Malware Analysis Report

2025-01-23 06:48

Sample ID 241105-maqcqa1rfk
Target ec38fabe1959dae2c6e903cbfc7f2f301e38e2299ffebef209092ed1d77abcf7
SHA256 ec38fabe1959dae2c6e903cbfc7f2f301e38e2299ffebef209092ed1d77abcf7
Tags: healer redline dozt norm discovery dropper evasion infostealer persistence trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

ec38fabe1959dae2c6e903cbfc7f2f301e38e2299ffebef209092ed1d77abcf7

Threat Level: Known bad

The file ec38fabe1959dae2c6e903cbfc7f2f301e38e2299ffebef209092ed1d77abcf7 was found to be: Known bad.

Malicious Activity Summary

healer redline dozt norm discovery dropper evasion infostealer persistence trojan

Healer

RedLine

Redline family

Detects Healer, an antivirus disabler dropper

RedLine payload

Modifies Windows Defender Real-time Protection settings

Healer family

Checks computer location settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-05 10:15

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-05 10:15

Reported

2024-11-05 10:18

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ec38fabe1959dae2c6e903cbfc7f2f301e38e2299ffebef209092ed1d77abcf7.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Healer

Tags: dropper healer

Healer family

Tags: healer

Modifies Windows Defender Real-time Protection settings

Tags: evasion trojan

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr077633.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr077633.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr077633.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr077633.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr077633.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr077633.exe | N/A

RedLine

Tags: infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Redline family

Tags: redline

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku500600.exe | N/A

Windows security modification

Tags: evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr077633.exe | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\ec38fabe1959dae2c6e903cbfc7f2f301e38e2299ffebef209092ed1d77abcf7.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDC0237.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ec38fabe1959dae2c6e903cbfc7f2f301e38e2299ffebef209092ed1d77abcf7.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDC0237.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku500600.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\1.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr715200.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr077633.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr077633.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr077633.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku500600.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3200 wrote to memory of 2248 | N/A | C:\Users\Admin\AppData\Local\Temp\ec38fabe1959dae2c6e903cbfc7f2f301e38e2299ffebef209092ed1d77abcf7.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDC0237.exe
PID 3200 wrote to memory of 2248 | N/A | C:\Users\Admin\AppData\Local\Temp\ec38fabe1959dae2c6e903cbfc7f2f301e38e2299ffebef209092ed1d77abcf7.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDC0237.exe
PID 3200 wrote to memory of 2248 | N/A | C:\Users\Admin\AppData\Local\Temp\ec38fabe1959dae2c6e903cbfc7f2f301e38e2299ffebef209092ed1d77abcf7.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDC0237.exe
PID 2248 wrote to memory of 2764 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDC0237.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr077633.exe
PID 2248 wrote to memory of 2764 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDC0237.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr077633.exe
PID 2248 wrote to memory of 976 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDC0237.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku500600.exe
PID 2248 wrote to memory of 976 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDC0237.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku500600.exe
PID 2248 wrote to memory of 976 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDC0237.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku500600.exe
PID 976 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku500600.exe | C:\Windows\Temp\1.exe
PID 976 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku500600.exe | C:\Windows\Temp\1.exe
PID 976 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku500600.exe | C:\Windows\Temp\1.exe
PID 3200 wrote to memory of 5172 | N/A | C:\Users\Admin\AppData\Local\Temp\ec38fabe1959dae2c6e903cbfc7f2f301e38e2299ffebef209092ed1d77abcf7.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr715200.exe
PID 3200 wrote to memory of 5172 | N/A | C:\Users\Admin\AppData\Local\Temp\ec38fabe1959dae2c6e903cbfc7f2f301e38e2299ffebef209092ed1d77abcf7.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr715200.exe
PID 3200 wrote to memory of 5172 | N/A | C:\Users\Admin\AppData\Local\Temp\ec38fabe1959dae2c6e903cbfc7f2f301e38e2299ffebef209092ed1d77abcf7.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr715200.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ec38fabe1959dae2c6e903cbfc7f2f301e38e2299ffebef209092ed1d77abcf7.exe

"C:\Users\Admin\AppData\Local\Temp\ec38fabe1959dae2c6e903cbfc7f2f301e38e2299ffebef209092ed1d77abcf7.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDC0237.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDC0237.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr077633.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr077633.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku500600.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku500600.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 976 -ip 976

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 1496

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr715200.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr715200.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.28.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDC0237.exe

MD5 667a2a94999d2cd8b6d54811aa7faccd
SHA1 1bb13040b0928086190a4a09bb5a03ac3facdd21
SHA256 2558e169e6987c0ab4f34e2d9757d50a26e61c26123849823015e634b9580a1d
SHA512 a4211cf7d692710cc41e9f874262de5121ca0eeeb8e98dccfd6bde7fa84d86dc6a9f57e34618a522a13e5b4e65c78e7645a35edd4abb905f13e65aaf5bda6d7a

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr077633.exe

MD5 9eb3ae5c26191ad3573cbfaaf7dcca69
SHA1 96a16c3eef1503917a2641251cc04d2b98d4fd78
SHA256 972e2d58bb8bf6d37f4b1ba8137328e43715c46e6d46aab55faca7583714b80f
SHA512 c307d56ccaf51d2b2567671269f4f3f922fe08ea13f4af523a9091c1d7522b884d271fe4bf0a430167884f0cdfbf9f433379da25e2a3da8a9224bd26019a15af

memory/2764-14-0x00007FF8BDEF3000-0x00007FF8BDEF5000-memory.dmp

memory/2764-15-0x0000000000CB0000-0x0000000000CBA000-memory.dmp

memory/2764-16-0x00007FF8BDEF3000-0x00007FF8BDEF5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku500600.exe

MD5 b876950c298c1444018cc05a55669788
SHA1 002904ac99b8f64c9b51ab98ec4bbafc63d21aae
SHA256 c6e2161532b7a9ddbdb47bfad69436667c85cc5f988deb57640a8c68bb3ebdf1
SHA512 e9950891dd329ba6111526dab186f7d069dff8becfffe057d1ccc8fea9178c09b33f5c3d2dd6030115c3ad901fd1c0949eff48565d9b3273ec472dae37c1ee0c

memory/976-22-0x0000000002410000-0x0000000002476000-memory.dmp

memory/976-23-0x0000000004C80000-0x0000000005224000-memory.dmp

memory/976-24-0x0000000004AF0000-0x0000000004B56000-memory.dmp

memory/976-60-0x0000000004AF0000-0x0000000004B4F000-memory.dmp

memory/976-62-0x0000000004AF0000-0x0000000004B4F000-memory.dmp

memory/976-88-0x0000000004AF0000-0x0000000004B4F000-memory.dmp

memory/976-86-0x0000000004AF0000-0x0000000004B4F000-memory.dmp

memory/976-82-0x0000000004AF0000-0x0000000004B4F000-memory.dmp

memory/976-80-0x0000000004AF0000-0x0000000004B4F000-memory.dmp

memory/976-78-0x0000000004AF0000-0x0000000004B4F000-memory.dmp

memory/976-76-0x0000000004AF0000-0x0000000004B4F000-memory.dmp

memory/976-70-0x0000000004AF0000-0x0000000004B4F000-memory.dmp

memory/976-68-0x0000000004AF0000-0x0000000004B4F000-memory.dmp

memory/976-66-0x0000000004AF0000-0x0000000004B4F000-memory.dmp

memory/976-64-0x0000000004AF0000-0x0000000004B4F000-memory.dmp

memory/976-58-0x0000000004AF0000-0x0000000004B4F000-memory.dmp

memory/976-56-0x0000000004AF0000-0x0000000004B4F000-memory.dmp

memory/976-54-0x0000000004AF0000-0x0000000004B4F000-memory.dmp

memory/976-52-0x0000000004AF0000-0x0000000004B4F000-memory.dmp

memory/976-50-0x0000000004AF0000-0x0000000004B4F000-memory.dmp

memory/976-48-0x0000000004AF0000-0x0000000004B4F000-memory.dmp

memory/976-46-0x0000000004AF0000-0x0000000004B4F000-memory.dmp

memory/976-42-0x0000000004AF0000-0x0000000004B4F000-memory.dmp

memory/976-40-0x0000000004AF0000-0x0000000004B4F000-memory.dmp

memory/976-38-0x0000000004AF0000-0x0000000004B4F000-memory.dmp

memory/976-36-0x0000000004AF0000-0x0000000004B4F000-memory.dmp

memory/976-34-0x0000000004AF0000-0x0000000004B4F000-memory.dmp

memory/976-32-0x0000000004AF0000-0x0000000004B4F000-memory.dmp

memory/976-31-0x0000000004AF0000-0x0000000004B4F000-memory.dmp

memory/976-28-0x0000000004AF0000-0x0000000004B4F000-memory.dmp

memory/976-84-0x0000000004AF0000-0x0000000004B4F000-memory.dmp

memory/976-74-0x0000000004AF0000-0x0000000004B4F000-memory.dmp

memory/976-72-0x0000000004AF0000-0x0000000004B4F000-memory.dmp

memory/976-44-0x0000000004AF0000-0x0000000004B4F000-memory.dmp

memory/976-26-0x0000000004AF0000-0x0000000004B4F000-memory.dmp

memory/976-25-0x0000000004AF0000-0x0000000004B4F000-memory.dmp

memory/976-2105-0x0000000005400000-0x0000000005432000-memory.dmp

C:\Windows\Temp\1.exe

MD5 1073b2e7f778788852d3f7bb79929882
SHA1 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256 c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA512 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

memory/2636-2118-0x0000000000AB0000-0x0000000000AE0000-memory.dmp

memory/2636-2119-0x00000000012F0000-0x00000000012F6000-memory.dmp

memory/2636-2120-0x0000000005A40000-0x0000000006058000-memory.dmp

memory/2636-2121-0x0000000005530000-0x000000000563A000-memory.dmp

memory/2636-2122-0x0000000005440000-0x0000000005452000-memory.dmp

memory/2636-2123-0x00000000054A0000-0x00000000054DC000-memory.dmp

memory/2636-2124-0x00000000054E0000-0x000000000552C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr715200.exe

MD5 f66557bfc086d58caeaae8ff7427e860
SHA1 7793733df47192e161acfdfaa73175d468d28059
SHA256 264b439c5406abfde99054f9c032c10e308503becef0d63f6629a1c308bf5daa
SHA512 1fa6f58aee41623ab6f3c4f2f6726fdc44f8eda66a22d3ae7a5b556b27260e719cf194978febc2816897a2d44a88f2c24f94a1d991efce17347b173824a62cf7

memory/5172-2129-0x0000000000660000-0x0000000000690000-memory.dmp

memory/5172-2130-0x00000000010A0000-0x00000000010A6000-memory.dmp