Malware Analysis Report

2025-01-23 06:42

Sample ID 241106-szsr2avnhp
Target 888308e45baa19e78da1909d01e00a68d538845a37cf5a109c0a9c0ebcca57a1
SHA256 888308e45baa19e78da1909d01e00a68d538845a37cf5a109c0a9c0ebcca57a1
Tags
healer redline dozt norm discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

888308e45baa19e78da1909d01e00a68d538845a37cf5a109c0a9c0ebcca57a1

Threat Level: Known bad

The file 888308e45baa19e78da1909d01e00a68d538845a37cf5a109c0a9c0ebcca57a1 was found to be: Known bad.

Malicious Activity Summary

healer redline dozt norm discovery dropper evasion infostealer persistence trojan

Healer

RedLine payload

Healer family

Detects Healer an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

Redline family

RedLine

Executes dropped EXE

Windows security modification

Checks computer location settings

Adds Run key to start application

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported

2024-11-06 15:34

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-06 15:34

Reported

2024-11-06 15:36

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\888308e45baa19e78da1909d01e00a68d538845a37cf5a109c0a9c0ebcca57a1.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr558241.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr558241.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr558241.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr558241.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr558241.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr558241.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku195123.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr558241.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\888308e45baa19e78da1909d01e00a68d538845a37cf5a109c0a9c0ebcca57a1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixF3380.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku195123.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr918942.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\888308e45baa19e78da1909d01e00a68d538845a37cf5a109c0a9c0ebcca57a1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixF3380.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr558241.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr558241.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr558241.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku195123.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3892 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\888308e45baa19e78da1909d01e00a68d538845a37cf5a109c0a9c0ebcca57a1.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixF3380.exe
PID 3892 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\888308e45baa19e78da1909d01e00a68d538845a37cf5a109c0a9c0ebcca57a1.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixF3380.exe
PID 3892 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\888308e45baa19e78da1909d01e00a68d538845a37cf5a109c0a9c0ebcca57a1.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixF3380.exe
PID 1736 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixF3380.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr558241.exe
PID 1736 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixF3380.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr558241.exe
PID 1736 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixF3380.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku195123.exe
PID 1736 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixF3380.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku195123.exe
PID 1736 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixF3380.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku195123.exe
PID 984 wrote to memory of 6028 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku195123.exe C:\Windows\Temp\1.exe
PID 984 wrote to memory of 6028 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku195123.exe C:\Windows\Temp\1.exe
PID 984 wrote to memory of 6028 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku195123.exe C:\Windows\Temp\1.exe
PID 3892 wrote to memory of 6096 N/A C:\Users\Admin\AppData\Local\Temp\888308e45baa19e78da1909d01e00a68d538845a37cf5a109c0a9c0ebcca57a1.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr918942.exe
PID 3892 wrote to memory of 6096 N/A C:\Users\Admin\AppData\Local\Temp\888308e45baa19e78da1909d01e00a68d538845a37cf5a109c0a9c0ebcca57a1.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr918942.exe
PID 3892 wrote to memory of 6096 N/A C:\Users\Admin\AppData\Local\Temp\888308e45baa19e78da1909d01e00a68d538845a37cf5a109c0a9c0ebcca57a1.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr918942.exe

Processes

C:\Users\Admin\AppData\Local\Temp\888308e45baa19e78da1909d01e00a68d538845a37cf5a109c0a9c0ebcca57a1.exe

"C:\Users\Admin\AppData\Local\Temp\888308e45baa19e78da1909d01e00a68d538845a37cf5a109c0a9c0ebcca57a1.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixF3380.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixF3380.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr558241.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr558241.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku195123.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku195123.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 984 -ip 984

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 984 -s 1520

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr918942.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr918942.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixF3380.exe

MD5 29510d025d8e9e46d628898e2e434fb1
SHA1 161c86db7f89ccac724d2b55664a0f30fe1cc59c
SHA256 ec166d6a137a963cecd9bad6a03cae6e675bdb98181c246c252e56c51e95c440
SHA512 a2454bf9306cfde8ca70982a38d462aeca25fb21f0c74d33de3971552adfdfb676caf44adc33bdc06d93943f8023c63e8a5cf69f88d91732a180a03785e29a51

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr558241.exe

MD5 73397f266a43391d786838a8438493ef
SHA1 ef22bc8d6608805b21f79d52deedfc1baf1842a2
SHA256 f103dbef491a7beef6e2f6e3ca0fa413dc16e8c136ef4683b782adc7da21f3dd
SHA512 3d8597bb915c6a1ce9365194b83c4c6c1719424a383e4797257b8ea1e10d9d8eae433965714db958bc37e08809fe68d0e6386a766a6ca06026af03e2573438da

memory/2892-15-0x0000000000F80000-0x0000000000F8A000-memory.dmp

memory/2892-14-0x00007FF8FC283000-0x00007FF8FC285000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku195123.exe

MD5 9bab8c67ca17076317b5b1b0672b428a
SHA1 ad0a841eb1e8bfe01728aad97fc4ab623872813e
SHA256 56a5790464c8f55e59a60548479a4a3cfe621f7edc20ac79a959042c41cdb92b
SHA512 6cd85cde9c8c62a1bb93188d1dfd5f8eeebab74108d36a38666c05f2980a4d07bf8ffc4c689bf5d8e2306c444f9265765fce1c966916a7d0ab87cbf7e898dd86

C:\Windows\Temp\1.exe

MD5 1073b2e7f778788852d3f7bb79929882
SHA1 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256 c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA512 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr918942.exe

MD5 dbc1a106c3db5e1aba72111e14999cb6
SHA1 c71b410f458314a9a4d0d6d443fbea215d4d1b84
SHA256 53c9c4ec0862154430e3085718e274c05e99b05d945fcc3f62c8890ebc7558ed
SHA512 aa0e084c6bc97dc8c4f56a2e29505cfcb3439bc3cab7dac59d5cb0dd70a23badbb73cdbd8522aae2b2ce0f11d1417390ad8847699fefcd5fcf9fb0eaee7ef091

memory/6096-2128-0x0000000000E10000-0x0000000000E40000-memory.dmp

memory/6096-2129-0x0000000001700000-0x0000000001706000-memory.dmp