Malware Analysis Report

2025-01-23 07:45

Sample ID 241106-2qch5azepp
Target 119ddebca543ae4b8e4356085e06ca25eaf5c17bf9a36f6b75ead0f184a388c6
SHA256 119ddebca543ae4b8e4356085e06ca25eaf5c17bf9a36f6b75ead0f184a388c6
Tags
healer redline fukia discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

119ddebca543ae4b8e4356085e06ca25eaf5c17bf9a36f6b75ead0f184a388c6

Threat Level: Known bad

The file 119ddebca543ae4b8e4356085e06ca25eaf5c17bf9a36f6b75ead0f184a388c6 was found to be: Known bad.

Malicious Activity Summary

healer redline fukia discovery dropper evasion infostealer persistence trojan

RedLine payload

Detects Healer an antivirus disabler dropper

Healer

RedLine

Healer family

Redline family

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-06 22:46

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-06 22:46

Reported

2024-11-06 22:49

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\119ddebca543ae4b8e4356085e06ca25eaf5c17bf9a36f6b75ead0f184a388c6.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bvQ18Bn.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bvQ18Bn.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bvQ18Bn.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bvQ18Bn.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bvQ18Bn.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bvQ18Bn.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Redline family

redline

Windows security modification

evasion trojan

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bvQ18Bn.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bvQ18Bn.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\119ddebca543ae4b8e4356085e06ca25eaf5c17bf9a36f6b75ead0f184a388c6.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nOM62kp.exe | N/A

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nOM62kp.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bvQ18Bn.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dNW03ve.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\119ddebca543ae4b8e4356085e06ca25eaf5c17bf9a36f6b75ead0f184a388c6.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bvQ18Bn.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bvQ18Bn.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bvQ18Bn.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4836 wrote to memory of 2416 | N/A | C:\Users\Admin\AppData\Local\Temp\119ddebca543ae4b8e4356085e06ca25eaf5c17bf9a36f6b75ead0f184a388c6.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nOM62kp.exe
PID 4836 wrote to memory of 2416 | N/A | C:\Users\Admin\AppData\Local\Temp\119ddebca543ae4b8e4356085e06ca25eaf5c17bf9a36f6b75ead0f184a388c6.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nOM62kp.exe
PID 4836 wrote to memory of 2416 | N/A | C:\Users\Admin\AppData\Local\Temp\119ddebca543ae4b8e4356085e06ca25eaf5c17bf9a36f6b75ead0f184a388c6.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nOM62kp.exe
PID 2416 wrote to memory of 3292 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nOM62kp.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bvQ18Bn.exe
PID 2416 wrote to memory of 3292 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nOM62kp.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bvQ18Bn.exe
PID 2416 wrote to memory of 3292 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nOM62kp.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bvQ18Bn.exe
PID 2416 wrote to memory of 2248 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nOM62kp.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dNW03ve.exe
PID 2416 wrote to memory of 2248 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nOM62kp.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dNW03ve.exe
PID 2416 wrote to memory of 2248 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nOM62kp.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dNW03ve.exe

Processes

C:\Users\Admin\AppData\Local\Temp\119ddebca543ae4b8e4356085e06ca25eaf5c17bf9a36f6b75ead0f184a388c6.exe

"C:\Users\Admin\AppData\Local\Temp\119ddebca543ae4b8e4356085e06ca25eaf5c17bf9a36f6b75ead0f184a388c6.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nOM62kp.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nOM62kp.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bvQ18Bn.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bvQ18Bn.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3292 -ip 3292

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dNW03ve.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dNW03ve.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
RU | 193.233.20.13:4136 | N/A | tcp
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
RU | 193.233.20.13:4136 | N/A | tcp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
RU | 193.233.20.13:4136 | N/A | tcp
RU | 193.233.20.13:4136 | N/A | tcp
RU | 193.233.20.13:4136 | N/A | tcp
RU | 193.233.20.13:4136 | N/A | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nOM62kp.exe

MD5 1fcec05d754e276a0b961b1cd000deb0
SHA1 d57d3fb2bd84b645674812d7e9dd3f1cf43d6a5a
SHA256 eeaadb84722c6b0407f3c9fd4bc77f802e9eed18096934b035263725b1cea2a1
SHA512 c10968ba8516e15910756b086fff40e0c06d5a99372b7ca23d29c4fa8ed845cce023523eaf3c6936b558d1e42abc1f100ac80ae397c96e24894b65b09388bd09

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bvQ18Bn.exe

MD5 462c4ee3ed98352a8e3f5b8b1b71dfac
SHA1 53e7780c3e7fe6e8fe288bde903d0774210308cf
SHA256 6215b8732177d0f5efec6b7e798416a29a67833258ff60860b79eb618d3808d1
SHA512 a0a828bbe9f604d66e83be73f6702cd0601adf01115ff1b7497be32d68dad2ae7c199a43ec0fb2f603dd63012a64a35719b9dfaa2e37e2296ef644219fa77989

memory/3292-15-0x0000000000890000-0x0000000000990000-memory.dmp

memory/3292-16-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3292-17-0x0000000000400000-0x0000000000754000-memory.dmp

memory/3292-18-0x0000000000400000-0x0000000000754000-memory.dmp

memory/3292-19-0x0000000002580000-0x000000000259A000-memory.dmp

memory/3292-20-0x0000000004E80000-0x0000000005424000-memory.dmp

memory/3292-21-0x00000000028A0000-0x00000000028B8000-memory.dmp

memory/3292-43-0x00000000028A0000-0x00000000028B2000-memory.dmp

memory/3292-49-0x00000000028A0000-0x00000000028B2000-memory.dmp

memory/3292-47-0x00000000028A0000-0x00000000028B2000-memory.dmp

memory/3292-45-0x00000000028A0000-0x00000000028B2000-memory.dmp

memory/3292-41-0x00000000028A0000-0x00000000028B2000-memory.dmp

memory/3292-39-0x00000000028A0000-0x00000000028B2000-memory.dmp

memory/3292-37-0x00000000028A0000-0x00000000028B2000-memory.dmp

memory/3292-35-0x00000000028A0000-0x00000000028B2000-memory.dmp

memory/3292-33-0x00000000028A0000-0x00000000028B2000-memory.dmp

memory/3292-31-0x00000000028A0000-0x00000000028B2000-memory.dmp

memory/3292-29-0x00000000028A0000-0x00000000028B2000-memory.dmp

memory/3292-27-0x00000000028A0000-0x00000000028B2000-memory.dmp

memory/3292-25-0x00000000028A0000-0x00000000028B2000-memory.dmp

memory/3292-23-0x00000000028A0000-0x00000000028B2000-memory.dmp

memory/3292-22-0x00000000028A0000-0x00000000028B2000-memory.dmp

memory/3292-50-0x0000000000890000-0x0000000000990000-memory.dmp

memory/3292-51-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3292-54-0x0000000000400000-0x0000000000754000-memory.dmp

memory/3292-55-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dNW03ve.exe

MD5 a5f5c5d6291c7ae9e1d1b7ed1e551490
SHA1 3d06413341893b838549939e15f8f1eec423d71a
SHA256 1a09ce1cb64219a5d88e57845dc9ba6631efa06fccc8867ccf94eb132947563e
SHA512 d9b3ba67bdd615ee2ce91a29cd9cf6723464be27bf45186fd0e9559ff2b0e7c51b423cfc3e32b5e90955046fb75a34c4a8528df7294b6c831ca254a65d2b8ba2

memory/2248-59-0x0000000000F40000-0x0000000000F72000-memory.dmp

memory/2248-60-0x0000000005D80000-0x0000000006398000-memory.dmp

memory/2248-61-0x00000000058E0000-0x00000000059EA000-memory.dmp

memory/2248-62-0x0000000005820000-0x0000000005832000-memory.dmp

memory/2248-63-0x0000000005880000-0x00000000058BC000-memory.dmp

memory/2248-64-0x00000000059F0000-0x0000000005A3C000-memory.dmp