Malware Analysis Report

2025-01-23 06:44

Sample ID 241105-tkvhratfrg
Target 0ed7abf2fca30a23aebd09b15a3fbf47d544923fc71f69ee1e5e16de46833bbd
SHA256 0ed7abf2fca30a23aebd09b15a3fbf47d544923fc71f69ee1e5e16de46833bbd
Tags
healer redline dozt norm discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

0ed7abf2fca30a23aebd09b15a3fbf47d544923fc71f69ee1e5e16de46833bbd

Threat Level: Known bad

The file 0ed7abf2fca30a23aebd09b15a3fbf47d544923fc71f69ee1e5e16de46833bbd was found to be: Known bad.

Malicious Activity Summary

healer redline dozt norm discovery dropper evasion infostealer persistence trojan

Detects Healer, an antivirus-disabler dropper

RedLine payload

Redline family

Healer

Healer family

Modifies Windows Defender Real-time Protection settings

RedLine

Checks computer location settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-05 16:07

Signatures

Unsigned PE

Description Indicator Process Target
(1 match; no indicator, process or target details reported)

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-05 16:07

Reported

2024-11-05 16:10

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0ed7abf2fca30a23aebd09b15a3fbf47d544923fc71f69ee1e5e16de46833bbd.exe"

Signatures

Detects Healer, an antivirus-disabler dropper

Description Indicator Process Target
(2 matches; no indicator, process or target details reported)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr920578.exe (Target N/A for every row)
Key created      \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"

These are Group Policy settings (HKLM\SOFTWARE\Policies), which Defender applies in preference to its local configuration. The Real-Time Protection policy key is not present on a host where no administrator has configured such a policy, so an unsigned executable running from %TEMP% creating it and setting all five Disable* values to 1 is a high-confidence indicator on its own. Writing under HKLM\SOFTWARE\Policies needs administrative rights, which the sandbox user (Admin) had. The rows record the registry writes, not their effect: on a host with Tamper Protection on, Defender is designed to resist these changes, so the report shows the attempt, not whether Defender honoured it.

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(5 matches; no indicator, process or target details reported)

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku875939.exe N/A

Geo\Nation holds the country/region configured for the user (a GeoID), not a physical location. Stealer families commonly read it to avoid running in particular countries, so this is best read as a geofencing check by ku875939.exe; the report does not show what the process did with the value.

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr920578.exe N/A

TamperProtection is the value Defender guards once Tamper Protection is on; writing 0 to it directly is an attempt to switch the feature off so that the Real-Time Protection policy writes by the same process take effect. Tamper Protection exists to resist exactly this, so the row shows the attempt, not whether Defender accepted it. A write to this value by anything other than Defender itself or the management tooling that owns the setting is worth alerting on regardless of outcome.
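The two Defender-tampering signatures above (the Real-Time Protection policy writes and the TamperProtection write, both by jr920578.exe) are the rows a detection engineer would turn into a rule. The following is an added example, not code from the report or from the sandbox vendor: it encodes those registry indicators as rules and runs them over constructed records shaped like Sysmon Event ID 13 (RegistryEvent: Value Set). The record field names (event_id, image, target_object, details), the sample events and the list of untrusted directories are assumptions; the registry paths and value names are the ones the report lists.

```python
"""Detect Microsoft Defender tampering from registry 'value set' events.

Added example (not from the report). Registry paths and value names come from the
report; record field names, sample events and UNTRUSTED_DIR_HINTS are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Group Policy key Defender honours over its local settings; absent on unmanaged hosts.
RTP_POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
# Value Defender guards once Tamper Protection is on.
TAMPER_VALUE = r"SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection"
RTP_DISABLE_VALUES = {
    "DisableBehaviorMonitoring", "DisableIOAVProtection", "DisableOnAccessProtection",
    "DisableRealtimeMonitoring", "DisableScanOnRealtimeEnable",
}
# Writers running from user-writable or temp directories get the higher severity (assumed list).
UNTRUSTED_DIR_HINTS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\users\\public\\")

HKLM_PREFIXES = ("\\registry\\machine\\", "hklm\\", "hkey_local_machine\\")
WOW6432 = "software\\wow6432node\\"
_NUMBER = re.compile(r"(0x[0-9a-f]+|\d+)", re.I)


def normalize_hklm(target: str) -> Optional[str]:
    """Strip the HKLM hive (sandbox or Sysmon spelling) and fold the WOW6432Node view.

    Returns None for targets outside HKLM: the keys above live only there.
    """
    low = target.lower()
    for prefix in HKLM_PREFIXES:
        if low.startswith(prefix):
            rest = target[len(prefix):]
            if rest.lower().startswith(WOW6432):
                rest = "SOFTWARE\\" + rest[len(WOW6432):]
            return rest
    return None


def parse_dword(details: str) -> Optional[int]:
    """Accept the sandbox's '"1"' and Sysmon's 'DWORD (0x00000001)' renderings."""
    m = _NUMBER.search(details)
    if not m:
        return None
    token = m.group(1)
    return int(token, 16) if token.lower().startswith("0x") else int(token)


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    value_name: str
    severity: str


def evaluate(event: dict) -> Optional[Finding]:
    """Match one registry value-set record (Sysmon Event ID 13 shape) against the rules."""
    if event.get("event_id") != 13:
        return None
    path = normalize_hklm(event["target_object"])
    if path is None:
        return None
    key, _, value_name = path.rpartition("\\")
    number = parse_dword(event.get("details", ""))
    image = event.get("image", "")
    severity = "high" if any(h in image.lower() for h in UNTRUSTED_DIR_HINTS) else "medium"
    if key.lower() == RTP_POLICY_KEY.lower() and value_name in RTP_DISABLE_VALUES and number == 1:
        return Finding("defender_rtp_disabled_by_policy", image, value_name, severity)
    if path.lower() == TAMPER_VALUE.lower() and number == 0:
        return Finding("defender_tamper_protection_off", image, value_name, severity)
    return None


def scan(events: Iterable[dict]) -> List[Finding]:
    return [f for f in map(evaluate, events) if f is not None]


_JR = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr920578.exe"
_RTP = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"

# Constructed records: the report's writes in sandbox spelling, the TamperProtection write in
# Sysmon spelling, then two that must not fire (policy re-enabling RTP; a write outside HKLM).
SAMPLE_EVENTS = [
    *({"event_id": 13, "image": _JR, "target_object": _RTP + "\\" + name, "details": '"1"'}
      for name in sorted(RTP_DISABLE_VALUES)),
    {"event_id": 13, "image": _JR, "details": "DWORD (0x00000000)",
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection"},
    {"event_id": 13, "image": r"C:\Windows\System32\svchost.exe", "details": "DWORD (0x00000000)",
     "target_object": _RTP + r"\DisableRealtimeMonitoring"},
    {"event_id": 13, "image": _JR, "details": '"0"',
     "target_object": r"HKCU\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.severity:6} {f.rule:32} {f.value_name:28} {f.image}")
```

The hive normalisation matters because the same write is spelled \REGISTRY\MACHINE\... by the sandbox, HKLM\... by Sysmon and HKLM\SOFTWARE\WOW6432Node\... when a 32-bit process is redirected; a rule keyed on one spelling misses the others. The value is compared numerically so a policy refresh that sets DisableRealtimeMonitoring back to 0 does not fire.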

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\0ed7abf2fca30a23aebd09b15a3fbf47d544923fc71f69ee1e5e16de46833bbd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziBf1516.exe N/A

The IXP000.TMP and IXP001.TMP directories and the RunOnce values named wextract_cleanupN are the standard footprint of a Microsoft IExpress self-extracting package (wextract): each extractor registers a RunOnce entry that calls rundll32 advpack.dll,DelNodeRunDLL32 to delete its own extraction directory at the next logon. The entry removes evidence rather than starting the payload, so the "persistence" tag is the sandbox's generic classification of a RunOnce write, not a persistence mechanism for the malware. The two entries also show two nested IExpress layers: the sample extracts into IXP000.TMP, and ziBf1516.exe (itself extracted there) extracts into IXP001.TMP.

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Target N/A), by each of:
    C:\Users\Admin\AppData\Local\Temp\0ed7abf2fca30a23aebd09b15a3fbf47d544923fc71f69ee1e5e16de46833bbd.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziBf1516.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku875939.exe
    C:\Windows\Temp\1.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr062584.exe

This key is read by many runtimes and installers at start-up, so on its own it is a weak indicator; it is listed here because it fired for every stage of the chain, which is consistent with (but does not prove) a language check alongside the Geo\Nation lookup above.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr920578.exe N/A  (2 events)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr920578.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku875939.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4368 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\0ed7abf2fca30a23aebd09b15a3fbf47d544923fc71f69ee1e5e16de46833bbd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziBf1516.exe
PID 2500 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziBf1516.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr920578.exe
PID 2500 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziBf1516.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku875939.exe
PID 4744 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku875939.exe C:\Windows\Temp\1.exe
PID 4368 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\0ed7abf2fca30a23aebd09b15a3fbf47d544923fc71f69ee1e5e16de46833bbd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr062584.exe

Repeated rows collapsed: the report lists the 4368->2500, 2500->4744, 4744->4304 and 4368->2688 writes three times each and 2500->4404 twice. Each write is consistent with a parent populating a child it has just started, so the rows double as the process-creation record: sample -> ziBf1516.exe -> {jr920578.exe, ku875939.exe -> 1.exe}, and sample -> lr062584.exe.
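The WriteProcessMemory rows above are the only place the report exposes PIDs and parent/child pairs, so they are the raw material for reconstructing the execution chain. The following is an added example, not code from the report or the sandbox vendor: it parses rows in that table's layout, collapses the repeated ones, and renders the tree, marking the PID named by WerFault's -p argument as crashed. SAMPLE_ROWS and WERFAULT_CMDLINES are copied from this report; treating a parent's writes into a child as process creation is an inference, not a field the report provides.

```python
"""Rebuild the process tree from a sandbox report's WriteProcessMemory rows.

Added example (not from the report). SAMPLE_ROWS and WERFAULT_CMDLINES are copied from
the report; reading a parent's writes into a child as process creation is an inference.
"""
from __future__ import annotations
import re
from typing import Dict, List, NamedTuple, Set

ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+)\s+N/A\s+(.+)$")
# Process and Target are space-separated; split where the next absolute Windows path
# (drive letter + ':\') starts, so image paths that contain spaces still parse.
PATH_BOUNDARY = re.compile(r"\s+(?=[A-Za-z]:\\)")
WERFAULT_PID = re.compile(r"WerFault\.exe.*?\s-p\s+(\d+)", re.I)  # -p = crashing PID

SAMPLE_ROWS = r"""
PID 4368 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\0ed7abf2fca30a23aebd09b15a3fbf47d544923fc71f69ee1e5e16de46833bbd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziBf1516.exe
PID 4368 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\0ed7abf2fca30a23aebd09b15a3fbf47d544923fc71f69ee1e5e16de46833bbd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziBf1516.exe
PID 4368 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\0ed7abf2fca30a23aebd09b15a3fbf47d544923fc71f69ee1e5e16de46833bbd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziBf1516.exe
PID 2500 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziBf1516.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr920578.exe
PID 2500 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziBf1516.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr920578.exe
PID 2500 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziBf1516.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku875939.exe
PID 2500 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziBf1516.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku875939.exe
PID 2500 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziBf1516.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku875939.exe
PID 4744 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku875939.exe C:\Windows\Temp\1.exe
PID 4744 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku875939.exe C:\Windows\Temp\1.exe
PID 4744 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku875939.exe C:\Windows\Temp\1.exe
PID 4368 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\0ed7abf2fca30a23aebd09b15a3fbf47d544923fc71f69ee1e5e16de46833bbd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr062584.exe
PID 4368 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\0ed7abf2fca30a23aebd09b15a3fbf47d544923fc71f69ee1e5e16de46833bbd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr062584.exe
PID 4368 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\0ed7abf2fca30a23aebd09b15a3fbf47d544923fc71f69ee1e5e16de46833bbd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr062584.exe
"""
WERFAULT_CMDLINES = [r"C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4744 -ip 4744",
                     r"C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 1380"]

class ProcessTree(NamedTuple):
    roots: List[int]
    children: Dict[int, List[int]]   # parent PID -> child PIDs, in first-seen order
    parent_of: Dict[int, int]
    images: Dict[int, str]           # PID -> image path

def parse_rows(text: str) -> List[tuple]:
    """Unique (parent, child, parent_image, child_image) edges; repeated rows collapse."""
    seen: Dict[tuple, None] = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        paths = PATH_BOUNDARY.split(m.group(3).strip())
        if len(paths) != 2:
            raise ValueError(f"expected two image paths in row: {line!r}")
        seen.setdefault((int(m.group(1)), int(m.group(2)), paths[0], paths[1]), None)
    return list(seen)

def build_tree(edges: List[tuple]) -> ProcessTree:
    images: Dict[int, str] = {}
    children: Dict[int, List[int]] = {}
    parent_of: Dict[int, int] = {}
    for parent, child, parent_image, child_image in edges:
        images.setdefault(parent, parent_image)
        images.setdefault(child, child_image)
        parent_of[child] = parent
        if child not in children.setdefault(parent, []):
            children[parent].append(child)
    return ProcessTree([p for p in images if p not in parent_of], children, parent_of, images)

def chain_to(pid: int, parent_of: Dict[int, int]) -> List[int]:
    """Root-to-leaf PID chain for one process."""
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return chain[::-1]

def crashed_pids(cmdlines: List[str]) -> Set[int]:
    return {int(m.group(1)) for m in map(WERFAULT_PID.search, cmdlines) if m}

def render(tree: ProcessTree, crashed: Set[int] = frozenset()) -> List[str]:
    """Indented tree, one line per process, crashed PIDs tagged."""
    lines: List[str] = []
    def walk(pid: int, depth: int) -> None:
        tag = "  [crashed: WerFault]" if pid in crashed else ""
        lines.append(f"{'    ' * depth}{tree.images[pid]}  (PID {pid}){tag}")
        for kid in tree.children.get(pid, []):
            walk(kid, depth + 1)
    for root in tree.roots:
        walk(root, 0)
    return lines

if __name__ == "__main__":
    tree = build_tree(parse_rows(SAMPLE_ROWS))
    print("\n".join(render(tree, crashed_pids(WERFAULT_CMDLINES))))
    print("chain to 1.exe:", " -> ".join(map(str, chain_to(4304, tree.parent_of))))
```

The same parser applies to any report in this layout; the only assumption about the data is that both image columns are absolute Windows paths, which is what allows the Process/Target boundary to be found even when a path contains spaces.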

Processes

Command lines as recorded by the sandbox. PIDs and the parent/child layout are not stated by the report; they are inferred from the WriteProcessMemory rows above (each parent writes into the child it has just created) and from the WerFault command lines, whose -p argument names the crashing process.

C:\Users\Admin\AppData\Local\Temp\0ed7abf2fca30a23aebd09b15a3fbf47d544923fc71f69ee1e5e16de46833bbd.exe  (PID 4368; outer self-extractor, registers cleanup of IXP000.TMP)
    "C:\Users\Admin\AppData\Local\Temp\0ed7abf2fca30a23aebd09b15a3fbf47d544923fc71f69ee1e5e16de46833bbd.exe"

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziBf1516.exe  (PID 2500; inner self-extractor, registers cleanup of IXP001.TMP)
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziBf1516.exe

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr920578.exe  (PID 4404; writes the Defender policy and TamperProtection values)
            C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr920578.exe

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku875939.exe  (PID 4744; queries Geo\Nation, starts 1.exe, then crashes)
            C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku875939.exe

            C:\Windows\Temp\1.exe  (PID 4304)
                "C:\Windows\Temp\1.exe"

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr062584.exe  (PID 2688)
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr062584.exe

Windows Error Reporting for the crash of PID 4744 (ku875939.exe), the "Program crash" entry in the summary:

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4744 -ip 4744

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 1380

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 66.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Repeated rows collapsed: 77.91.124.145:4125/tcp appears 12 times in the report, interleaved with the DNS rows throughout the capture, and 150.171.27.10:443 five times; every other row appears once (28 rows in total).

The only destination with no hostname is 77.91.124.145:4125 (FI): the sample connected to it by IP, repeatedly, and no DNS query for it appears in the table, which is consistent with a hard-coded C2 address and port. The reverse (PTR) lookups through 8.8.8.8 and the tse1.mm.bing.net HTTPS traffic are typical Windows and sandbox background activity. 77.91.124.145:4125/tcp is therefore the network indicator to block and hunt for.
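Separating the sample's own traffic from DNS and OS background noise in the Network table above is a routine triage step, and the distinguishing feature here is a TCP destination with no hostname. The following is an added example, not code from the report or the sandbox vendor: it parses rows in the report's Country/Destination/Domain/Proto layout, counts connections per endpoint, and surfaces direct-to-IP TCP endpoints as C2 candidates. SAMPLE_TABLE reproduces the report's 28 rows, repeats included; BACKGROUND_SUFFIXES is an assumed list of background hostnames, not something the report provides.

```python
"""Triage the Network table of a sandbox report.

Added example (not from the report). SAMPLE_TABLE is copied from the report;
BACKGROUND_SUFFIXES is an assumed list of OS/sandbox background hostnames.
"""
from __future__ import annotations
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional, Tuple

# "<CC> <ip>:<port> [<domain>] <proto>"; Domain is absent for connections made straight to an IP.
ROW = re.compile(r"^([A-Z]{2})\s+(\S+):(\d+)\s+(?:(\S+)\s+)?(tcp|udp)$")
BACKGROUND_SUFFIXES = (".bing.net", ".microsoft.com", ".windows.com", ".msftconnecttest.com")

class Endpoint(NamedTuple):
    country: str
    ip: str
    port: int
    proto: str
    domain: Optional[str]

SAMPLE_TABLE = """
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 66.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
"""

def parse_table(text: str) -> List[Endpoint]:
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(Endpoint(m.group(1), m.group(2), int(m.group(3)), m.group(5), m.group(4)))
    return rows

def classify(ep: Endpoint) -> str:
    """dns / background / direct-to-ip / other."""
    if ep.proto == "udp" and ep.port == 53:
        return "dns"                       # includes the in-addr.arpa (PTR) lookups
    if ep.domain and ep.domain.lower().endswith(BACKGROUND_SUFFIXES):
        return "background"
    if ep.domain is None and ep.proto == "tcp":
        return "direct-to-ip"              # no hostname at all: address hard-coded in the binary
    return "other"

def summarize(rows: List[Endpoint]) -> Dict[str, Counter]:
    """Connection counts per endpoint, bucketed by classification."""
    buckets: Dict[str, Counter] = {}
    for ep in rows:
        buckets.setdefault(classify(ep), Counter())[ep] += 1
    return buckets

def candidate_c2(rows: List[Endpoint]) -> List[Tuple[str, int, str, int]]:
    """Direct-to-IP TCP endpoints, busiest first, as (ip, port, country, connections)."""
    direct = summarize(rows).get("direct-to-ip", Counter())
    return [(ep.ip, ep.port, ep.country, n) for ep, n in direct.most_common()]

if __name__ == "__main__":
    rows = parse_table(SAMPLE_TABLE)
    for bucket, counter in summarize(rows).items():
        print(f"{bucket:13} {sum(counter.values()):3} connections, {len(counter)} distinct endpoints")
    for ip, port, cc, n in candidate_c2(rows):
        print(f"candidate C2: {ip}:{port}/tcp ({cc}), {n} connections, no hostname")
```

The "direct-to-ip" heuristic is deliberately narrow: it flags only TCP endpoints the sandbox could not tie to a name, so a hostname-based C2 would land in "other" and still need a look; the background list only trims hostnames you have already decided are noise.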

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziBf1516.exe

MD5 12d1d04ae44efc38fd59b5cf957b57d7
SHA1 e0c1fa5c347702b89aa70f7e6ded2b274a58f4d7
SHA256 8dc9a818238562af13784e5f23a8ad5a9755984296d680c7592d02c52d5acb92
SHA512 a77a30f8475d80fc5ad2b8bed0996dc6ab84a9551dd1b4790e0add46cdc30a93ee83650a11fc85b09a59cf933b4310a100d0719b206604fead4267322bc22b8d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr920578.exe

MD5 83ad0f8b3a425a59975fa280cf1050f3
SHA1 9fb2abaac818738692e93397bb7fc72bc203a9b5
SHA256 3427284163d7c85935099aa7af2b58bdb398d463a757c3baa67b60b6283b097d
SHA512 544e546130e2d7e33e7f50158270474d9e1668eccba485282ceaae4164aa87172ad19dab24586be74cc7ae10ccd2b20b573b91afca9608f8bd6f9fa5cd8e165d

memory/4404-14-0x00007FFF6FF33000-0x00007FFF6FF35000-memory.dmp

memory/4404-15-0x00000000006E0000-0x00000000006EA000-memory.dmp

memory/4404-16-0x00007FFF6FF33000-0x00007FFF6FF35000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku875939.exe

MD5 dde86946ae0a3aaad5ad942c46a1ee5a
SHA1 aecd70b237ccd91cbb287edfd4311cc3fd3ba26e
SHA256 82fcdf240ac57c96b7f59422b356344c41d8a0c64e00e222cd5d01b63252670a
SHA512 3f0294b3f78c30f801fbc4562075a1fc3aa53e032e66bac35378c57a455947899fdbc8d51e6b3ee4b70e1a0c977618833af00574ca4ed72849830a55ea0cb1c6

memory/4744-22-0x0000000004CB0000-0x0000000004D16000-memory.dmp

memory/4744-23-0x0000000004D50000-0x00000000052F4000-memory.dmp

memory/4744-24-0x0000000005300000-0x0000000005366000-memory.dmp

memory/4744-{25,26,28,30,32,34,36,38,40,42,44,46,48,50,52,54,56,58,60,62,64,66,68,70,72,74,76,78,80,82,84,86,88}-0x0000000005300000-0x000000000535F000-memory.dmp

memory/4744-2105-0x0000000005540000-0x0000000005572000-memory.dmp

The 0x05300000-0x0535F000 region of ku875939.exe (PID 4744) was dumped 33 times (dump indices 25 through 88, collapsed into one line above). A sandbox re-dumps a region whose contents keep changing, so this typically indicates in-place decryption or unpacking in progress while the process ran.

C:\Windows\Temp\1.exe

MD5 1073b2e7f778788852d3f7bb79929882
SHA1 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256 c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA512 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

memory/4304-2118-0x0000000000200000-0x0000000000230000-memory.dmp

memory/4304-2119-0x0000000004B20000-0x0000000004B26000-memory.dmp

memory/4304-2120-0x0000000005230000-0x0000000005848000-memory.dmp

memory/4304-2121-0x0000000004D20000-0x0000000004E2A000-memory.dmp

memory/4304-2122-0x0000000004B70000-0x0000000004B82000-memory.dmp

memory/4304-2123-0x0000000004C10000-0x0000000004C4C000-memory.dmp

memory/4304-2124-0x0000000004C50000-0x0000000004C9C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr062584.exe

MD5 9c8d09e9b9a28707a6a3bc0666010d3f
SHA1 739714c71e48c03e08a902f1c0fefb1d2c162c0a
SHA256 d81bf503d61284533d010e321c3db9e7f52be284b6f913c8d42cb4ffc7adbc82
SHA512 5cac99e4afa007a97047bac152030d4914cd73d609bcd08450968748a687bef78a585e9723904367ff196e3461f2a4d533cb0272550113a1c49249cae2f117bd

memory/2688-2129-0x00000000009E0000-0x0000000000A10000-memory.dmp

memory/2688-2130-0x00000000051C0000-0x00000000051C6000-memory.dmp