Malware Analysis Report

2025-01-23 06:42

Sample ID: 241106-1plvqsydjb
Target: ed6e82d6ac118051e62d6023697de2128cee4f8a774b661eb181a49d1f90422b
SHA256: ed6e82d6ac118051e62d6023697de2128cee4f8a774b661eb181a49d1f90422b
Tags: healer redline dozt norm discovery dropper evasion infostealer persistence trojan
Score: 10/10

Analysis Overview

Score: 10/10
SHA256: ed6e82d6ac118051e62d6023697de2128cee4f8a774b661eb181a49d1f90422b
Threat Level: Known bad

The file ed6e82d6ac118051e62d6023697de2128cee4f8a774b661eb181a49d1f90422b was found to be: Known bad.

Malicious Activity Summary

Healer family

Modifies Windows Defender Real-time Protection settings

Redline family

RedLine payload

Healer

RedLine

Detects Healer an antivirus disabler dropper

Windows security modification

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported: 2024-11-06 21:49

Signatures

Unsigned PE
(no description, indicator, process or target recorded)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-06 21:49
Reported: 2024-11-06 21:52
Platform: win10v2004-20241007-en
Max time kernel: 146s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ed6e82d6ac118051e62d6023697de2128cee4f8a774b661eb181a49d1f90422b.exe"

Signatures

Detects Healer an antivirus disabler dropper
(no description, indicator, process or target recorded)

Healer
Tags: dropper healer

Healer family
Tags: healer

Modifies Windows Defender Real-time Protection settings

Tags: evasion trojan
Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr750561.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"

RedLine
Tags: infostealer redline

RedLine payload
(no description, indicator, process or target recorded)

Redline family
Tags: redline

Checks computer location settings

Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku063336.exe
Key value queried  \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation

Windows security modification

Tags: evasion trojan
Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr750561.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"

Adds Run key to start application

Tags: persistence
Process: C:\Users\Admin\AppData\Local\Temp\ed6e82d6ac118051e62d6023697de2128cee4f8a774b661eb181a49d1f90422b.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziCI1233.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by each of the following processes:
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku063336.exe
C:\Windows\Temp\1.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr542973.exe
C:\Users\Admin\AppData\Local\Temp\ed6e82d6ac118051e62d6023697de2128cee4f8a774b661eb181a49d1f90422b.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziCI1233.exe

Suspicious behavior: EnumeratesProcesses

Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr750561.exe (two events; no indicator recorded)

Suspicious use of AdjustPrivilegeToken

Token: SeDebugPrivilege  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr750561.exe
Token: SeDebugPrivilege  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku063336.exe

Suspicious use of WriteProcessMemory

PID 4504 (C:\Users\Admin\AppData\Local\Temp\ed6e82d6ac118051e62d6023697de2128cee4f8a774b661eb181a49d1f90422b.exe) wrote to memory of PID 708 (C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziCI1233.exe)
PID 708 (C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziCI1233.exe) wrote to memory of PID 1812 (C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr750561.exe)
PID 708 (C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziCI1233.exe) wrote to memory of PID 2332 (C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku063336.exe)
PID 2332 (C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku063336.exe) wrote to memory of PID 1376 (C:\Windows\Temp\1.exe)
PID 4504 (C:\Users\Admin\AppData\Local\Temp\ed6e82d6ac118051e62d6023697de2128cee4f8a774b661eb181a49d1f90422b.exe) wrote to memory of PID 5524 (C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr542973.exe)

Processes

C:\Users\Admin\AppData\Local\Temp\ed6e82d6ac118051e62d6023697de2128cee4f8a774b661eb181a49d1f90422b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ed6e82d6ac118051e62d6023697de2128cee4f8a774b661eb181a49d1f90422b.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziCI1233.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziCI1233.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr750561.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr750561.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku063336.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku063336.exe

C:\Windows\Temp\1.exe
  Command line: "C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2332 -ip 2332

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 1460

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr542973.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr542973.exe

Network

Country  Destination          Domain                        Proto
US       8.8.8.8:53           217.106.137.52.in-addr.arpa   udp
US       8.8.8.8:53           68.32.126.40.in-addr.arpa     udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa   udp
FI       77.91.124.145:4125   -                             tcp  (2 connections)
US       8.8.8.8:53           28.118.140.52.in-addr.arpa    udp
FI       77.91.124.145:4125   -                             tcp  (2 connections)
US       8.8.8.8:53           0.205.248.87.in-addr.arpa     udp
FI       77.91.124.145:4125   -                             tcp  (4 connections)
US       8.8.8.8:53           11.227.111.52.in-addr.arpa    udp
FI       77.91.124.145:4125   -                             tcp  (4 connections)

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziCI1233.exe

MD5: c26db34e16225f634fe512aeea612d1c
SHA1: 4f4dd3a7d99b3b4e69c3f1330a3ca3d2632bb5e3
SHA256: 8937ddc81457d4ee0ef128b6c9283e25d3867ce779d60e32ccb4d5157c3148f7
SHA512: a972474f2d00c538586194b4991202fee89c19b76f5b1b120cf92ab326d4b0831f0da167d7225d9692d4b052f2ea4b171527e75e7ba71205ae73a501d22d7b3c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr750561.exe

MD5: b51c60edf3df3d383453f019f1d7a840
SHA1: cf71b81595ce816d7040d5e4944c4c4810751a17
SHA256: a3437876c3311946ea8f8c365e178d1321b026f80cc773de07539ae10b8389ed
SHA512: fbaf3e36a8d439fdf90f7539269cddf008420c34b998d2f5f4f491b6ab766a0f7ed9801f7b6ea74fd6e8091ba9aacc445bdc58a961e1f0ca91406e18922bcc8f

memory/1812-14-0x00007FF974703000-0x00007FF974705000-memory.dmp

memory/1812-15-0x0000000000930000-0x000000000093A000-memory.dmp

memory/1812-16-0x00007FF974703000-0x00007FF974705000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku063336.exe

MD5: 5b96e94874cdfd3320b92c9fda66de05
SHA1: b76dface935c300d103c89a67233f87c0793a661
SHA256: e7fb62788347f4a445669b10222f3d95c087da25c368adab1e4796d065150db4
SHA512: c71a1dd0a7c6a5f31f7024a6fc16cba59928359f50c280a312500ac9a089db2de2d410374c432f25277578dd31bace7b646a912d6c8e392bcf539fbfded406bd

C:\Windows\Temp\1.exe

MD5: 1073b2e7f778788852d3f7bb79929882
SHA1: 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256: c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA512: 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr542973.exe

MD5: 5b1600ad789a4771f1112c0982359add
SHA1: 2f42ee59f72a4aa1d3f902dccc05b468c436a49b
SHA256: ea3945650cbd6bc27785b7da78f6aa8c258bb9eba88422b8a46adf16495fa495
SHA512: 4bf2108a05926c860b4b6aa896584894005110060c5893c3ceefe47a3022e3dfced15ef876eaeb29c7574a7c85d5b899a26117c89b2dec205787beedf726bbdc

memory/5524-2129-0x0000000000820000-0x0000000000850000-memory.dmp

memory/5524-2130-0x00000000029F0000-0x00000000029F6000-memory.dmp