Malware Analysis Report

2025-01-23 07:04

Sample ID 241106-qjqavs1fkk
Target 43f0ceec0e6edd67f3ddd5a6cfad9501bf8dcbd1804d6d5f4484e64eeb15eacb
SHA256 43f0ceec0e6edd67f3ddd5a6cfad9501bf8dcbd1804d6d5f4484e64eeb15eacb
Tags
healer redline dozt norm discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

43f0ceec0e6edd67f3ddd5a6cfad9501bf8dcbd1804d6d5f4484e64eeb15eacb

Threat Level: Known bad

The file 43f0ceec0e6edd67f3ddd5a6cfad9501bf8dcbd1804d6d5f4484e64eeb15eacb was found to be: Known bad.

Malicious Activity Summary

healer redline dozt norm discovery dropper evasion infostealer persistence trojan

Healer family

Modifies Windows Defender Real-time Protection settings

RedLine payload

Detects Healer an antivirus disabler dropper

Healer

Redline family

RedLine

Windows security modification

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Program crash

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-06 13:17

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-06 13:17

Reported

2024-11-06 13:20

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\43f0ceec0e6edd67f3ddd5a6cfad9501bf8dcbd1804d6d5f4484e64eeb15eacb.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr336193.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr336193.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr336193.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr336193.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr336193.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr336193.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Redline family

redline

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku156425.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr336193.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNN7126.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\43f0ceec0e6edd67f3ddd5a6cfad9501bf8dcbd1804d6d5f4484e64eeb15eacb.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr366859.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\43f0ceec0e6edd67f3ddd5a6cfad9501bf8dcbd1804d6d5f4484e64eeb15eacb.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNN7126.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku156425.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\1.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr336193.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr336193.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr336193.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku156425.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2952 wrote to memory of 1968 | N/A | C:\Users\Admin\AppData\Local\Temp\43f0ceec0e6edd67f3ddd5a6cfad9501bf8dcbd1804d6d5f4484e64eeb15eacb.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNN7126.exe
PID 2952 wrote to memory of 1968 | N/A | C:\Users\Admin\AppData\Local\Temp\43f0ceec0e6edd67f3ddd5a6cfad9501bf8dcbd1804d6d5f4484e64eeb15eacb.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNN7126.exe
PID 2952 wrote to memory of 1968 | N/A | C:\Users\Admin\AppData\Local\Temp\43f0ceec0e6edd67f3ddd5a6cfad9501bf8dcbd1804d6d5f4484e64eeb15eacb.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNN7126.exe
PID 1968 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNN7126.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr336193.exe
PID 1968 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNN7126.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr336193.exe
PID 1968 wrote to memory of 5076 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNN7126.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku156425.exe
PID 1968 wrote to memory of 5076 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNN7126.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku156425.exe
PID 1968 wrote to memory of 5076 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNN7126.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku156425.exe
PID 5076 wrote to memory of 3664 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku156425.exe | C:\Windows\Temp\1.exe
PID 5076 wrote to memory of 3664 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku156425.exe | C:\Windows\Temp\1.exe
PID 5076 wrote to memory of 3664 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku156425.exe | C:\Windows\Temp\1.exe
PID 2952 wrote to memory of 4388 | N/A | C:\Users\Admin\AppData\Local\Temp\43f0ceec0e6edd67f3ddd5a6cfad9501bf8dcbd1804d6d5f4484e64eeb15eacb.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr366859.exe
PID 2952 wrote to memory of 4388 | N/A | C:\Users\Admin\AppData\Local\Temp\43f0ceec0e6edd67f3ddd5a6cfad9501bf8dcbd1804d6d5f4484e64eeb15eacb.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr366859.exe
PID 2952 wrote to memory of 4388 | N/A | C:\Users\Admin\AppData\Local\Temp\43f0ceec0e6edd67f3ddd5a6cfad9501bf8dcbd1804d6d5f4484e64eeb15eacb.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr366859.exe

Processes

C:\Users\Admin\AppData\Local\Temp\43f0ceec0e6edd67f3ddd5a6cfad9501bf8dcbd1804d6d5f4484e64eeb15eacb.exe

"C:\Users\Admin\AppData\Local\Temp\43f0ceec0e6edd67f3ddd5a6cfad9501bf8dcbd1804d6d5f4484e64eeb15eacb.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNN7126.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNN7126.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr336193.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr336193.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku156425.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku156425.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5076 -ip 5076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 1376

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr366859.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr366859.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNN7126.exe

MD5 5738d3f013981ecbea7b167420b83e91
SHA1 f6a60194c0c39974c73153507b7d4b8f6905043f
SHA256 b977d12703d54ec72dd381dd77aacde08b796cdf8e36ae03ac1f2d30730986c9
SHA512 b8253f7e1b486a6ce84cc46685bdcc883efad0cebd72ca4ab1c50549ebee935966ad99a54ad49ba434da1e0699140619776e071a0d750aa19317ad9bedf9d569

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr336193.exe

MD5 991d702fe2bb7e7e9b91175c72fc1b41
SHA1 ee3ffcd9a177aa5e85a8c74afb7f8510f49506de
SHA256 28671946d6556d49c37b273f9e4c03cde624219815e12be1f14a4297fab3b634
SHA512 456d2071671c0efa59a588126f98a7c7d24f9b145b569b9ee549a1d7e800ddd5cf14698ba9435cc441bb9a20dc16cae6df98223fc65659c11919731eb7fb2ac8

memory/2436-14-0x00007FFEAE8B3000-0x00007FFEAE8B5000-memory.dmp

memory/2436-15-0x0000000000CA0000-0x0000000000CAA000-memory.dmp

memory/2436-16-0x00007FFEAE8B3000-0x00007FFEAE8B5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku156425.exe

MD5 3e89d36743e56837b3f1862900b4fb6d
SHA1 be3f3f81c429bd135877117b2b5eaa860fb62464
SHA256 99d5ea65aaec655a1b4d07f39613c2510326d48b1792206fef39179e54d4f225
SHA512 b93ab71f55f9a8f0c214a14fc6b34ebd683fc7b2481287a3d4932563f3a15304095bd2ab7ae45128389b601352b69568d1ba8db076e6d79cd21ba520d5f764aa

memory/5076-22-0x00000000026D0000-0x0000000002736000-memory.dmp

memory/5076-23-0x0000000004D40000-0x00000000052E4000-memory.dmp

memory/5076-24-0x00000000052F0000-0x0000000005356000-memory.dmp

memory/5076-46-0x00000000052F0000-0x000000000534F000-memory.dmp

memory/5076-56-0x00000000052F0000-0x000000000534F000-memory.dmp

memory/5076-88-0x00000000052F0000-0x000000000534F000-memory.dmp

memory/5076-84-0x00000000052F0000-0x000000000534F000-memory.dmp

memory/5076-82-0x00000000052F0000-0x000000000534F000-memory.dmp

memory/5076-80-0x00000000052F0000-0x000000000534F000-memory.dmp

memory/5076-76-0x00000000052F0000-0x000000000534F000-memory.dmp

memory/5076-74-0x00000000052F0000-0x000000000534F000-memory.dmp

memory/5076-72-0x00000000052F0000-0x000000000534F000-memory.dmp

memory/5076-70-0x00000000052F0000-0x000000000534F000-memory.dmp

memory/5076-68-0x00000000052F0000-0x000000000534F000-memory.dmp

memory/5076-66-0x00000000052F0000-0x000000000534F000-memory.dmp

memory/5076-64-0x00000000052F0000-0x000000000534F000-memory.dmp

memory/5076-62-0x00000000052F0000-0x000000000534F000-memory.dmp

memory/5076-60-0x00000000052F0000-0x000000000534F000-memory.dmp

memory/5076-58-0x00000000052F0000-0x000000000534F000-memory.dmp

memory/5076-54-0x00000000052F0000-0x000000000534F000-memory.dmp

memory/5076-52-0x00000000052F0000-0x000000000534F000-memory.dmp

memory/5076-50-0x00000000052F0000-0x000000000534F000-memory.dmp

memory/5076-48-0x00000000052F0000-0x000000000534F000-memory.dmp

memory/5076-44-0x00000000052F0000-0x000000000534F000-memory.dmp

memory/5076-40-0x00000000052F0000-0x000000000534F000-memory.dmp

memory/5076-38-0x00000000052F0000-0x000000000534F000-memory.dmp

memory/5076-37-0x00000000052F0000-0x000000000534F000-memory.dmp

memory/5076-32-0x00000000052F0000-0x000000000534F000-memory.dmp

memory/5076-30-0x00000000052F0000-0x000000000534F000-memory.dmp

memory/5076-29-0x00000000052F0000-0x000000000534F000-memory.dmp

memory/5076-86-0x00000000052F0000-0x000000000534F000-memory.dmp

memory/5076-78-0x00000000052F0000-0x000000000534F000-memory.dmp

memory/5076-42-0x00000000052F0000-0x000000000534F000-memory.dmp

memory/5076-34-0x00000000052F0000-0x000000000534F000-memory.dmp

memory/5076-26-0x00000000052F0000-0x000000000534F000-memory.dmp

memory/5076-25-0x00000000052F0000-0x000000000534F000-memory.dmp

memory/5076-2105-0x0000000005540000-0x0000000005572000-memory.dmp

C:\Windows\Temp\1.exe

MD5 1073b2e7f778788852d3f7bb79929882
SHA1 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256 c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA512 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

memory/3664-2118-0x0000000000130000-0x0000000000160000-memory.dmp

memory/3664-2119-0x0000000004910000-0x0000000004916000-memory.dmp

memory/3664-2120-0x00000000050E0000-0x00000000056F8000-memory.dmp

memory/3664-2121-0x0000000004BD0000-0x0000000004CDA000-memory.dmp

memory/3664-2122-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

memory/3664-2123-0x0000000004AE0000-0x0000000004B1C000-memory.dmp

memory/3664-2124-0x0000000004B60000-0x0000000004BAC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr366859.exe

MD5 01995627cb8d1eab23bf4776248e8c88
SHA1 e5d3ad2c61028d2b625c1b9fda23fe68e19615a4
SHA256 4c2a9d9c683e853ce3c26e0717f0d48f6c03d89ca82675025fbb8283a95ec7a3
SHA512 424b25596d071e268cac753e7c25c36f16b6d42e087b42e2f5b6925d4f609f7bb51015a87982b19f0f410da181152b01e99c04fd2d820480a8c63bfe720ffbf7

memory/4388-2129-0x0000000000380000-0x00000000003B0000-memory.dmp

memory/4388-2130-0x0000000004BA0000-0x0000000004BA6000-memory.dmp