Malware Analysis Report

2025-01-23 06:50

Sample ID 241105-zep9qsyfll
Target 5def0112af764736f2bdc5ee4782f67969f2f08d64242935e0d0240db00cd518
SHA256 5def0112af764736f2bdc5ee4782f67969f2f08d64242935e0d0240db00cd518
Tags
healer redline dozt norm discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5def0112af764736f2bdc5ee4782f67969f2f08d64242935e0d0240db00cd518

Threat Level: Known bad

The file 5def0112af764736f2bdc5ee4782f67969f2f08d64242935e0d0240db00cd518 was found to be: Known bad.

Malicious Activity Summary

healer redline dozt norm discovery dropper evasion infostealer persistence trojan

RedLine payload

Redline family

Detects Healer an antivirus disabler dropper

RedLine

Healer

Healer family

Modifies Windows Defender Real-time Protection settings

Windows security modification

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Program crash

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-05 20:38

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-05 20:38

Reported

2024-11-05 20:40

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5def0112af764736f2bdc5ee4782f67969f2f08d64242935e0d0240db00cd518.exe"

Signatures

Detects Healer an antivirus disabler dropper


Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr875416.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr875416.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr875416.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr875416.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr875416.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr875416.exe N/A

RedLine

infostealer redline

RedLine payload


Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku999223.exe N/A

Windows security modification

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr875416.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\5def0112af764736f2bdc5ee4782f67969f2f08d64242935e0d0240db00cd518.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZG4748.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5def0112af764736f2bdc5ee4782f67969f2f08d64242935e0d0240db00cd518.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZG4748.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku999223.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr600069.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr875416.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr875416.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr875416.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku999223.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 428 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\5def0112af764736f2bdc5ee4782f67969f2f08d64242935e0d0240db00cd518.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZG4748.exe
PID 428 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\5def0112af764736f2bdc5ee4782f67969f2f08d64242935e0d0240db00cd518.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZG4748.exe
PID 428 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\5def0112af764736f2bdc5ee4782f67969f2f08d64242935e0d0240db00cd518.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZG4748.exe
PID 868 wrote to memory of 368 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZG4748.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr875416.exe
PID 868 wrote to memory of 368 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZG4748.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr875416.exe
PID 868 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZG4748.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku999223.exe
PID 868 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZG4748.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku999223.exe
PID 868 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZG4748.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku999223.exe
PID 4648 wrote to memory of 5548 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku999223.exe C:\Windows\Temp\1.exe
PID 4648 wrote to memory of 5548 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku999223.exe C:\Windows\Temp\1.exe
PID 4648 wrote to memory of 5548 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku999223.exe C:\Windows\Temp\1.exe
PID 428 wrote to memory of 5560 N/A C:\Users\Admin\AppData\Local\Temp\5def0112af764736f2bdc5ee4782f67969f2f08d64242935e0d0240db00cd518.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr600069.exe
PID 428 wrote to memory of 5560 N/A C:\Users\Admin\AppData\Local\Temp\5def0112af764736f2bdc5ee4782f67969f2f08d64242935e0d0240db00cd518.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr600069.exe
PID 428 wrote to memory of 5560 N/A C:\Users\Admin\AppData\Local\Temp\5def0112af764736f2bdc5ee4782f67969f2f08d64242935e0d0240db00cd518.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr600069.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5def0112af764736f2bdc5ee4782f67969f2f08d64242935e0d0240db00cd518.exe

"C:\Users\Admin\AppData\Local\Temp\5def0112af764736f2bdc5ee4782f67969f2f08d64242935e0d0240db00cd518.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZG4748.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZG4748.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr875416.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr875416.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku999223.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku999223.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4648 -ip 4648

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 1512

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr600069.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr600069.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZG4748.exe

MD5 e09d9002e509192bfab96eb536832cc6
SHA1 f9b2b49aece5c2361a173327a7dcb842c9f52c84
SHA256 cc0497d737a6af9bd93aa58255587ad2e9ce58d21d3868b783daab005e28fe4e
SHA512 dd5945dc6ee69332b552c3108cd695b176fed0d1bc042ddd5d308b70858c37e0f2cb2fb41be3021e06b4a8d4d1ad303dbb2a4c76a419ba186755044a1311551a

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr875416.exe

MD5 b6bd3599fa4868bc2efea24d5b8d60f1
SHA1 44a87012a5e5267f6de609340235205eb820bf3a
SHA256 b254c0877e6a183ec792f1cfee5c75506f874abb68afe51dfd41b22a8203a971
SHA512 995cef82099d2a57b740f679529493f0e662fd78ee423d76a4ea75b1fcae56e70bca1b1f445189d70ac7d41337ba91daa6c36804bd0c364e97316faba1cbe5f6

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku999223.exe

MD5 a375950565a2bfc63c3246f63e083f41
SHA1 82e35c15b21400752dd6594c41715c571c1fd3f1
SHA256 a21fe7db763d67507dc3f5cd8a97a3a5d8b44ed91c959b3c09facb311aa9deaf
SHA512 af30f812896f56926887e8a2af3013a56868688ccc78e068d9bd1268a92fc4a40d177eb65b3b237ec1fe63379e9f07fc402d29e61ae5d444ca9b5fb39da1b8f0

C:\Windows\Temp\1.exe

MD5 1073b2e7f778788852d3f7bb79929882
SHA1 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256 c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA512 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr600069.exe

MD5 059a62c0b123cc855f968964ab1d6972
SHA1 e7886089ac37f7228c2dee624819f0573b6b8c09
SHA256 32af5a9a893ea3440e14a22cbdf2fc64c21e75072d34e79898e1bff1b456482c
SHA512 eaac7b5b7851d943bc83cd0efba406bad0c1832f61b1c470710347a536437ec09939660f1887e82370dfc4b2eb0e44945b7e16e8f67685439faa3bcb02c682b2
