Malware Analysis Report

2025-01-23 07:04

Sample ID 241106-kjjv7awlht
Target a221bb10c86612db062181a5e19b3267ac5daec86dc95ab4f729383f2bd60085
SHA256 a221bb10c86612db062181a5e19b3267ac5daec86dc95ab4f729383f2bd60085
Tags
healer redline dozt norm discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

a221bb10c86612db062181a5e19b3267ac5daec86dc95ab4f729383f2bd60085

Threat Level: Known bad

The file a221bb10c86612db062181a5e19b3267ac5daec86dc95ab4f729383f2bd60085 was found to be: Known bad.

Malicious Activity Summary

healer redline dozt norm discovery dropper evasion infostealer persistence trojan

Redline family

RedLine

RedLine payload

Healer family

Modifies Windows Defender Real-time Protection settings

Healer

Detects Healer an antivirus disabler dropper

Executes dropped EXE

Checks computer location settings

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-06 08:37

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-06 08:37

Reported

2024-11-06 08:40

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a221bb10c86612db062181a5e19b3267ac5daec86dc95ab4f729383f2bd60085.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr981526.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr981526.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr981526.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr981526.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr981526.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr981526.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Redline family

redline

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku889207.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr981526.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\a221bb10c86612db062181a5e19b3267ac5daec86dc95ab4f729383f2bd60085.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibW1852.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a221bb10c86612db062181a5e19b3267ac5daec86dc95ab4f729383f2bd60085.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibW1852.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku889207.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\1.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr412334.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr981526.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr981526.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr981526.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku889207.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3580 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Local\Temp\a221bb10c86612db062181a5e19b3267ac5daec86dc95ab4f729383f2bd60085.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibW1852.exe
PID 3580 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Local\Temp\a221bb10c86612db062181a5e19b3267ac5daec86dc95ab4f729383f2bd60085.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibW1852.exe
PID 3580 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Local\Temp\a221bb10c86612db062181a5e19b3267ac5daec86dc95ab4f729383f2bd60085.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibW1852.exe
PID 2396 wrote to memory of 2576 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibW1852.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr981526.exe
PID 2396 wrote to memory of 2576 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibW1852.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr981526.exe
PID 2396 wrote to memory of 3364 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibW1852.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku889207.exe
PID 2396 wrote to memory of 3364 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibW1852.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku889207.exe
PID 2396 wrote to memory of 3364 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibW1852.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku889207.exe
PID 3364 wrote to memory of 5500 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku889207.exe | C:\Windows\Temp\1.exe
PID 3364 wrote to memory of 5500 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku889207.exe | C:\Windows\Temp\1.exe
PID 3364 wrote to memory of 5500 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku889207.exe | C:\Windows\Temp\1.exe
PID 3580 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\a221bb10c86612db062181a5e19b3267ac5daec86dc95ab4f729383f2bd60085.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr412334.exe
PID 3580 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\a221bb10c86612db062181a5e19b3267ac5daec86dc95ab4f729383f2bd60085.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr412334.exe
PID 3580 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\a221bb10c86612db062181a5e19b3267ac5daec86dc95ab4f729383f2bd60085.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr412334.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a221bb10c86612db062181a5e19b3267ac5daec86dc95ab4f729383f2bd60085.exe

"C:\Users\Admin\AppData\Local\Temp\a221bb10c86612db062181a5e19b3267ac5daec86dc95ab4f729383f2bd60085.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibW1852.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibW1852.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr981526.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr981526.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku889207.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku889207.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3364 -ip 3364

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 1464

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr412334.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr412334.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibW1852.exe

MD5 bf5a07928be9b50c347d3ec7db56c88b
SHA1 8d27ba0961e1db1d21c5bc77a8ce6987e99111d2
SHA256 91293149a87a606abbfb989896999217b768abfbc8d6ee16a4ff8e0975d68753
SHA512 2c616c315ec519df19e18fd2ec564272e7f711205adad1153e438bb230dc5dff91881202347cc9d379604eea68caf3763f013a9162b1e9c7cd455ca95e494e64

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr981526.exe

MD5 7baef4c14b89887186e826964348c5c6
SHA1 24a50ffa4fd563c5ecee210ec4dbb842e5680e7a
SHA256 9a071223e1c784bc3448d37e46ba1ce5b59ee054512cdd4fc7b6c98da26dd8fa
SHA512 e4a2055adf3ba505990c6a61784633d5a423937fb48216daa79e9c89052a4f3bd24f15922f3b03ae4652af641e7a096c835fa99e50c85689f444b51b0e6a3551

memory/2576-14-0x00007FF9748C3000-0x00007FF9748C5000-memory.dmp

memory/2576-15-0x0000000000EC0000-0x0000000000ECA000-memory.dmp

memory/2576-16-0x00007FF9748C3000-0x00007FF9748C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku889207.exe

MD5 dd23609fd8d30313c97ff94c0f85e602
SHA1 edaac4b03ea715066839c85cab303fce4b7fda70
SHA256 51a25e5893a13e8c71f4e86147b7907fbda8fbb3e0a4ef45648c52e7d604759e
SHA512 7894c0824f69124435375add8c48d9c976f0199cdf37d0d22edb46bab66892ca4b63d43c96742c5fc03045943ea7711905c7ab9bd65ae40d9d4385bdf3833d28

memory/3364-22-0x00000000024E0000-0x0000000002546000-memory.dmp

memory/3364-23-0x0000000004C10000-0x00000000051B4000-memory.dmp

memory/3364-24-0x00000000051C0000-0x0000000005226000-memory.dmp

memory/3364-26-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3364-40-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3364-88-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3364-86-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3364-84-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3364-80-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3364-78-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3364-76-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3364-72-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3364-70-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3364-68-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3364-66-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3364-64-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3364-62-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3364-60-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3364-58-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3364-56-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3364-54-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3364-52-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3364-50-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3364-46-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3364-44-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3364-42-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3364-38-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3364-36-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3364-34-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3364-32-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3364-30-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3364-28-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3364-82-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3364-74-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3364-48-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3364-25-0x00000000051C0000-0x000000000521F000-memory.dmp

memory/3364-2105-0x0000000005400000-0x0000000005432000-memory.dmp

C:\Windows\Temp\1.exe

MD5 1073b2e7f778788852d3f7bb79929882
SHA1 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256 c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA512 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

memory/5500-2118-0x0000000000310000-0x0000000000340000-memory.dmp

memory/5500-2119-0x0000000004AF0000-0x0000000004AF6000-memory.dmp

memory/5500-2120-0x00000000052B0000-0x00000000058C8000-memory.dmp

memory/5500-2121-0x0000000004DA0000-0x0000000004EAA000-memory.dmp

memory/5500-2122-0x0000000004C90000-0x0000000004CA2000-memory.dmp

memory/5500-2123-0x0000000004CF0000-0x0000000004D2C000-memory.dmp

memory/5500-2124-0x0000000004D40000-0x0000000004D8C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr412334.exe

MD5 bcb94f7241b1f7fd9c6b91a062bb8ca5
SHA1 72b5deb8c10c12f81cf2cbc93ddb6d405918381e
SHA256 fa6168d79bf59f430e13b59f19f4faabb7b6ce2cf692f3c8cac858e57e80e913
SHA512 feb182ed5a0ade5ffd5ccf77e448bf4ce38124013fc8cd955739bd041b32a5c5e966488229ececdde5d0db1ade27740327f87f4e8dbb52c06c46cfbe51b6b9c4

memory/2648-2129-0x0000000000F60000-0x0000000000F90000-memory.dmp

memory/2648-2130-0x0000000005740000-0x0000000005746000-memory.dmp