Malware Analysis Report

2025-01-23 06:50

Sample ID 241106-x7y18svqhv
Target 087eaf76a9ad78d803fb5f39fb1d71d7a7c12cce610f0d02e7e55571f5f4d8ab
SHA256 087eaf76a9ad78d803fb5f39fb1d71d7a7c12cce610f0d02e7e55571f5f4d8ab
Tags healer redline dozt norm discovery dropper evasion infostealer persistence trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256

087eaf76a9ad78d803fb5f39fb1d71d7a7c12cce610f0d02e7e55571f5f4d8ab

Threat Level: Known bad

The file 087eaf76a9ad78d803fb5f39fb1d71d7a7c12cce610f0d02e7e55571f5f4d8ab was found to be: Known bad.

Malicious Activity Summary

RedLine

RedLine payload

Redline family

Healer family

Healer

Modifies Windows Defender Real-time Protection settings

Detects Healer an antivirus disabler dropper

Windows security modification

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-11-06 19:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-06 19:30

Reported

2024-11-06 19:32

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\087eaf76a9ad78d803fb5f39fb1d71d7a7c12cce610f0d02e7e55571f5f4d8ab.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr592117.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr592117.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr592117.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr592117.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr592117.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr592117.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku902684.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr592117.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\087eaf76a9ad78d803fb5f39fb1d71d7a7c12cce610f0d02e7e55571f5f4d8ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibZ7085.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\087eaf76a9ad78d803fb5f39fb1d71d7a7c12cce610f0d02e7e55571f5f4d8ab.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibZ7085.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku902684.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr015017.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr592117.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr592117.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr592117.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku902684.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2088 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\087eaf76a9ad78d803fb5f39fb1d71d7a7c12cce610f0d02e7e55571f5f4d8ab.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibZ7085.exe
PID 2088 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\087eaf76a9ad78d803fb5f39fb1d71d7a7c12cce610f0d02e7e55571f5f4d8ab.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibZ7085.exe
PID 2088 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\087eaf76a9ad78d803fb5f39fb1d71d7a7c12cce610f0d02e7e55571f5f4d8ab.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibZ7085.exe
PID 4028 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibZ7085.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr592117.exe
PID 4028 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibZ7085.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr592117.exe
PID 4028 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibZ7085.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku902684.exe
PID 4028 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibZ7085.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku902684.exe
PID 4028 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibZ7085.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku902684.exe
PID 4824 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku902684.exe C:\Windows\Temp\1.exe
PID 4824 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku902684.exe C:\Windows\Temp\1.exe
PID 4824 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku902684.exe C:\Windows\Temp\1.exe
PID 2088 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\087eaf76a9ad78d803fb5f39fb1d71d7a7c12cce610f0d02e7e55571f5f4d8ab.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr015017.exe
PID 2088 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\087eaf76a9ad78d803fb5f39fb1d71d7a7c12cce610f0d02e7e55571f5f4d8ab.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr015017.exe
PID 2088 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\087eaf76a9ad78d803fb5f39fb1d71d7a7c12cce610f0d02e7e55571f5f4d8ab.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr015017.exe

Processes

C:\Users\Admin\AppData\Local\Temp\087eaf76a9ad78d803fb5f39fb1d71d7a7c12cce610f0d02e7e55571f5f4d8ab.exe

"C:\Users\Admin\AppData\Local\Temp\087eaf76a9ad78d803fb5f39fb1d71d7a7c12cce610f0d02e7e55571f5f4d8ab.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibZ7085.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibZ7085.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr592117.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr592117.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku902684.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku902684.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4824 -ip 4824

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 1196

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr015017.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr015017.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
FI 77.91.124.145:4125 - tcp
FI 77.91.124.145:4125 - tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
FI 77.91.124.145:4125 - tcp
FI 77.91.124.145:4125 - tcp
FI 77.91.124.145:4125 - tcp
FI 77.91.124.145:4125 - tcp
FI 77.91.124.145:4125 - tcp
FI 77.91.124.145:4125 - tcp
FI 77.91.124.145:4125 - tcp
FI 77.91.124.145:4125 - tcp
FI 77.91.124.145:4125 - tcp
FI 77.91.124.145:4125 - tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibZ7085.exe

MD5 74aa2ad44fe5491a2d7e61661a6321b0
SHA1 cd5c2bee61309a95679d837b2e88ef0b568b720a
SHA256 e2906e9d9ce43d1115378d82301ab91e870e38786879c92eafb46210dc5d4722
SHA512 bd42b4b27ae2f0770b0e9786c3ae66867b41af821963932eba21c577d6e71ce2875d87a93eb81d7597e25763a135b465d940fd8e7d9632b4f688fa3b974488bd

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr592117.exe

MD5 3398b5a0ee3eb29386841118072ca4eb
SHA1 cf79d470d671e62b074199f9440feed369622bb8
SHA256 6b314ae34b9179201548fe561aadd552d61f311130c4803a466eb149852d48ce
SHA512 0f51464c1aafd88cca49573164205f89f1a3143017e7d90cb3051fec7699905705dbaf2fb32bcb4d493108a12ac49b4ca6d8d0a0db68de7b9f320e15d44d0699

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku902684.exe

MD5 0468baa382c492bdd5efc88c64db448f
SHA1 744b7f792b42e061a485308999f88c1c9123d9d2
SHA256 3c03072569ada984a766d2f8478f633cec6ed0922d9b53ef3a3dc42d96d72540
SHA512 f1795a2fcde7328515e1f8b3534764ee6509b4247677959fd7442aeb8b64a1df3978fae8f1ef21f3ac9d0b9fc3d54484df9a0648dce6c134a277c5f95b322de3

C:\Windows\Temp\1.exe

MD5 1073b2e7f778788852d3f7bb79929882
SHA1 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256 c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA512 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr015017.exe

MD5 8eb8835e743254975c5da0444d46b809
SHA1 af0f9c7eae0a141fea88e329ad505914bab52e0d
SHA256 b70b7da3d614c40fd0cf9a9ebf84b053bfe283eb033d21fb15a613868a53d857
SHA512 d3f957a2aa38cfc84fb714e671b85e06d40288e2283a38404c2c6d2e23cbe3c1a55c64f51340bfdaaab2cf1ef751ef77b990c6ee69e70268f4407c0187140034
