Malware Analysis Report

2025-01-23 06:44

Sample ID 241105-zf5e2s1kam
Target 04580b36fc34683cad05106c0ea5c337d64c9d1b49d77d8f2d4fa5666f9a0224
SHA256 04580b36fc34683cad05106c0ea5c337d64c9d1b49d77d8f2d4fa5666f9a0224
Tags
healer redline dozt norm discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

04580b36fc34683cad05106c0ea5c337d64c9d1b49d77d8f2d4fa5666f9a0224

Threat Level: Known bad

The file 04580b36fc34683cad05106c0ea5c337d64c9d1b49d77d8f2d4fa5666f9a0224 was found to be: Known bad.

Malicious Activity Summary

healer redline dozt norm discovery dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

Healer

RedLine

RedLine payload

Detects Healer, an antivirus disabler dropper

Healer family

Redline family

Windows security modification

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-05 20:40

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-05 20:40

Reported

2024-11-05 20:43

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\04580b36fc34683cad05106c0ea5c337d64c9d1b49d77d8f2d4fa5666f9a0224.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr028981.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr028981.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr028981.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr028981.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr028981.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr028981.exe N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku881751.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr028981.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\04580b36fc34683cad05106c0ea5c337d64c9d1b49d77d8f2d4fa5666f9a0224.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziHy9891.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr614688.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\04580b36fc34683cad05106c0ea5c337d64c9d1b49d77d8f2d4fa5666f9a0224.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziHy9891.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku881751.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr028981.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr028981.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr028981.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku881751.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4276 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\04580b36fc34683cad05106c0ea5c337d64c9d1b49d77d8f2d4fa5666f9a0224.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziHy9891.exe
PID 4276 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\04580b36fc34683cad05106c0ea5c337d64c9d1b49d77d8f2d4fa5666f9a0224.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziHy9891.exe
PID 4276 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\04580b36fc34683cad05106c0ea5c337d64c9d1b49d77d8f2d4fa5666f9a0224.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziHy9891.exe
PID 2540 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziHy9891.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr028981.exe
PID 2540 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziHy9891.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr028981.exe
PID 2540 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziHy9891.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku881751.exe
PID 2540 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziHy9891.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku881751.exe
PID 2540 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziHy9891.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku881751.exe
PID 4472 wrote to memory of 5232 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku881751.exe C:\Windows\Temp\1.exe
PID 4472 wrote to memory of 5232 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku881751.exe C:\Windows\Temp\1.exe
PID 4472 wrote to memory of 5232 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku881751.exe C:\Windows\Temp\1.exe
PID 4276 wrote to memory of 5632 N/A C:\Users\Admin\AppData\Local\Temp\04580b36fc34683cad05106c0ea5c337d64c9d1b49d77d8f2d4fa5666f9a0224.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr614688.exe
PID 4276 wrote to memory of 5632 N/A C:\Users\Admin\AppData\Local\Temp\04580b36fc34683cad05106c0ea5c337d64c9d1b49d77d8f2d4fa5666f9a0224.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr614688.exe
PID 4276 wrote to memory of 5632 N/A C:\Users\Admin\AppData\Local\Temp\04580b36fc34683cad05106c0ea5c337d64c9d1b49d77d8f2d4fa5666f9a0224.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr614688.exe

Processes

C:\Users\Admin\AppData\Local\Temp\04580b36fc34683cad05106c0ea5c337d64c9d1b49d77d8f2d4fa5666f9a0224.exe

"C:\Users\Admin\AppData\Local\Temp\04580b36fc34683cad05106c0ea5c337d64c9d1b49d77d8f2d4fa5666f9a0224.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziHy9891.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziHy9891.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr028981.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr028981.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku881751.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku881751.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4472 -ip 4472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 1500

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr614688.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr614688.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 70.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 205.122.19.2.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziHy9891.exe

MD5 9afcd315555af981b5d94c5022c9f0e7
SHA1 0b43eb191a1510a9c2f55f6a1070b4aef36cbf92
SHA256 cf46255ce446bb3a21c8dc547cac51b35ede38d02844cb5a6fe8061443041ed7
SHA512 d85fe2f8a8f68a213211808e8d497cd71fbad1db7082927a6a9c186ec3db41018184be29ba8d11d12d05843f9ba65c83f73c4a43f9b11c04b0230578f53847f9

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr028981.exe

MD5 582c4c363c7d039a7708443ad94a6dda
SHA1 ff3398d82146f8671be007f5c7cbf1830ee46754
SHA256 67b494f41908f90aecdf67cb0e8280152173e01b0f22527e8b3ae75b507ecc19
SHA512 63d512d48866412bc5a87ba28faa63aaf37c3f4cd78f837f5686174be480702e00773427115ab03c532946bbec82ce21fc1dafe34dcb99dea2384410f030d1d7

memory/2940-14-0x00007FF985A93000-0x00007FF985A95000-memory.dmp

memory/2940-15-0x0000000000D50000-0x0000000000D5A000-memory.dmp

memory/2940-16-0x00007FF985A93000-0x00007FF985A95000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku881751.exe

MD5 d5e743d6729af87fbf81830a92def4fe
SHA1 e713880ca8485fdf49f1746f384c7e25eed5a37c
SHA256 2f837e599a43a8e50bbdc5aa2a5d7fb89a69f147ffae280ebd7a1c2aeecce4c9
SHA512 60f2e6672302388505d0f0ed2cf7db189dc70af3e70ce6e5eaa93749b4ba1a50ec57c58ca8a7f6a889af669c134f21182476cda39e4da2366b780357543fb20b

C:\Windows\Temp\1.exe

MD5 1073b2e7f778788852d3f7bb79929882
SHA1 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256 c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA512 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr614688.exe

MD5 f21d6663134b5a38377f9f5a20d1c28a
SHA1 1b69cd0f79fe0b11a4b3c1b8e2b900e8b4d6b9dc
SHA256 8a8c2028a1162b48ef779861a755d201fb63cc2c4daf89f3ffc04b72ad4e9ce5
SHA512 c32a024b4ca88461fc44ede82e100d7bc57ae2306729b4b6a46b289c8f581d9f6d1b53538b74982ff97ca102e5f3e5dd900827008c7b79fc5f77858e12951073

memory/5632-2129-0x0000000000580000-0x00000000005B0000-memory.dmp

memory/5632-2130-0x0000000000CB0000-0x0000000000CB6000-memory.dmp