Malware Analysis Report

2025-01-23 07:04

Sample ID 241106-24z7cazekd
Target e57823a14702f9bbd71b0799d58dfa0bbd3f7a27c9343fefaa8ce4ae29f2b6d5
SHA256 e57823a14702f9bbd71b0799d58dfa0bbd3f7a27c9343fefaa8ce4ae29f2b6d5
Tags
healer redline dozt norm discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e57823a14702f9bbd71b0799d58dfa0bbd3f7a27c9343fefaa8ce4ae29f2b6d5

Threat Level: Known bad

The file e57823a14702f9bbd71b0799d58dfa0bbd3f7a27c9343fefaa8ce4ae29f2b6d5 was found to be: Known bad.

Malicious Activity Summary

Healer

Modifies Windows Defender Real-time Protection settings

Redline family

Detects Healer, an antivirus disabler dropper

Healer family

RedLine payload

RedLine

Executes dropped EXE

Checks computer location settings

Windows security modification

Adds Run key to start application

Launches sc.exe

Program crash

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-06 23:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-06 23:08

Reported

2024-11-06 23:11

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e57823a14702f9bbd71b0799d58dfa0bbd3f7a27c9343fefaa8ce4ae29f2b6d5.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr888155.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr888155.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr888155.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr888155.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr888155.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr888155.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku936354.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr888155.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNc3477.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\e57823a14702f9bbd71b0799d58dfa0bbd3f7a27c9343fefaa8ce4ae29f2b6d5.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e57823a14702f9bbd71b0799d58dfa0bbd3f7a27c9343fefaa8ce4ae29f2b6d5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNc3477.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku936354.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr939191.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr888155.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr888155.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr888155.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku936354.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 448 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\e57823a14702f9bbd71b0799d58dfa0bbd3f7a27c9343fefaa8ce4ae29f2b6d5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNc3477.exe
PID 448 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\e57823a14702f9bbd71b0799d58dfa0bbd3f7a27c9343fefaa8ce4ae29f2b6d5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNc3477.exe
PID 448 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\e57823a14702f9bbd71b0799d58dfa0bbd3f7a27c9343fefaa8ce4ae29f2b6d5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNc3477.exe
PID 3872 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNc3477.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr888155.exe
PID 3872 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNc3477.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr888155.exe
PID 3872 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNc3477.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku936354.exe
PID 3872 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNc3477.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku936354.exe
PID 3872 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNc3477.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku936354.exe
PID 1128 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku936354.exe C:\Windows\Temp\1.exe
PID 1128 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku936354.exe C:\Windows\Temp\1.exe
PID 1128 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku936354.exe C:\Windows\Temp\1.exe
PID 448 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\e57823a14702f9bbd71b0799d58dfa0bbd3f7a27c9343fefaa8ce4ae29f2b6d5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr939191.exe
PID 448 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\e57823a14702f9bbd71b0799d58dfa0bbd3f7a27c9343fefaa8ce4ae29f2b6d5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr939191.exe
PID 448 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\e57823a14702f9bbd71b0799d58dfa0bbd3f7a27c9343fefaa8ce4ae29f2b6d5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr939191.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e57823a14702f9bbd71b0799d58dfa0bbd3f7a27c9343fefaa8ce4ae29f2b6d5.exe

"C:\Users\Admin\AppData\Local\Temp\e57823a14702f9bbd71b0799d58dfa0bbd3f7a27c9343fefaa8ce4ae29f2b6d5.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNc3477.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNc3477.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr888155.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr888155.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku936354.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku936354.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1128 -ip 1128

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 248

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr939191.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr939191.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNc3477.exe

MD5 bf19a49fadb23becb56c42ec2c78a617
SHA1 2588d2e12762fcefba6aa88e52eecfb5b68ee741
SHA256 1d3eca2e81269d6fad71c74bfe639822e1e5a69fd955f9360962426f6111ff22
SHA512 7dbb1cb1ef40bbc51737bf7bd8b89bca4c38e74228af99312194d20e0fd81e3d708bc2ded1e2ea123449ad7a51d72f72b083bfb7f4a3f0cabc60dbf5c07c5e96

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr888155.exe

MD5 20d384919e8f2c33f39dc67eacdec88f
SHA1 7f750a5d9938f289514a1c8ac1c26ae46e6cf2ff
SHA256 448e5fa0e571c7e022f763cd84369d657f6412b16b45f817d139bdfc25777f25
SHA512 cd175101003366c0d980a3f0e886dac5efd6aec6e5fc78997d8cba98c713141ed8471053b9aa5991e4b240ff80334cf046f73cab4ab9a73462ef8535e7648523

memory/428-14-0x00007FFCD8FC3000-0x00007FFCD8FC5000-memory.dmp

memory/428-15-0x0000000000850000-0x000000000085A000-memory.dmp

memory/428-16-0x00007FFCD8FC3000-0x00007FFCD8FC5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku936354.exe

MD5 971be1b8811be10af38360b3acf53340
SHA1 a8a8bbf2e490a1a3c69b85477d47b99c624451c4
SHA256 58b066d67afcc474035333c90f2d790efac9d7b5990b03e2f5bd86ef1263fafc
SHA512 ed9d288761fe0686309c44ef44f1bd358227d23aba42f2b5fe97370e19b7265b69686a33b9bcdb2458568603c5d2f7d47084437742b7215f811c428050e79989

C:\Windows\Temp\1.exe

MD5 1073b2e7f778788852d3f7bb79929882
SHA1 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256 c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA512 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

memory/2216-2118-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2216-2119-0x00000000026C0000-0x00000000026C6000-memory.dmp

memory/2216-2120-0x0000000005440000-0x0000000005A58000-memory.dmp

memory/2216-2121-0x0000000004F30000-0x000000000503A000-memory.dmp

memory/2216-2122-0x0000000002730000-0x0000000002742000-memory.dmp

memory/2216-2123-0x0000000002790000-0x00000000027CC000-memory.dmp

memory/2216-2124-0x0000000004E30000-0x0000000004E7C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr939191.exe

MD5 45071787040ad8390d7c4f547fedab16
SHA1 151c351cf252d89f3dafd96f41418fac52944869
SHA256 cea5c1cdd735a9ef66d26917038096aec6148eb3996f81031f5a2dc61b9cda91
SHA512 36e9ee9fb23c5db660ebd01ab3aaa3590aa0fa6340c8572cdce3c53949915bad830ad1adea96284ac776d026f19ef680b17bbab29c7680b182c94c249d25bdf6

memory/2480-2129-0x0000000000A10000-0x0000000000A40000-memory.dmp

memory/2480-2130-0x0000000002B50000-0x0000000002B56000-memory.dmp