Malware Analysis Report

2025-01-23 06:48

Sample ID 241105-xd334axckl
Target 159dcf3aedb78137b0bab23d455c10951d4225cbf853851ed37684bc3cd09ef6
SHA256 159dcf3aedb78137b0bab23d455c10951d4225cbf853851ed37684bc3cd09ef6
Tags
healer redline dozt norm discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

159dcf3aedb78137b0bab23d455c10951d4225cbf853851ed37684bc3cd09ef6

Threat Level: Known bad

The file 159dcf3aedb78137b0bab23d455c10951d4225cbf853851ed37684bc3cd09ef6 was found to be: Known bad.

Malicious Activity Summary

healer redline dozt norm discovery dropper evasion infostealer persistence trojan

Healer family

Healer

Detects Healer, an antivirus-disabler dropper

Redline family

RedLine

RedLine payload

Modifies Windows Defender Real-time Protection settings

Windows security modification

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-05 18:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-05 18:45

Reported

2024-11-05 18:47

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\159dcf3aedb78137b0bab23d455c10951d4225cbf853851ed37684bc3cd09ef6.exe"

Signatures

Detects Healer, an antivirus-disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr740821.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr740821.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr740821.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr740821.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr740821.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr740821.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku425116.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr740821.exe N/A
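As a worked check on the two Defender tables above (this is an added example, not the sandbox's own detection logic): it parses "Set value" rows in the report's row format, matches them against the Defender policy and feature values that switch a protection component off, and groups the hits by the process that wrote them. The first seven rows are copied from the tables; the final svchost.exe row is constructed as a benign control and must not be flagged.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple

POLICY_RTP = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEATURES = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features"

# (key, value name) -> data that switches the corresponding protection off.
# Lower-cased because registry paths and value names are case-insensitive.
DEFENDER_KILL_SWITCHES: Dict[Tuple[str, str], str] = {
    (key.lower(), name.lower()): data
    for (key, name), data in {
        (POLICY_RTP, "DisableRealtimeMonitoring"): "1",
        (POLICY_RTP, "DisableBehaviorMonitoring"): "1",
        (POLICY_RTP, "DisableIOAVProtection"): "1",
        (POLICY_RTP, "DisableOnAccessProtection"): "1",
        (POLICY_RTP, "DisableScanOnRealtimeEnable"): "1",
        (FEATURES, "TamperProtection"): "0",
    }.items()
}

# Row shape in the report: Set value (<type>) <key>\<name> = "<data>" <process image> <target>
RE_SET_VALUE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>[^"]*)" (?P<proc>.+?) (?P<target>\S+)$'
)


class RegWrite(NamedTuple):
    process: str
    key: str
    name: str
    data: str


def parse_set_value(row: str) -> Optional[RegWrite]:
    """Parse one 'Set value' row; 'Key created'/'Key opened' rows and headers give None."""
    m = RE_SET_VALUE.match(row.strip())
    if not m:
        return None
    key, _, name = m["path"].rpartition("\\")
    return RegWrite(m["proc"], key, name, m["data"])


def find_defender_tampering(rows: List[str]) -> List[RegWrite]:
    """Return the writes that set a known Defender kill switch to its 'off' data."""
    hits: List[RegWrite] = []
    for row in rows:
        w = parse_set_value(row)
        if w is None:
            continue
        off_data = DEFENDER_KILL_SWITCHES.get((w.key.lower(), w.name.lower()))
        if off_data is not None and w.data == off_data:
            hits.append(w)
    return hits


def tampering_by_process(rows: List[str]) -> Dict[str, List[str]]:
    """Group the flagged value names by the image that wrote them."""
    grouped: Dict[str, List[str]] = defaultdict(list)
    for w in find_defender_tampering(rows):
        grouped[w.process].append(w.name)
    return {proc: sorted(names) for proc, names in grouped.items()}


# Rows 1-7 are copied from the tables above. The last row is constructed as a benign
# control: the same value name written with "0" by svchost.exe, which must not be flagged.
SAMPLE_EVENTS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr740821.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr740821.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr740821.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr740821.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr740821.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr740821.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr740821.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0" C:\Windows\System32\svchost.exe N/A
""".strip().splitlines()

if __name__ == "__main__":
    for proc, names in tampering_by_process(SAMPLE_EVENTS).items():
        print(f"{proc}\n  switched off: {', '.join(names)}")
```

The report records the write attempts; it does not show whether Defender honoured them, and the sandbox VM is not a Tamper Protection-enabled endpoint. On a host where Tamper Protection is on, Defender is designed to ignore attempts to turn these components off through the registry, so treat the same events in endpoint telemetry as a detection signal and confirm the real state with Get-MpComputerStatus (RealTimeProtectionEnabled, IsTamperProtected) rather than assuming the AV was disabled.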

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\159dcf3aedb78137b0bab23d455c10951d4225cbf853851ed37684bc3cd09ef6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziIp4234.exe N/A
Note: wextract_cleanupN RunOnce values that invoke advpack.dll,DelNodeRunDLL32 are the built-in self-cleanup of IExpress (wextract) self-extracting packages: each nested layer unpacks into its own IXPnnn.TMP directory and registers that directory for deletion at the next logon. These entries delete the staging directories rather than relaunch a payload, so this hit reflects the packer used to wrap the sample, not persistence of the final payload.

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku425116.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr467122.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\159dcf3aedb78137b0bab23d455c10951d4225cbf853851ed37684bc3cd09ef6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziIp4234.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr740821.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr740821.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr740821.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku425116.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4028 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\159dcf3aedb78137b0bab23d455c10951d4225cbf853851ed37684bc3cd09ef6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziIp4234.exe
PID 4028 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\159dcf3aedb78137b0bab23d455c10951d4225cbf853851ed37684bc3cd09ef6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziIp4234.exe
PID 4028 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\159dcf3aedb78137b0bab23d455c10951d4225cbf853851ed37684bc3cd09ef6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziIp4234.exe
PID 2672 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziIp4234.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr740821.exe
PID 2672 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziIp4234.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr740821.exe
PID 2672 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziIp4234.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku425116.exe
PID 2672 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziIp4234.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku425116.exe
PID 2672 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziIp4234.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku425116.exe
PID 3568 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku425116.exe C:\Windows\Temp\1.exe
PID 3568 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku425116.exe C:\Windows\Temp\1.exe
PID 3568 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku425116.exe C:\Windows\Temp\1.exe
PID 4028 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\159dcf3aedb78137b0bab23d455c10951d4225cbf853851ed37684bc3cd09ef6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr467122.exe
PID 4028 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\159dcf3aedb78137b0bab23d455c10951d4225cbf853851ed37684bc3cd09ef6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr467122.exe
PID 4028 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\159dcf3aedb78137b0bab23d455c10951d4225cbf853851ed37684bc3cd09ef6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr467122.exe
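The rows above are parent-to-child memory writes made while each stage starts the next, so they can be folded into a process tree. The block below is an added example (not sandbox output or tooling) that parses the report's row format, deduplicates repeated writes into per-edge counts, and renders the tree in the order the report first shows each write. The rows are copied from the table above; WerFault.exe does not appear because the sample never wrote into it.

```python
import re
from typing import Dict, List, Optional, Tuple

# Row shape: PID <src> wrote to memory of <dst> <indicator> <src image> <dst image>
RE_WPM = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P<ind>\S+) (?P<src_img>.+?) (?P<dst_img>\S+)$"
)


def parse_wpm_rows(rows: List[str]) -> Tuple[Dict[int, str], Dict[Tuple[int, int], int]]:
    """Return (pid -> image path, (writer, target) -> number of writes), edges in first-seen order."""
    images: Dict[int, str] = {}
    edges: Dict[Tuple[int, int], int] = {}
    for row in rows:
        m = RE_WPM.match(row.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        images.setdefault(src, m["src_img"])
        images.setdefault(dst, m["dst_img"])
        edges[(src, dst)] = edges.get((src, dst), 0) + 1
    return images, edges


def build_tree(edges: Dict[Tuple[int, int], int]) -> Dict[int, List[int]]:
    """Writer -> targets, keeping the order in which the report first shows each write."""
    children: Dict[int, List[int]] = {}
    for src, dst in edges:
        children.setdefault(src, []).append(dst)
    return children


def roots(edges: Dict[Tuple[int, int], int]) -> List[int]:
    """Processes that wrote into others but were never written into: the submitted sample."""
    writers = {s for s, _ in edges}
    targets = {d for _, d in edges}
    return sorted(writers - targets)


def render(children, images, edges, pid: int, parent: Optional[int] = None, depth: int = 0) -> List[str]:
    label = f"{'  ' * depth}{pid}  {images.get(pid, '?')}"
    if parent is not None:
        label += f"  [{edges[(parent, pid)]} write(s) from {parent}]"
    lines = [label]
    for child in children.get(pid, []):
        lines.extend(render(children, images, edges, child, pid, depth + 1))
    return lines


# Copied from the WriteProcessMemory table above.
WPM_ROWS = r"""
PID 4028 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\159dcf3aedb78137b0bab23d455c10951d4225cbf853851ed37684bc3cd09ef6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziIp4234.exe
PID 4028 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\159dcf3aedb78137b0bab23d455c10951d4225cbf853851ed37684bc3cd09ef6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziIp4234.exe
PID 4028 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\159dcf3aedb78137b0bab23d455c10951d4225cbf853851ed37684bc3cd09ef6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziIp4234.exe
PID 2672 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziIp4234.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr740821.exe
PID 2672 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziIp4234.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr740821.exe
PID 2672 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziIp4234.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku425116.exe
PID 2672 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziIp4234.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku425116.exe
PID 2672 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziIp4234.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku425116.exe
PID 3568 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku425116.exe C:\Windows\Temp\1.exe
PID 3568 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku425116.exe C:\Windows\Temp\1.exe
PID 3568 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku425116.exe C:\Windows\Temp\1.exe
PID 4028 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\159dcf3aedb78137b0bab23d455c10951d4225cbf853851ed37684bc3cd09ef6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr467122.exe
PID 4028 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\159dcf3aedb78137b0bab23d455c10951d4225cbf853851ed37684bc3cd09ef6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr467122.exe
PID 4028 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\159dcf3aedb78137b0bab23d455c10951d4225cbf853851ed37684bc3cd09ef6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr467122.exe
""".strip().splitlines()

if __name__ == "__main__":
    images, edges = parse_wpm_rows(WPM_ROWS)
    tree = build_tree(edges)
    for root in roots(edges):
        print("\n".join(render(tree, images, edges, root)))
```

Read with the IXP directory names, the tree shows two nested extraction layers: the submitted sample (4028) unpacks ziIp4234.exe and lr467122.exe into IXP000.TMP; ziIp4234.exe (2672) unpacks jr740821.exe (the process that wrote the Defender values above) and ku425116.exe into IXP001.TMP; ku425116.exe (3568) drops and starts C:\Windows\Temp\1.exe, and is also the process that later crashed under WerFault (-p 3568 in the Processes list).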

Processes

C:\Users\Admin\AppData\Local\Temp\159dcf3aedb78137b0bab23d455c10951d4225cbf853851ed37684bc3cd09ef6.exe

"C:\Users\Admin\AppData\Local\Temp\159dcf3aedb78137b0bab23d455c10951d4225cbf853851ed37684bc3cd09ef6.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziIp4234.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziIp4234.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr740821.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr740821.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku425116.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku425116.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3568 -ip 3568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 1504

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr467122.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr467122.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
FI 77.91.124.145:4125 N/A tcp
FI 77.91.124.145:4125 N/A tcp
FI 77.91.124.145:4125 N/A tcp
FI 77.91.124.145:4125 N/A tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
FI 77.91.124.145:4125 N/A tcp
FI 77.91.124.145:4125 N/A tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
FI 77.91.124.145:4125 N/A tcp
FI 77.91.124.145:4125 N/A tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
FI 77.91.124.145:4125 N/A tcp
FI 77.91.124.145:4125 N/A tcp
FI 77.91.124.145:4125 N/A tcp
FI 77.91.124.145:4125 N/A tcp
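The network table mixes three kinds of traffic: reverse-DNS (PTR) lookups of addresses the VM talked to in the background, a Bing lookup and TLS sessions that belong to the Windows image, and repeated raw TCP sessions to 77.91.124.145:4125 with no DNS lookup and no domain. The report does not label that endpoint; calling it the candidate C2 is an inference from the table (the only non-Microsoft destination, contacted twelve times, direct to IP). The block below is an added triage example, not sandbox tooling: it parses rows in the table's format, whether the empty Domain column is absent or written as N/A, decodes PTR names back to the looked-up address, and ranks direct-to-IP endpoints by connection count. The rows are copied from the table above.

```python
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Optional


class NetEvent(NamedTuple):
    country: str
    ip: str
    port: int
    domain: Optional[str]
    proto: str


def parse_network_row(row: str) -> Optional[NetEvent]:
    """Parse 'Country Destination [Domain] Proto'; a missing, '-' or 'N/A' domain means none."""
    parts = row.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = "N/A"
    else:
        return None
    ip, sep, port = dest.rpartition(":")
    if not sep or not port.isdigit():
        return None                       # header row or malformed destination
    return NetEvent(country, ip, int(port), None if domain in ("-", "N/A") else domain, proto.lower())


def ptr_to_ip(name: str) -> Optional[str]:
    """'196.249.167.52.in-addr.arpa' -> '52.167.249.196', the address that was reverse-resolved."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def classify(ev: NetEvent) -> str:
    if ev.port == 53 and ev.proto == "udp":
        return "rdns" if ev.domain and ptr_to_ip(ev.domain) else "dns"
    return "named" if ev.domain else "direct-ip"


def triage(rows: List[str]) -> Dict[str, object]:
    buckets: Dict[str, List[NetEvent]] = defaultdict(list)
    for ev in filter(None, map(parse_network_row, rows)):
        buckets[classify(ev)].append(ev)
    # Direct-to-IP sessions with no name resolution are the usual shape of a hard-coded
    # stealer C2; rank them by how often the sample (re)connected.
    direct = Counter((e.country, e.ip, e.port, e.proto) for e in buckets["direct-ip"])
    candidates = [
        {"country": c, "ip": ip, "port": port, "proto": proto, "connections": n}
        for (c, ip, port, proto), n in direct.most_common()
    ]
    return {
        "candidates": candidates,
        "named": Counter((e.domain, e.port) for e in buckets["named"]),
        "dns_queries": [e.domain for e in buckets["dns"]],
        "rdns_targets": sorted({ptr_to_ip(e.domain) for e in buckets["rdns"]}),
    }


# Copied from the Network table above (header included to show it is skipped).
NETWORK_ROWS = """
Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
""".strip().splitlines()

if __name__ == "__main__":
    result = triage(NETWORK_ROWS)
    for c in result["candidates"]:
        print(f"candidate C2: {c['ip']}:{c['port']}/{c['proto']} ({c['country']}), {c['connections']} connections")
    print("reverse-resolved addresses:", ", ".join(result["rdns_targets"]))
```

The decoded PTR targets and the bing.net sessions are useful only for ruling traffic out; the IOC worth blocking and hunting for from this table is 77.91.124.145 on TCP port 4125, and the row counts give the reconnect cadence to expect in proxy or firewall logs.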

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziIp4234.exe

MD5 9b730d4e9d4f97c0f68ebb4e7cc33499
SHA1 0a19f6c93dec9223cb61f1f5f7bd2a6cb2d53de1
SHA256 88f789c97469a9ca125d21e3ca11ef8e1603d8d98d4cc2fc2a1341848ecd4b99
SHA512 cc0198d6639b37eb6b61e0fda065110aa60837a737886aed0b5c1f7ad7849180387a7fcfe7c6468d43e99ce63b6cc194e72d4ab20ed1d29e2182ec06b8c93cf0

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr740821.exe

MD5 6738eac5b0f1682e8a405fe64bf387ea
SHA1 3869baf9b30f7db69d54a140db40a890f40fad98
SHA256 1fcd924e520106664ed759924eb74819828823ce1d13a6ec47604f67fa69e15c
SHA512 54940ba5013689b9fe7b97feb93d19341800a13cd3de07636834666e667b67f64baaab442578070c08cac9ebb0425c71ff23f14549829b2dccd4784009c5949c

memory/4176-14-0x00007FFD0A653000-0x00007FFD0A655000-memory.dmp

memory/4176-15-0x0000000000C70000-0x0000000000C7A000-memory.dmp

memory/4176-16-0x00007FFD0A653000-0x00007FFD0A655000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku425116.exe

MD5 4848af8c07a3dc5b75097ec73fe1a289
SHA1 0a018ec3cda318e097247a070e82cd1b13457660
SHA256 04871282c00f10501fdee9b7937fcc3eb7a495edf3cf97128c0a104cfe296b29
SHA512 f5635c39b6c2e9cd00c97ffd5f20ce5aa30cb63b09be0ddef6d7fd72070599c3d53388ffbf67afdfdf9de8515082ab6c56583bfe942fa50dcc40face07cf14fd

memory/3568-22-0x00000000025F0000-0x0000000002656000-memory.dmp

memory/3568-23-0x0000000004C10000-0x00000000051B4000-memory.dmp

memory/3568-24-0x00000000051C0000-0x0000000005226000-memory.dmp

memory/3568-26-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3568-40-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3568-88-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3568-86-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3568-84-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3568-82-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3568-80-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3568-76-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3568-74-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3568-72-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3568-70-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3568-68-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3568-66-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3568-64-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3568-62-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3568-60-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3568-58-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3568-56-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3568-54-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3568-50-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3568-48-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3568-46-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3568-44-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3568-42-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3568-38-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3568-36-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3568-34-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3568-32-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3568-30-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3568-28-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3568-78-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3568-52-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3568-25-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3568-2105-0x0000000005400000-0x0000000005432000-memory.dmp

C:\Windows\Temp\1.exe

MD5 1073b2e7f778788852d3f7bb79929882
SHA1 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256 c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA512 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

memory/2664-2118-0x0000000000BB0000-0x0000000000BE0000-memory.dmp

memory/2664-2119-0x0000000002F00000-0x0000000002F06000-memory.dmp

memory/2664-2120-0x0000000005AE0000-0x00000000060F8000-memory.dmp

memory/2664-2121-0x0000000005600000-0x000000000570A000-memory.dmp

memory/2664-2122-0x0000000005530000-0x0000000005542000-memory.dmp

memory/2664-2123-0x0000000005590000-0x00000000055CC000-memory.dmp

memory/2664-2124-0x0000000005710000-0x000000000575C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr467122.exe

MD5 740c8cc1da1e6c3a2db7551e24219cc6
SHA1 ae2036ad907706ee3fb57eeae5f3f1d719ebe913
SHA256 073cf5511f27d66a1c59c901566a7b4982c95d564daf96846554cce9abcb0e65
SHA512 b5504301eeef51aa80463a2947d1afd1b64d7baf04480ecc68cb88f38f5e94994e412bfb13fef62dfa8d50c5173e71feb77c01aa3687ea3fab8d400b88d27107

memory/400-2129-0x0000000000400000-0x0000000000430000-memory.dmp

memory/400-2130-0x0000000002460000-0x0000000002466000-memory.dmp