Malware Analysis Report

2025-01-23 06:42

Sample ID 241107-a9mpnatper
Target f38516eb7b32d7161f2734254d7840086ab3c6c70a31e4e9534649ddb8263377
SHA256 f38516eb7b32d7161f2734254d7840086ab3c6c70a31e4e9534649ddb8263377
Tags
healer redline dozt norm discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

f38516eb7b32d7161f2734254d7840086ab3c6c70a31e4e9534649ddb8263377

Threat Level: Known bad

The file f38516eb7b32d7161f2734254d7840086ab3c6c70a31e4e9534649ddb8263377 was found to be: Known bad.

Malicious Activity Summary

Healer

RedLine payload

Detects Healer, an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

Healer family

Redline family

RedLine

Windows security modification

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-07 00:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 00:54

Reported

2024-11-07 00:57

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f38516eb7b32d7161f2734254d7840086ab3c6c70a31e4e9534649ddb8263377.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr576424.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr576424.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr576424.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr576424.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr576424.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr576424.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku828107.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr576424.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\f38516eb7b32d7161f2734254d7840086ab3c6c70a31e4e9534649ddb8263377.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziry1528.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f38516eb7b32d7161f2734254d7840086ab3c6c70a31e4e9534649ddb8263377.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziry1528.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku828107.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr615799.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr576424.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr576424.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr576424.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku828107.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1516 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\f38516eb7b32d7161f2734254d7840086ab3c6c70a31e4e9534649ddb8263377.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziry1528.exe
PID 1516 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\f38516eb7b32d7161f2734254d7840086ab3c6c70a31e4e9534649ddb8263377.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziry1528.exe
PID 1516 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\f38516eb7b32d7161f2734254d7840086ab3c6c70a31e4e9534649ddb8263377.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziry1528.exe
PID 4600 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziry1528.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr576424.exe
PID 4600 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziry1528.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr576424.exe
PID 4600 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziry1528.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku828107.exe
PID 4600 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziry1528.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku828107.exe
PID 4600 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziry1528.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku828107.exe
PID 1132 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku828107.exe C:\Windows\Temp\1.exe
PID 1132 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku828107.exe C:\Windows\Temp\1.exe
PID 1132 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku828107.exe C:\Windows\Temp\1.exe
PID 1516 wrote to memory of 5692 N/A C:\Users\Admin\AppData\Local\Temp\f38516eb7b32d7161f2734254d7840086ab3c6c70a31e4e9534649ddb8263377.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr615799.exe
PID 1516 wrote to memory of 5692 N/A C:\Users\Admin\AppData\Local\Temp\f38516eb7b32d7161f2734254d7840086ab3c6c70a31e4e9534649ddb8263377.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr615799.exe
PID 1516 wrote to memory of 5692 N/A C:\Users\Admin\AppData\Local\Temp\f38516eb7b32d7161f2734254d7840086ab3c6c70a31e4e9534649ddb8263377.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr615799.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f38516eb7b32d7161f2734254d7840086ab3c6c70a31e4e9534649ddb8263377.exe

"C:\Users\Admin\AppData\Local\Temp\f38516eb7b32d7161f2734254d7840086ab3c6c70a31e4e9534649ddb8263377.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziry1528.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziry1528.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr576424.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr576424.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku828107.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku828107.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1132 -ip 1132

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 1184

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr615799.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr615799.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziry1528.exe

MD5 bddef72ee2387bccb03840674c73bf59
SHA1 6083c110bce76b84b826b7bfb1c31a76b1453397
SHA256 cb945f71becf147765c507a1b8dd035ad69064a7f8905bb4e3a20d12d8e4994b
SHA512 aa618a9f2a2a0f43f511b575a9d4de729137e01a7af745ee086eee21bd2fe6225bb7708c1b72f5c7ca80acd07e0678a406f273b64327fa88fda455894f28ecb3

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr576424.exe

MD5 aaf6b2789f35078e79e790a47f4ca9e1
SHA1 da53df13eae11a065840d9f6d22d0d87b80092f5
SHA256 cf78d8173926035b980dabb4cf474206ab90b822e0b600ca19949402640f3206
SHA512 3151835cbab306a05333b702a7ecddcba0dd98e62fde40daa20d8dd15afa3467dd391dafca373e700e6a54921c5d8dd53fef59500453002d894e538b91a37666

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku828107.exe

MD5 6dcc75827dc042246e63ea0fc2d9fb36
SHA1 5dc61f99234156e6153709f4cc3bb520f055e149
SHA256 551b7deb3521a31e6cd26466096b9deeb536368668487d2924c4bc457e3d2dfa
SHA512 a99ea4081ff79fa8e6b76e32877ee32f7e3fac8258882b14f3bcc1e4d12eb4d64d5f9fc40b12021a69b7a9ec6d19db70276462050643478a8555e2ad63a1747c

C:\Windows\Temp\1.exe

MD5 1073b2e7f778788852d3f7bb79929882
SHA1 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256 c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA512 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr615799.exe

MD5 057c822caf3c0dd1e31c09a8ad6c0393
SHA1 6770d652d30ce8229d9d0f6a5efcff9ef67b7be9
SHA256 d41f9f43f1df193508928b40495ed4f6125ce185b1ace5346d255b4c1c649168
SHA512 4c7a5c28ed00bb13bd52d72ee349bbea23623653394e533d33060703c107cd8d5f890e90d25cba1a1a7ef8a199c570340731ee581d9c70e862d9a80c531e6c1c
