Malware Analysis Report

2025-01-23 06:00

Sample ID 241106-3dmc8syrgs
Target 199a10d99194447252874e061991d15527be95978bebf2f08549b8323e3cd32a
SHA256 199a10d99194447252874e061991d15527be95978bebf2f08549b8323e3cd32a
Tags
healer redline diro lada discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

199a10d99194447252874e061991d15527be95978bebf2f08549b8323e3cd32a

Threat Level: Known bad

The file 199a10d99194447252874e061991d15527be95978bebf2f08549b8323e3cd32a was found to be: Known bad.

Malicious Activity Summary

healer redline diro lada discovery dropper evasion infostealer persistence trojan

Detects Healer an antivirus disabler dropper

Healer

RedLine

Redline family

Modifies Windows Defender Real-time Protection settings

Healer family

RedLine payload

Checks computer location settings

Windows security modification

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-06 23:23

Signatures

Unsigned PE

(no indicator details recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-06 23:23

Reported

2024-11-06 23:26

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\199a10d99194447252874e061991d15527be95978bebf2f08549b8323e3cd32a.exe"

Signatures

Detects Healer an antivirus disabler dropper

(17 matches listed, no indicator details recorded)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr776495.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr776495.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr776495.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr776495.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr776495.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr776495.exe N/A

RedLine

infostealer redline

RedLine payload

(5 matches listed, no indicator details recorded)

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu876598.exe N/A

Geo\Nation holds the country (GeoID) configured for the user. Reading it is a common locale check used to decide whether to run on a given victim; the report records only the query, not what qu876598.exe did with the result.

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr776495.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr776495.exe N/A
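The two sections above (Modifies Windows Defender Real-time Protection settings, and Windows security modification) record one process, pr776495.exe, switching off five Real-Time Protection policy values and Tamper Protection in a single burst. The following detection logic is an added example written for this page, not part of the sandbox report or of any vendor's rule set: it takes registry SetValue records in Sysmon Event ID 13 field names (TargetObject, Details, Image, an assumption about the log format), folds the kernel-style \REGISTRY\MACHINE and WOW6432Node spellings into one canonical key, and flags only writes whose data actually disables a protection. The sample records are constructed from this report's indicators, plus one constructed benign record (svchost.exe resetting a policy to 0) to show that the value data, not just the key name, decides the match.

```python
import re
from dataclasses import dataclass

# Sandbox output uses the kernel spelling (\REGISTRY\MACHINE\...), Sysmon uses
# HKLM\..., and a 32-bit writer lands under WOW6432Node (pr776495.exe is 32-bit:
# its crash was handled by SysWOW64\WerFault.exe). Fold all spellings into one
# lower-cased canonical form so a single rule covers every variant.
_HIVE_ALIASES = (
    (r"^\\REGISTRY\\MACHINE\\", r"HKLM\\"),
    (r"^HKEY_LOCAL_MACHINE\\", r"HKLM\\"),
)

def normalise_key(path: str) -> str:
    for pattern, repl in _HIVE_ALIASES:
        path = re.sub(pattern, repl, path, flags=re.IGNORECASE)
    path = re.sub(r"\\WOW6432Node\\", r"\\", path, flags=re.IGNORECASE)
    return path.lower()

RTP_KEY = normalise_key(r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection")
FEATURES_KEY = normalise_key(r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features")

# (key, value name) -> DWORD data that turns the protection OFF. The value names
# and data are exactly those written by pr776495.exe in this report; any other
# data (e.g. a policy being reset to 0) is not a finding.
DISABLING_WRITES = {
    (RTP_KEY, "disablerealtimemonitoring"): 1,
    (RTP_KEY, "disablebehaviormonitoring"): 1,
    (RTP_KEY, "disableioavprotection"): 1,
    (RTP_KEY, "disableonaccessprotection"): 1,
    (RTP_KEY, "disablescanonrealtimeenable"): 1,
    (FEATURES_KEY, "tamperprotection"): 0,
}

@dataclass(frozen=True)
class Finding:
    image: str       # process that performed the write
    value_name: str  # lower-cased registry value name
    data: int        # DWORD data written

def parse_dword(details: str):
    """Sysmon renders DWORD data as 'DWORD (0x00000001)'; return int or None."""
    m = re.fullmatch(r"DWORD \(0x([0-9a-fA-F]{1,8})\)", details.strip())
    return int(m.group(1), 16) if m else None

def check_event(event: dict):
    """Return a Finding if this SetValue event disables a Defender protection."""
    if event.get("EventType") != "SetValue":
        return None
    key, _, value_name = normalise_key(event["TargetObject"]).rpartition("\\")
    want = DISABLING_WRITES.get((key, value_name))
    if want is None:
        return None
    data = parse_dword(event["Details"])
    if data != want:
        return None
    return Finding(image=event["Image"], value_name=value_name, data=data)

def scan(events):
    return [f for f in map(check_event, events) if f is not None]

def by_image(findings):
    """Group value names per writing process. One image switching off several
    protections in a burst is the Healer pattern this report shows."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.image, set()).add(f.value_name)
    return grouped

# Sample input, constructed here in Sysmon Event ID 13 field names from the
# indicators listed in this report, plus one benign record for contrast.
HEALER_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr776495.exe"
RTP_PREFIX = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"

def make_event(target, data, image=HEALER_IMAGE):
    return {"EventType": "SetValue", "TargetObject": target,
            "Details": f"DWORD (0x{data:08X})", "Image": image}

SAMPLE_EVENTS = [
    make_event(RTP_PREFIX + r"\DisableScanOnRealtimeEnable", 1),
    make_event(RTP_PREFIX + r"\DisableBehaviorMonitoring", 1),
    make_event(RTP_PREFIX + r"\DisableIOAVProtection", 1),
    make_event(RTP_PREFIX + r"\DisableOnAccessProtection", 1),
    make_event(RTP_PREFIX + r"\DisableRealtimeMonitoring", 1),
    make_event(r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection", 0),
    # constructed benign record: the same policy value being set back to 0
    make_event(r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring", 0,
               image=r"C:\Windows\System32\svchost.exe"),
]

if __name__ == "__main__":
    for image, values in by_image(scan(SAMPLE_EVENTS)).items():
        print(f"{image}: {sorted(values)}")
```

Two caveats when using this on real telemetry. First, the report records the write attempts only; nothing in it shows whether Defender honoured them, and on a host with Tamper Protection enforced these are exactly the settings it refuses. Second, the Policies values are the same ones a Group Policy-managed host, or a machine running a third-party antivirus, sets legitimately, so alert on the combination of writing image (here a freshly dropped executable in an IXP002.TMP directory) and burst of values, not on a single value alone.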

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un661698.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\199a10d99194447252874e061991d15527be95978bebf2f08549b8323e3cd32a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un348814.exe N/A

All three values are RunOnce entries named wextract_cleanupN whose command, rundll32.exe advpack.dll,DelNodeRunDLL32 "<IXP00N.TMP>", deletes the named extraction directory at the next logon. This is the standard cleanup registered by the Windows Wextract (IExpress) self-extractor stub, and the sequence 0/1/2 shows three nested self-extracting layers (IXP000.TMP, IXP001.TMP, IXP002.TMP). The entries remove dropped files rather than re-launch a payload, so they are evidence of the packaging, not of payload persistence.

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\199a10d99194447252874e061991d15527be95978bebf2f08549b8323e3cd32a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un348814.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un661698.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr776495.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu876598.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk404908.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr776495.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr776495.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr776495.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu876598.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3668 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\199a10d99194447252874e061991d15527be95978bebf2f08549b8323e3cd32a.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un348814.exe
PID 3668 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\199a10d99194447252874e061991d15527be95978bebf2f08549b8323e3cd32a.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un348814.exe
PID 3668 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\199a10d99194447252874e061991d15527be95978bebf2f08549b8323e3cd32a.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un348814.exe
PID 4940 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un348814.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un661698.exe
PID 4940 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un348814.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un661698.exe
PID 4940 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un348814.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un661698.exe
PID 324 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un661698.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr776495.exe
PID 324 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un661698.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr776495.exe
PID 324 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un661698.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr776495.exe
PID 324 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un661698.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu876598.exe
PID 324 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un661698.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu876598.exe
PID 324 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un661698.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu876598.exe
PID 2212 wrote to memory of 5464 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu876598.exe C:\Windows\Temp\1.exe
PID 2212 wrote to memory of 5464 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu876598.exe C:\Windows\Temp\1.exe
PID 2212 wrote to memory of 5464 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu876598.exe C:\Windows\Temp\1.exe
PID 4940 wrote to memory of 5148 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un348814.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk404908.exe
PID 4940 wrote to memory of 5148 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un348814.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk404908.exe
PID 4940 wrote to memory of 5148 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un348814.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk404908.exe

Processes

C:\Users\Admin\AppData\Local\Temp\199a10d99194447252874e061991d15527be95978bebf2f08549b8323e3cd32a.exe

"C:\Users\Admin\AppData\Local\Temp\199a10d99194447252874e061991d15527be95978bebf2f08549b8323e3cd32a.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un348814.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un348814.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un661698.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un661698.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr776495.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr776495.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2676 -ip 2676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu876598.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu876598.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2212 -ip 2212

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 1388

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk404908.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk404908.exe
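The Processes list above is flat, and the parent/child relationships are only visible indirectly in the WriteProcessMemory table (each parent writes into the child it has just launched) and in the WerFault command lines (-p names the crashing pid). The script below is an added example for this page, not part of the sandbox output: it parses those report lines, de-duplicates the triplicated write events, and prints the execution tree with the two crashed processes marked. It assumes that each writer/target pair is a parent/child launch, which is consistent with the Executes dropped EXE summary and the Processes list but is not stated by the report itself. The input lines are copied from this report's behavioral1 tables.

```python
import re

# One line per parent->child write, as printed in this report's
# "Suspicious use of WriteProcessMemory" table.
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)")
# WerFault command lines name the crashing process with -p <pid>.
WERFAULT_RE = re.compile(r"WerFault\.exe\b.*?\s-p (\d+)")

def parse_report(lines):
    """Return (pid -> image path, parent pid -> [child pids], crashed pids)."""
    image, children, crashed = {}, {}, set()
    for line in lines:
        m = WRITE_RE.search(line)
        if m:
            parent, child = int(m.group(1)), int(m.group(2))
            image.setdefault(parent, m.group(3))
            image.setdefault(child, m.group(4))
            siblings = children.setdefault(parent, [])
            if child not in siblings:   # the report repeats each write three times
                siblings.append(child)
            continue
        m = WERFAULT_RE.search(line)
        if m:
            crashed.add(int(m.group(1)))
    return image, children, crashed

def roots(image, children):
    """Processes nobody wrote into: the original sample(s)."""
    spawned = {c for cs in children.values() for c in cs}
    return [pid for pid in image if pid not in spawned]

def basename(path):
    return path.rsplit("\\", 1)[-1]

def render_tree(image, children, crashed, pid, depth=0):
    """Indented text tree, one line per process, crashed ones marked."""
    mark = "  [crashed -> WerFault]" if pid in crashed else ""
    out = [f"{'    ' * depth}{basename(image[pid])} (pid {pid}){mark}"]
    for child in children.get(pid, []):
        out.extend(render_tree(image, children, crashed, child, depth + 1))
    return out

def lineage(image, children, pid):
    """Image basenames from the root down to pid."""
    parent_of = {c: p for p, cs in children.items() for c in cs}
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return [basename(image[p]) for p in reversed(chain)]

# Lines copied from this report (write events and WerFault command lines); the
# first event is kept in triplicate, as printed, to show the de-duplication.
FIRST_WRITE = r"PID 3668 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\199a10d99194447252874e061991d15527be95978bebf2f08549b8323e3cd32a.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un348814.exe"
REPORT_LINES = [FIRST_WRITE] * 3 + [
    r"PID 4940 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un348814.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un661698.exe",
    r"PID 324 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un661698.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr776495.exe",
    r"PID 324 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un661698.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu876598.exe",
    r"PID 2212 wrote to memory of 5464 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu876598.exe C:\Windows\Temp\1.exe",
    r"PID 4940 wrote to memory of 5148 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un348814.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk404908.exe",
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2676 -ip 2676",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 1080",
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2212 -ip 2212",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 1388",
]

if __name__ == "__main__":
    image, children, crashed = parse_report(REPORT_LINES)
    for root in roots(image, children):
        print("\n".join(render_tree(image, children, crashed, root)))
```

Run stand-alone it prints the chain sample -> un348814.exe -> un661698.exe -> {pr776495.exe, qu876598.exe -> 1.exe}, with rk404908.exe as a second child of un348814.exe; pr776495.exe (the Defender modifier) and qu876598.exe are the two processes WerFault handled, which matches the Program crash entry in the summary. The same parser can be pointed at any sandbox text export that uses this line format.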

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.161.248.90:4125 - tcp
RU 185.161.248.90:4125 - tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
RU 185.161.248.90:4125 - tcp
RU 185.161.248.90:4125 - tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
RU 185.161.248.90:4125 - tcp
RU 185.161.248.90:4125 - tcp
US 8.8.8.8:53 67.209.201.84.in-addr.arpa udp
RU 185.161.248.90:4125 - tcp
RU 185.161.248.90:4125 - tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
RU 185.161.248.90:4125 - tcp
RU 185.161.248.90:4125 - tcp
RU 185.161.248.90:4125 - tcp
RU 185.161.248.90:4125 - tcp

The in-addr.arpa names are reverse (PTR) lookups sent to the resolver 8.8.8.8. The only non-DNS traffic recorded is the repeated TCP connections to 185.161.248.90:4125 (RU); the report does not attribute them to a specific process.

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un348814.exe

MD5 e4ef7dfd93dea32928ebeba3b2ce7bb9
SHA1 d898e18016487c44de13e376fc2a03ba52500c7f
SHA256 fb984c3ea9bd73a5492cfb5f8cbe96efab00cccf05ff14339dc369c9d44cc6ad
SHA512 4eb41fbd9954e6323ebf1d0cb4e5b47909018a926fac6d513beb6e45ad0880c82b1d5632e304b795165363e4a1d363cbfe42811f5a7f7e9feeb8f21ddb034685

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un661698.exe

MD5 b1b17e50a2f82d03df9e21458a3b38bd
SHA1 e784a0d759645adc7c2200f21a23e992797318b3
SHA256 9f7947645dd14d4830abc380934766586345dc6503bf0d3070aea01cd17b1ade
SHA512 b0884ccf4d2acfbe3b78d97a1b151d6ea8fff8d231da322c19a99c228a63fc3ddd17e7c07cb90ccbfaccae93757b8beb36153f9b3b59db37e4ce61360003da0b

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr776495.exe

MD5 e985998f41151beecdc63faae3fb48a6
SHA1 b5ddb794e981d65ea24b971460ad5ae6829bc425
SHA256 d2533596ac5658440b3e57d5ae6b53b6a8a5f016203b9e582fadca9347b7dbbe
SHA512 cd82da593e5b90ce2c174ba3a3d9cee5c9539e0c37235d802e5c75efd4362190296f73ee30a1a93e514e11d964e2c283cb51964aa96f668adb7f01049dcacb38

memory/2676-22-0x00000000007B0000-0x00000000008B0000-memory.dmp

memory/2676-23-0x00000000023C0000-0x00000000023DA000-memory.dmp

memory/2676-24-0x0000000004A90000-0x0000000005034000-memory.dmp

memory/2676-25-0x0000000004A60000-0x0000000004A78000-memory.dmp

memory/2676-29-0x0000000004A60000-0x0000000004A72000-memory.dmp

memory/2676-53-0x0000000004A60000-0x0000000004A72000-memory.dmp

memory/2676-51-0x0000000004A60000-0x0000000004A72000-memory.dmp

memory/2676-49-0x0000000004A60000-0x0000000004A72000-memory.dmp

memory/2676-47-0x0000000004A60000-0x0000000004A72000-memory.dmp

memory/2676-45-0x0000000004A60000-0x0000000004A72000-memory.dmp

memory/2676-43-0x0000000004A60000-0x0000000004A72000-memory.dmp

memory/2676-42-0x0000000004A60000-0x0000000004A72000-memory.dmp

memory/2676-39-0x0000000004A60000-0x0000000004A72000-memory.dmp

memory/2676-37-0x0000000004A60000-0x0000000004A72000-memory.dmp

memory/2676-35-0x0000000004A60000-0x0000000004A72000-memory.dmp

memory/2676-33-0x0000000004A60000-0x0000000004A72000-memory.dmp

memory/2676-31-0x0000000004A60000-0x0000000004A72000-memory.dmp

memory/2676-26-0x0000000004A60000-0x0000000004A72000-memory.dmp

memory/2676-27-0x0000000004A60000-0x0000000004A72000-memory.dmp

memory/2676-54-0x0000000000400000-0x00000000004BE000-memory.dmp

memory/2676-55-0x00000000007B0000-0x00000000008B0000-memory.dmp

memory/2676-57-0x0000000000400000-0x00000000004BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu876598.exe

MD5 0f124e24fe73195dd107aab785488ca9
SHA1 22d33378786cca1d90b5f49358fb93156cb52a45
SHA256 77fe098332cb95ab56650e8512439805bcad3d2863a519369c4c5b1e5ff78cb6
SHA512 d2351dc6355f4d6cf3290c2c84ba2560a5df289cdb28bd410af1edbeb7cf6423e1fa8354e8e65336daec0bec74624f323b4f13ab5eed2c95b77189ba119343e9

memory/2212-62-0x00000000025E0000-0x0000000002648000-memory.dmp

memory/2212-63-0x0000000005230000-0x0000000005296000-memory.dmp

memory/2212-73-0x0000000005230000-0x0000000005290000-memory.dmp

memory/2212-79-0x0000000005230000-0x0000000005290000-memory.dmp

memory/2212-97-0x0000000005230000-0x0000000005290000-memory.dmp

memory/2212-93-0x0000000005230000-0x0000000005290000-memory.dmp

memory/2212-91-0x0000000005230000-0x0000000005290000-memory.dmp

memory/2212-89-0x0000000005230000-0x0000000005290000-memory.dmp

memory/2212-87-0x0000000005230000-0x0000000005290000-memory.dmp

memory/2212-85-0x0000000005230000-0x0000000005290000-memory.dmp

memory/2212-83-0x0000000005230000-0x0000000005290000-memory.dmp

memory/2212-81-0x0000000005230000-0x0000000005290000-memory.dmp

memory/2212-77-0x0000000005230000-0x0000000005290000-memory.dmp

memory/2212-75-0x0000000005230000-0x0000000005290000-memory.dmp

memory/2212-71-0x0000000005230000-0x0000000005290000-memory.dmp

memory/2212-69-0x0000000005230000-0x0000000005290000-memory.dmp

memory/2212-95-0x0000000005230000-0x0000000005290000-memory.dmp

memory/2212-67-0x0000000005230000-0x0000000005290000-memory.dmp

memory/2212-65-0x0000000005230000-0x0000000005290000-memory.dmp

memory/2212-64-0x0000000005230000-0x0000000005290000-memory.dmp

memory/2212-2206-0x0000000005420000-0x0000000005452000-memory.dmp

C:\Windows\Temp\1.exe

MD5 03728fed675bcde5256342183b1d6f27
SHA1 d13eace7d3d92f93756504b274777cc269b222a2
SHA256 f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0
SHA512 6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

memory/5464-2219-0x0000000000CC0000-0x0000000000CEE000-memory.dmp

memory/5464-2220-0x00000000055E0000-0x00000000055E6000-memory.dmp

memory/5464-2221-0x0000000005CB0000-0x00000000062C8000-memory.dmp

memory/5464-2222-0x00000000057A0000-0x00000000058AA000-memory.dmp

memory/5464-2223-0x0000000005630000-0x0000000005642000-memory.dmp

memory/5464-2224-0x00000000056D0000-0x000000000570C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk404908.exe

MD5 8abb261bd0e7255e98af2fdcc12caa64
SHA1 880211c94ad958f54123bf8e38bf536e37448af8
SHA256 43398a966aeef51c58f3520b0b4ae432ccb3e96641b59fcb1e3522739520701d
SHA512 9d512eeb75ae89e32963d6b1ceb129d8274de4bc1d3950c6041d8da6e931c0eb0652d9770c95b528abbfb5d8b34cf9b71ff8380007284429eae143cdea61a2c4

memory/5464-2229-0x0000000005710000-0x000000000575C000-memory.dmp

memory/5148-2230-0x0000000000170000-0x00000000001A0000-memory.dmp

memory/5148-2231-0x0000000002380000-0x0000000002386000-memory.dmp