Malware Analysis Report

2025-01-23 06:42

Sample ID 241106-wqzqrstqay
Target 642e506ef25c299f37d2549594069bae826f2b60d62e3ecd202357790ea739b4
SHA256 642e506ef25c299f37d2549594069bae826f2b60d62e3ecd202357790ea739b4
Tags
healer redline dozt norm discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

642e506ef25c299f37d2549594069bae826f2b60d62e3ecd202357790ea739b4

Threat Level: Known bad

The file 642e506ef25c299f37d2549594069bae826f2b60d62e3ecd202357790ea739b4 was found to be: Known bad.

Malicious Activity Summary

Modifies Windows Defender Real-time Protection settings

Healer family

RedLine payload

Redline family

RedLine

Detects Healer, an antivirus disabler dropper

Healer

Checks computer location settings

Windows security modification

Executes dropped EXE

Adds Run key to start application

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-06 18:08

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-06 18:08

Reported

2024-11-06 18:10

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\642e506ef25c299f37d2549594069bae826f2b60d62e3ecd202357790ea739b4.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr076780.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr076780.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr076780.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr076780.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr076780.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr076780.exe | N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku038204.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr076780.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\642e506ef25c299f37d2549594069bae826f2b60d62e3ecd202357790ea739b4.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAf7189.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku038204.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\1.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr825938.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\642e506ef25c299f37d2549594069bae826f2b60d62e3ecd202357790ea739b4.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAf7189.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr076780.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr076780.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr076780.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku038204.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3956 wrote to memory of 2824 | N/A | C:\Users\Admin\AppData\Local\Temp\642e506ef25c299f37d2549594069bae826f2b60d62e3ecd202357790ea739b4.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAf7189.exe
PID 3956 wrote to memory of 2824 | N/A | C:\Users\Admin\AppData\Local\Temp\642e506ef25c299f37d2549594069bae826f2b60d62e3ecd202357790ea739b4.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAf7189.exe
PID 3956 wrote to memory of 2824 | N/A | C:\Users\Admin\AppData\Local\Temp\642e506ef25c299f37d2549594069bae826f2b60d62e3ecd202357790ea739b4.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAf7189.exe
PID 2824 wrote to memory of 4988 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAf7189.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr076780.exe
PID 2824 wrote to memory of 4988 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAf7189.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr076780.exe
PID 2824 wrote to memory of 4344 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAf7189.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku038204.exe
PID 2824 wrote to memory of 4344 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAf7189.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku038204.exe
PID 2824 wrote to memory of 4344 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAf7189.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku038204.exe
PID 4344 wrote to memory of 3480 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku038204.exe | C:\Windows\Temp\1.exe
PID 4344 wrote to memory of 3480 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku038204.exe | C:\Windows\Temp\1.exe
PID 4344 wrote to memory of 3480 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku038204.exe | C:\Windows\Temp\1.exe
PID 3956 wrote to memory of 1172 | N/A | C:\Users\Admin\AppData\Local\Temp\642e506ef25c299f37d2549594069bae826f2b60d62e3ecd202357790ea739b4.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr825938.exe
PID 3956 wrote to memory of 1172 | N/A | C:\Users\Admin\AppData\Local\Temp\642e506ef25c299f37d2549594069bae826f2b60d62e3ecd202357790ea739b4.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr825938.exe
PID 3956 wrote to memory of 1172 | N/A | C:\Users\Admin\AppData\Local\Temp\642e506ef25c299f37d2549594069bae826f2b60d62e3ecd202357790ea739b4.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr825938.exe

Processes

Process | Command line
C:\Users\Admin\AppData\Local\Temp\642e506ef25c299f37d2549594069bae826f2b60d62e3ecd202357790ea739b4.exe | "C:\Users\Admin\AppData\Local\Temp\642e506ef25c299f37d2549594069bae826f2b60d62e3ecd202357790ea739b4.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAf7189.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAf7189.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr076780.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr076780.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku038204.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku038204.exe
C:\Windows\Temp\1.exe | "C:\Windows\Temp\1.exe"
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4344 -ip 4344
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 1212
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr825938.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr825938.exe

Network

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAf7189.exe

MD5 45d0c064a4f0e23d30483f33e52e5d48
SHA1 c7fedbb3aee61e3c018ac78000bae41ea6076041
SHA256 a1380fb5eff71d14bea42ab0c0ca7043121e417b4d5df78a103fb35085019bdd
SHA512 ece50a6992db1597516d7852fba77e46993d6500262e46acdb210671ec914592dfcf99e671b7a23a371399f5062c6583d485313baefe913c3f1d8d69b1224ab9

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr076780.exe

MD5 570743ecbe8ffeb53f4cf8601ef86b5d
SHA1 edb13ac456b0e2776aa70346542a96393e7e1d02
SHA256 7e7d916ff0629fac6fa399859c2d3a7c4cf1c76aee8a4e1d8f3edafd3be8778f
SHA512 76d40bca0518cf95cf3f94873ce9917c7af2f18caf584ddf3de76c9cd933f06b527f1afe5b4606140a877b514c8eeb106c9c957c9e786a7c59f144dae2bb11ce

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku038204.exe

MD5 ccced93e7e6cd52aa8a4cf7a4c918306
SHA1 73d680f358f3d09e08c8c740f96448b920c23cc9
SHA256 4083218236be316478596163b20a0103432ed4aeaa6c396341c1780d6bf8bedd
SHA512 d5c9f5f9838c7ee3a01babe703d8409c8e5eecc76e003c6df1f6a2fbb61dfb81494799b322d070c5529c49b8d2d59ff1e842bc7398cac9e9fcfbced8cf1866a1

C:\Windows\Temp\1.exe

MD5 1073b2e7f778788852d3f7bb79929882
SHA1 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256 c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA512 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr825938.exe

MD5 7f19e816ffbba26c3d1aa0c6b24343dd
SHA1 67973a7cf930a71638efe55fe69257bdee069214
SHA256 5b803fb259385527d366a9743acc779798926c1395bf9913e4aff4f08bd3e442
SHA512 1d1e943ef4d0cc9f7c8dc7ccc2c5afbbddc0381ca2e4165ba19243229b8940a1021c3185ca56b250b831f1b753b880a4338e3602e1cc1d3ac023231f4082852b
