Malware Analysis Report

2025-01-23 06:42

Sample ID 241106-2frv3azajc
Target e6367c098dc605d706ba74980f6fd5c66a8dec0346a4ddecd58df06f93f9ee41
SHA256 e6367c098dc605d706ba74980f6fd5c66a8dec0346a4ddecd58df06f93f9ee41
Tags
healer redline dozt norm discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

e6367c098dc605d706ba74980f6fd5c66a8dec0346a4ddecd58df06f93f9ee41

Threat Level: Known bad

The file e6367c098dc605d706ba74980f6fd5c66a8dec0346a4ddecd58df06f93f9ee41 was found to be: Known bad.

Malicious Activity Summary

healer redline dozt norm discovery dropper evasion infostealer persistence trojan

RedLine

RedLine payload

Redline family

Healer family

Modifies Windows Defender Real-time Protection settings

Detects Healer an antivirus disabler dropper

Healer

Checks computer location settings

Windows security modification

Executes dropped EXE

Adds Run key to start application

Program crash

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-06 22:31

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-06 22:31

Reported

2024-11-06 22:34

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e6367c098dc605d706ba74980f6fd5c66a8dec0346a4ddecd58df06f93f9ee41.exe"

Signatures

Detects Healer an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr152066.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr152066.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr152066.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr152066.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr152066.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr152066.exe N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku739333.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr152066.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\e6367c098dc605d706ba74980f6fd5c66a8dec0346a4ddecd58df06f93f9ee41.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitm4525.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr412848.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e6367c098dc605d706ba74980f6fd5c66a8dec0346a4ddecd58df06f93f9ee41.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitm4525.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku739333.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\1.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr152066.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr152066.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr152066.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku739333.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3680 wrote to memory of 3020 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\e6367c098dc605d706ba74980f6fd5c66a8dec0346a4ddecd58df06f93f9ee41.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitm4525.exe
PID 3020 wrote to memory of 5092 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitm4525.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr152066.exe
PID 3020 wrote to memory of 924 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitm4525.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku739333.exe
PID 924 wrote to memory of 4752 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku739333.exe C:\Windows\Temp\1.exe
PID 3680 wrote to memory of 3280 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\e6367c098dc605d706ba74980f6fd5c66a8dec0346a4ddecd58df06f93f9ee41.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr412848.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e6367c098dc605d706ba74980f6fd5c66a8dec0346a4ddecd58df06f93f9ee41.exe

"C:\Users\Admin\AppData\Local\Temp\e6367c098dc605d706ba74980f6fd5c66a8dec0346a4ddecd58df06f93f9ee41.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitm4525.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitm4525.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr152066.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr152066.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku739333.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku739333.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 924 -ip 924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 924 -s 1376

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr412848.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr412848.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 90.16.208.104.in-addr.arpa udp
FI 77.91.124.145:4125 N/A tcp (12 connections)

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitm4525.exe

MD5 d33aa362312528a4d2960a491a4da208
SHA1 17441e065526db9de2a65f1d1037b83f40100606
SHA256 0b08989f7e61e8706faca9944766a47f686218cea124199bc64fcd4cd2c8b712
SHA512 8fdbb779f26e38afa0fdd45f55ad21ef0d286d3bc879fde0a04d3cddf287f3bcf6813b8353edee83da10238a54870287267b32b492131c17e01c27f95d96e0f4

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr152066.exe

MD5 c442d022d30680b56af7267454c3a321
SHA1 d5c00cee96792577ec8bb7311b9b83552f73a388
SHA256 257b3cbfb2dd26704b838c169fc52f5d7ac85c25031f3ad7229fe63e7f2e4e55
SHA512 5ea187c52a04d57a71557abaf421dca273dd6c93d3aaa9de9bc8dfe03bd00a9a08daa39e8542c56ce9e5a79f8986e9094ab1de99f22b229641c0e5c370ce39f2

memory/5092-14-0x00007FFF97FA3000-0x00007FFF97FA5000-memory.dmp

memory/5092-15-0x0000000000110000-0x000000000011A000-memory.dmp

memory/5092-16-0x00007FFF97FA3000-0x00007FFF97FA5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku739333.exe

MD5 cd2b7a7f9a48f23bb35bf76f73c4b665
SHA1 a33756f4efa46fef5eaf671e41913a0001178286
SHA256 64b4d3a95d4efe20958d8eb8782a607305bcd6b3f03fca98091b83d3ecac260b
SHA512 1a0767e168177c4ed53543cb86d1f4d99ef505620fd703e34607eea3e5bb83e616b08322a6722f0adbc90ee2a73453e2b09298de3a8dd07a064defbac477b6a2

C:\Windows\Temp\1.exe

MD5 1073b2e7f778788852d3f7bb79929882
SHA1 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256 c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA512 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

memory/4752-2118-0x0000000000D70000-0x0000000000DA0000-memory.dmp

memory/4752-2119-0x0000000002E40000-0x0000000002E46000-memory.dmp

memory/4752-2120-0x0000000005CB0000-0x00000000062C8000-memory.dmp

memory/4752-2121-0x00000000057C0000-0x00000000058CA000-memory.dmp

memory/4752-2122-0x00000000056F0000-0x0000000005702000-memory.dmp

memory/4752-2123-0x0000000005750000-0x000000000578C000-memory.dmp

memory/4752-2124-0x00000000058D0000-0x000000000591C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr412848.exe

MD5 8b5aceef8dd9d5ce72d8ee6d8d4cfda1
SHA1 c3535872ed98b36cb8b90cf89c229752c7c6e8ea
SHA256 e02eba7435e4c5efcdd5211079032af30791b0dc809bee9bf06dc13be999d01b
SHA512 f6b979a5164539974ee965c926098f01433280a8657e6b855d51d11ae04a1a7133058f3b45f80a5a1d18703afca8c8aaa660d1fc09d052f35b3537a0789ab422

memory/3280-2129-0x0000000000A70000-0x0000000000AA0000-memory.dmp

memory/3280-2130-0x0000000001010000-0x0000000001016000-memory.dmp