e9cfd5ea49c7a4b5e602bb312e71359912b2d3da7451678dd736a718500362ab79ef91d50a10aa7fa78c0692bc4197a

memory/4196-2129-0x0000000000980000-0x00000000009B0000-memory.dmp

memory/4196-2130-0x0000000001280000-0x0000000001286000-memory.dmp
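The Files section is the part of this report that is directly reusable for hunting: five dropped executables with MD5/SHA1/SHA256/SHA512, plus the memory regions the sandbox dumped per PID. The Healer and RedLine payload signature rows above do not name a file, so the dump list is where one would look for the unpacked payload: for PID 3904 (ku189469.exe) one region, 0x5350000-0x53AF000, is dumped again and again, which is the first dump to open. The script below is an added example, not code from the report, that parses the section, checks each digest has the length its algorithm requires (a cheap guard against copy-paste truncation), sweeps a directory tree for SHA256 matches, and tallies dumped regions per PID. The embedded text is a subset of the section above (full hashes, only a few of the 37 dump lines for PID 3904); the self-check in demo_hunt uses a constructed file, not a sample.

```python
import hashlib
import re
import tempfile
from collections import Counter
from pathlib import Path

# Subset of the Files section above (constructed input: all hashes, a few of the dump lines).
FILES_SECTION = r"""
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTr2814.exe
MD5 3e831d286b8841e3a21e8c6799d3078c
SHA1 125bafdd16d9dee895b8d555c866bc2a5659c1da
SHA256 36e4cbbce592f576571affa38beb9d3ec16a12640b50801e0e840d0545f88c6d
SHA512 4b25924835d02a829ff4d231a0de3c261b4494c2c9549ff0fdbbef0d2ffb3e84da693d390b8385355b21b4ddb85a59522453f975ebbd54cbb5ea376f5e5778ae
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr401018.exe
MD5 9c52a6216e58a9a41a33b32675da1951
SHA1 7f062ebec15031e1d10aff421a480d8fb8eff492
SHA256 88c1ea51e3fc1ac449b7119df4f5b5d58fedcf1c026f38413ca93c92215610f0
SHA512 fccfbc761f48d8c8aa8ff7db520f9563d26eb7220a9ddb5b37971432e5025d67e43f87e64e925eeb35368f1876dbe2b21acaf9a03db4b370aafc2a8e24485607
memory/4716-14-0x00007FFCECE03000-0x00007FFCECE05000-memory.dmp
memory/4716-15-0x00000000005D0000-0x00000000005DA000-memory.dmp
memory/4716-16-0x00007FFCECE03000-0x00007FFCECE05000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku189469.exe
MD5 256b715ad983fb1a1ceaa4612d86aad5
SHA1 1d4e7e415eb1e1690656f152e247a81bac4a6d50
SHA256 498c95af712b59fd0b5d23ea187e800519707e21272136879b3067d21d273a98
SHA512 87564d10480f9287d8e2a2336dc1737e4d98b596b2b0912ea8fdf9a93a65389c86c7a36ac00462daa417d37c27035ad6575bc9539ecaa6ff1cb1326e2c241f06
memory/3904-22-0x0000000004BE0000-0x0000000004C46000-memory.dmp
memory/3904-23-0x0000000004DA0000-0x0000000005344000-memory.dmp
memory/3904-24-0x0000000005350000-0x00000000053B6000-memory.dmp
memory/3904-38-0x0000000005350000-0x00000000053AF000-memory.dmp
memory/3904-26-0x0000000005350000-0x00000000053AF000-memory.dmp
memory/3904-25-0x0000000005350000-0x00000000053AF000-memory.dmp
memory/3904-2105-0x0000000005540000-0x0000000005572000-memory.dmp
C:\Windows\Temp\1.exe
MD5 1073b2e7f778788852d3f7bb79929882
SHA1 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256 c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA512 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0
memory/5940-2118-0x00000000008B0000-0x00000000008E0000-memory.dmp
memory/5940-2119-0x0000000001150000-0x0000000001156000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr815678.exe
MD5 ebfceda3cb77c48976a6a29d8150a457
SHA1 8b768da3b5bd15693909e631c88248774efe0c73
SHA256 d81e278145a2030578974ca0616df838e6b3beeeb9de38d98cd160290fe08bb1
SHA512 79215a6f571231ca4050798340f6dcad0e9cfd5ea49c7a4b5e602bb312e71359912b2d3da7451678dd736a718500362ab79ef91d50a10aa7fa78c0692bc4197a
memory/4196-2129-0x0000000000980000-0x00000000009B0000-memory.dmp
memory/4196-2130-0x0000000001280000-0x0000000001286000-memory.dmp
""".strip().splitlines()

PATH_LINE = re.compile(r"^[A-Za-z]:\\.*\.exe$")
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
DUMP_LINE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}


def parse_files(lines):
    """Return [{path, md5, sha1, sha256, sha512, dumps: [(pid, seq, start, end)]}, ...]."""
    records, cur = [], None
    for raw in lines:
        line = raw.strip()
        if PATH_LINE.match(line):
            cur = {"path": line, "dumps": []}
            records.append(cur)
        elif (m := HASH_LINE.match(line)) and cur is not None:
            algo, digest = m[1].lower(), m[2]
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} digest has wrong length for {cur['path']}")
            cur[algo] = digest
        elif (m := DUMP_LINE.match(line)) and cur is not None:
            cur["dumps"].append((int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)))
    return records


def ioc_set(records, algo="sha256"):
    return {r[algo] for r in records if algo in r}


def hunt(root, digests, algo="sha256"):
    """Hash every file under root and return [(path, digest)] for those in the IOC set."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            h = hashlib.new(algo, p.read_bytes()).hexdigest()
            if h in digests:
                hits.append((str(p), h))
    return hits


def dump_regions(records):
    """{pid: Counter({(start, end): times dumped})}: repeated regions are the unpacked-payload candidates."""
    per_pid = {}
    for r in records:
        for pid, _, start, end in r["dumps"]:
            per_pid.setdefault(pid, Counter())[(start, end)] += 1
    return per_pid


def demo_hunt():
    """Self-check against a constructed file (not a sample): returns (hits, expected digest)."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "sub").mkdir()
        target = Path(d) / "sub" / "dropped.bin"
        target.write_bytes(b"constructed test content, not malware")
        (Path(d) / "benign.txt").write_text("nothing to see")
        want = hashlib.sha256(target.read_bytes()).hexdigest()
        hits = hunt(d, ioc_set(parse_files(FILES_SECTION)) | {want})
    return hits, want


if __name__ == "__main__":
    recs = parse_files(FILES_SECTION)
    for pid, regions in dump_regions(recs).items():
        print(pid, {f"0x{s:X}-0x{e:X}": n for (s, e), n in regions.most_common(2)})
    print(demo_hunt())
```

For a real sweep, pass the directory to hunt together with ioc_set(parse_files(...)) built from the full section; hunting by SHA256 only catches byte-identical drops, so the dump regions matter more when the next sample is repacked.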