Malware Analysis Report

2025-01-23 07:04

Sample ID 241106-tdtymstdmk
Target 2ae46164d66af75d71bbffbea9f11f41cad0b46bcd009cd50a26b4f0e67d0d42
SHA256 2ae46164d66af75d71bbffbea9f11f41cad0b46bcd009cd50a26b4f0e67d0d42
Tags
healer redline dozt norm discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2ae46164d66af75d71bbffbea9f11f41cad0b46bcd009cd50a26b4f0e67d0d42

Threat Level: Known bad

The file 2ae46164d66af75d71bbffbea9f11f41cad0b46bcd009cd50a26b4f0e67d0d42 was found to be: Known bad.

Malicious Activity Summary

healer redline dozt norm discovery dropper evasion infostealer persistence trojan

Detects Healer, an antivirus disabler dropper

Redline family

Modifies Windows Defender Real-time Protection settings

Healer family

RedLine payload

Healer

RedLine

Checks computer location settings

Windows security modification

Executes dropped EXE

Adds Run key to start application

Launches sc.exe

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-06 15:56

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-06 15:56

Reported

2024-11-06 15:59

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2ae46164d66af75d71bbffbea9f11f41cad0b46bcd009cd50a26b4f0e67d0d42.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr869080.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr869080.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr869080.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr869080.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr869080.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr869080.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Redline family

redline

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku745855.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr869080.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\2ae46164d66af75d71bbffbea9f11f41cad0b46bcd009cd50a26b4f0e67d0d42.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zilJ8895.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\sc.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2ae46164d66af75d71bbffbea9f11f41cad0b46bcd009cd50a26b4f0e67d0d42.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zilJ8895.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku745855.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\1.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr492858.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr869080.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr869080.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr869080.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku745855.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2060 wrote to memory of 4524 | N/A | C:\Users\Admin\AppData\Local\Temp\2ae46164d66af75d71bbffbea9f11f41cad0b46bcd009cd50a26b4f0e67d0d42.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zilJ8895.exe
PID 2060 wrote to memory of 4524 | N/A | C:\Users\Admin\AppData\Local\Temp\2ae46164d66af75d71bbffbea9f11f41cad0b46bcd009cd50a26b4f0e67d0d42.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zilJ8895.exe
PID 2060 wrote to memory of 4524 | N/A | C:\Users\Admin\AppData\Local\Temp\2ae46164d66af75d71bbffbea9f11f41cad0b46bcd009cd50a26b4f0e67d0d42.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zilJ8895.exe
PID 4524 wrote to memory of 976 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zilJ8895.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr869080.exe
PID 4524 wrote to memory of 976 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zilJ8895.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr869080.exe
PID 4524 wrote to memory of 3080 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zilJ8895.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku745855.exe
PID 4524 wrote to memory of 3080 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zilJ8895.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku745855.exe
PID 4524 wrote to memory of 3080 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zilJ8895.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku745855.exe
PID 3080 wrote to memory of 5192 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku745855.exe | C:\Windows\Temp\1.exe
PID 3080 wrote to memory of 5192 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku745855.exe | C:\Windows\Temp\1.exe
PID 3080 wrote to memory of 5192 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku745855.exe | C:\Windows\Temp\1.exe
PID 2060 wrote to memory of 5592 | N/A | C:\Users\Admin\AppData\Local\Temp\2ae46164d66af75d71bbffbea9f11f41cad0b46bcd009cd50a26b4f0e67d0d42.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr492858.exe
PID 2060 wrote to memory of 5592 | N/A | C:\Users\Admin\AppData\Local\Temp\2ae46164d66af75d71bbffbea9f11f41cad0b46bcd009cd50a26b4f0e67d0d42.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr492858.exe
PID 2060 wrote to memory of 5592 | N/A | C:\Users\Admin\AppData\Local\Temp\2ae46164d66af75d71bbffbea9f11f41cad0b46bcd009cd50a26b4f0e67d0d42.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr492858.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2ae46164d66af75d71bbffbea9f11f41cad0b46bcd009cd50a26b4f0e67d0d42.exe

"C:\Users\Admin\AppData\Local\Temp\2ae46164d66af75d71bbffbea9f11f41cad0b46bcd009cd50a26b4f0e67d0d42.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zilJ8895.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zilJ8895.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr869080.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr869080.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku745855.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku745855.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3080 -ip 3080

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3080 -s 1516

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr492858.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr492858.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zilJ8895.exe

MD5 abe1717cab5c64bb06f8245a924a0caf
SHA1 e71e1c8f92c5a20b203568f824c6f79cd33e1606
SHA256 80250d7509189ead13e3efecde949d31f50b72acc6a120952fba89cd3c9e55d2
SHA512 9900f13293000fb3523ed69c8662fb3ee11963e4a5f6ab5b813d7a2dc52773be340de308ebb93908d996b2ae09630b7e3dcb9883d9749a2e3424bce2d738035b

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr869080.exe

MD5 c1d1fed84f84eaf7702195635764369c
SHA1 35537da9ef60d781e9ec31c2ed6c5a61758764e8
SHA256 719141f48171c23f04aac89b644a4d15d22543024880e19c38ab225a83f3b28e
SHA512 53a6d068b902e10e02713c03bf8339e3fc17516c8ce744fab45194ec88a22e05ac4454767a984ae85658fabd87a0878179ed7b3ba2da23d9ea1361d47082672d

memory/976-14-0x00007FFEB35E3000-0x00007FFEB35E5000-memory.dmp

memory/976-15-0x0000000000EA0000-0x0000000000EAA000-memory.dmp

memory/976-16-0x00007FFEB35E3000-0x00007FFEB35E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku745855.exe

MD5 39fb6a4a9717eb47ad141ff3fad181cb
SHA1 3371d3f27bcc0c5fd49e1338f54ddcab74cfd444
SHA256 32ea043e7fd9ea963267325511d695b58cb6ac560ee086ac9d7135dda3aa46ce
SHA512 c5839ed29360ddb1c24afe948ae699647a069bcec5973d7f425a904515584b024712e196e69069a6c5aaa8073fd536f4c9cf79603c9a80ccc2857014bcd11e95

memory/3080-22-0x0000000002540000-0x00000000025A6000-memory.dmp

memory/3080-23-0x0000000004D80000-0x0000000005324000-memory.dmp

memory/3080-24-0x00000000025B0000-0x0000000002616000-memory.dmp

memory/3080-32-0x00000000025B0000-0x000000000260F000-memory.dmp

memory/3080-52-0x00000000025B0000-0x000000000260F000-memory.dmp

memory/3080-88-0x00000000025B0000-0x000000000260F000-memory.dmp

memory/3080-86-0x00000000025B0000-0x000000000260F000-memory.dmp

memory/3080-84-0x00000000025B0000-0x000000000260F000-memory.dmp

memory/3080-82-0x00000000025B0000-0x000000000260F000-memory.dmp

memory/3080-80-0x00000000025B0000-0x000000000260F000-memory.dmp

memory/3080-78-0x00000000025B0000-0x000000000260F000-memory.dmp

memory/3080-76-0x00000000025B0000-0x000000000260F000-memory.dmp

memory/3080-74-0x00000000025B0000-0x000000000260F000-memory.dmp

memory/3080-72-0x00000000025B0000-0x000000000260F000-memory.dmp

memory/3080-70-0x00000000025B0000-0x000000000260F000-memory.dmp

memory/3080-68-0x00000000025B0000-0x000000000260F000-memory.dmp

memory/3080-64-0x00000000025B0000-0x000000000260F000-memory.dmp

memory/3080-62-0x00000000025B0000-0x000000000260F000-memory.dmp

memory/3080-60-0x00000000025B0000-0x000000000260F000-memory.dmp

memory/3080-59-0x00000000025B0000-0x000000000260F000-memory.dmp

memory/3080-56-0x00000000025B0000-0x000000000260F000-memory.dmp

memory/3080-54-0x00000000025B0000-0x000000000260F000-memory.dmp

memory/3080-50-0x00000000025B0000-0x000000000260F000-memory.dmp

memory/3080-48-0x00000000025B0000-0x000000000260F000-memory.dmp

memory/3080-46-0x00000000025B0000-0x000000000260F000-memory.dmp

memory/3080-44-0x00000000025B0000-0x000000000260F000-memory.dmp

memory/3080-42-0x00000000025B0000-0x000000000260F000-memory.dmp

memory/3080-40-0x00000000025B0000-0x000000000260F000-memory.dmp

memory/3080-38-0x00000000025B0000-0x000000000260F000-memory.dmp

memory/3080-36-0x00000000025B0000-0x000000000260F000-memory.dmp

memory/3080-34-0x00000000025B0000-0x000000000260F000-memory.dmp

memory/3080-30-0x00000000025B0000-0x000000000260F000-memory.dmp

memory/3080-28-0x00000000025B0000-0x000000000260F000-memory.dmp

memory/3080-26-0x00000000025B0000-0x000000000260F000-memory.dmp

memory/3080-66-0x00000000025B0000-0x000000000260F000-memory.dmp

memory/3080-25-0x00000000025B0000-0x000000000260F000-memory.dmp

memory/3080-2105-0x0000000002770000-0x00000000027A2000-memory.dmp

C:\Windows\Temp\1.exe

MD5 1073b2e7f778788852d3f7bb79929882
SHA1 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256 c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA512 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

memory/5192-2118-0x0000000000370000-0x00000000003A0000-memory.dmp

memory/5192-2119-0x0000000000C70000-0x0000000000C76000-memory.dmp

memory/5192-2120-0x0000000005360000-0x0000000005978000-memory.dmp

memory/5192-2121-0x0000000004E50000-0x0000000004F5A000-memory.dmp

memory/5192-2122-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

memory/5192-2123-0x0000000004D80000-0x0000000004DBC000-memory.dmp

memory/5192-2124-0x0000000004DC0000-0x0000000004E0C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr492858.exe

MD5 55426347a75c2151a60e9204cc5c2b3f
SHA1 4cbd3e9bfec7f553df1fe123096fc7e933760a22
SHA256 6d022204ef23fe17290444e98c7aed2b73e40a5d832690731497c5f6974491b8
SHA512 0d8c9d689a35456ec9b5945c855af6bfc94f1f24dd069d96105d74fba95d1b851af05ba3213dbd8f9d096a699b8a58d8e8fb84cc7638fce483e999c7cffbcc54

memory/5592-2129-0x0000000000120000-0x0000000000150000-memory.dmp

memory/5592-2130-0x00000000022D0000-0x00000000022D6000-memory.dmp