Malware Analysis Report

2025-01-23 07:04

Sample ID 241106-la2v3syapm
Target 58fdf0e159fcab9e0070ffc150318f44f1bf2a7602944915b9ec7a09e48b1c2a
SHA256 58fdf0e159fcab9e0070ffc150318f44f1bf2a7602944915b9ec7a09e48b1c2a
Tags
healer redline dozt norm discovery dropper evasion infostealer persistence trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256

58fdf0e159fcab9e0070ffc150318f44f1bf2a7602944915b9ec7a09e48b1c2a

Threat Level: Known bad

The file 58fdf0e159fcab9e0070ffc150318f44f1bf2a7602944915b9ec7a09e48b1c2a was found to be: Known bad.

Malicious Activity Summary

healer redline dozt norm discovery dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

Healer family

RedLine

Redline family

Detects Healer an antivirus disabler dropper

Healer

RedLine payload

Windows security modification

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Program crash

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-06 09:20

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-06 09:20

Reported

2024-11-06 09:23

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\58fdf0e159fcab9e0070ffc150318f44f1bf2a7602944915b9ec7a09e48b1c2a.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr226234.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr226234.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr226234.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr226234.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr226234.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr226234.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku114842.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr226234.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\58fdf0e159fcab9e0070ffc150318f44f1bf2a7602944915b9ec7a09e48b1c2a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zivU9610.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\58fdf0e159fcab9e0070ffc150318f44f1bf2a7602944915b9ec7a09e48b1c2a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zivU9610.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku114842.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr725544.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr226234.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr226234.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr226234.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku114842.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3204 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\58fdf0e159fcab9e0070ffc150318f44f1bf2a7602944915b9ec7a09e48b1c2a.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zivU9610.exe
PID 3204 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\58fdf0e159fcab9e0070ffc150318f44f1bf2a7602944915b9ec7a09e48b1c2a.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zivU9610.exe
PID 3204 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\58fdf0e159fcab9e0070ffc150318f44f1bf2a7602944915b9ec7a09e48b1c2a.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zivU9610.exe
PID 2556 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zivU9610.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr226234.exe
PID 2556 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zivU9610.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr226234.exe
PID 2556 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zivU9610.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku114842.exe
PID 2556 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zivU9610.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku114842.exe
PID 2556 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zivU9610.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku114842.exe
PID 3968 wrote to memory of 5900 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku114842.exe C:\Windows\Temp\1.exe
PID 3968 wrote to memory of 5900 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku114842.exe C:\Windows\Temp\1.exe
PID 3968 wrote to memory of 5900 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku114842.exe C:\Windows\Temp\1.exe
PID 3204 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\58fdf0e159fcab9e0070ffc150318f44f1bf2a7602944915b9ec7a09e48b1c2a.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr725544.exe
PID 3204 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\58fdf0e159fcab9e0070ffc150318f44f1bf2a7602944915b9ec7a09e48b1c2a.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr725544.exe
PID 3204 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\58fdf0e159fcab9e0070ffc150318f44f1bf2a7602944915b9ec7a09e48b1c2a.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr725544.exe

Processes

C:\Users\Admin\AppData\Local\Temp\58fdf0e159fcab9e0070ffc150318f44f1bf2a7602944915b9ec7a09e48b1c2a.exe

"C:\Users\Admin\AppData\Local\Temp\58fdf0e159fcab9e0070ffc150318f44f1bf2a7602944915b9ec7a09e48b1c2a.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zivU9610.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zivU9610.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr226234.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr226234.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku114842.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku114842.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3968 -ip 3968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 1376

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr725544.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr725544.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zivU9610.exe

MD5 411c92671c79a7fd1fbfdff1c9d509d9
SHA1 623c27d9dcefdc42fba8a7fd0c7b42da0531514e
SHA256 4f9bf50b6b6e23080ccce211edc57be2e9024104706e6cb210b9949d30baa415
SHA512 72b3c49d1ad38e6c353de6fce8bae6d01f2fce1aea12e142f18cbdc68f61d92223906f25cab5c39b509d3f59a1084c01f84d6f7b95f16d88cf762c8c3e367162

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr226234.exe

MD5 91a0f39851a625c7a142dd866de7e2d5
SHA1 b0712358920b2991d0201a1efdb6ccd5d1de82df
SHA256 7aa474077726ec54f428d13b8ca62be5314c347bda0b0cacf84182b9a86c7b3c
SHA512 0ebd21d69214dee4c44e9a43dc3839976927ef3a9a3946ffdcb216136f0bc8417d5f011575ef56d949cc9ed1748c3921d9da0bfa7400174436a320f0a9b7f0b3

memory/856-14-0x00007FFBFAA23000-0x00007FFBFAA25000-memory.dmp

memory/856-15-0x0000000000630000-0x000000000063A000-memory.dmp

memory/856-16-0x00007FFBFAA23000-0x00007FFBFAA25000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku114842.exe

MD5 9feef89a1dfcd50bb543a5556e03e584
SHA1 7780f29d130fc3de2ecb1360b3ee22e401d3c83c
SHA256 7a8d9f192fef41f7f4f3ee7efa2a9806a0d14ad4fb19940b754c85caaf4d5b4f
SHA512 387a2e7dfe84f899ad020a9d372e40ce3beb1a547c1bc117e95ecdaf34ad8d70f88b0f59d80c202e961bd7e4572577639a3778e9ebdc1ae9f2cb6961bea287d3

C:\Windows\Temp\1.exe

MD5 1073b2e7f778788852d3f7bb79929882
SHA1 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256 c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA512 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

memory/5900-2117-0x00000000000B0000-0x00000000000E0000-memory.dmp

memory/5900-2119-0x0000000000930000-0x0000000000936000-memory.dmp

memory/5900-2120-0x0000000005040000-0x0000000005658000-memory.dmp

memory/5900-2121-0x0000000004B30000-0x0000000004C3A000-memory.dmp

memory/5900-2122-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/5900-2123-0x0000000004AA0000-0x0000000004ADC000-memory.dmp

memory/5900-2124-0x0000000004AE0000-0x0000000004B2C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr725544.exe

MD5 3d25f4191437a967e08133f48f3f1065
SHA1 e7379c4d933841603228895902738af341891981
SHA256 197c3f96acdbe4ce19f387546089cc3d4ed74c789377388cea05eb9553e210cf
SHA512 30c26acc16b912a13183cee28b422498d0edf7c0eaf835330918015a65b5e217b2543f18ecb942500f2d874c58d4cf3cd853de0bff583fbbb92a6fdd7c5a94aa

memory/4444-2129-0x00000000005D0000-0x0000000000600000-memory.dmp

memory/4444-2130-0x00000000025B0000-0x00000000025B6000-memory.dmp