Malware Analysis Report

2025-01-23 06:42

Sample ID 241107-acazla1cne
Target 3863291868054be94733924f6e5249f3bbeb109aea8e82d9e15643e523de0712
SHA256 3863291868054be94733924f6e5249f3bbeb109aea8e82d9e15643e523de0712
Tags
healer redline dozt norm discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3863291868054be94733924f6e5249f3bbeb109aea8e82d9e15643e523de0712

Threat Level: Known bad

The file 3863291868054be94733924f6e5249f3bbeb109aea8e82d9e15643e523de0712 was found to be: Known bad.

Malicious Activity Summary

healer redline dozt norm discovery dropper evasion infostealer persistence trojan

Healer

Modifies Windows Defender Real-time Protection settings

Redline family

Detects Healer an antivirus disabler dropper

RedLine payload

RedLine

Healer family

Checks computer location settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-07 00:03

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 00:03

Reported

2024-11-07 00:07

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3863291868054be94733924f6e5249f3bbeb109aea8e82d9e15643e523de0712.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr460901.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr460901.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr460901.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr460901.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr460901.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr460901.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Redline family

redline

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku193118.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr460901.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\3863291868054be94733924f6e5249f3bbeb109aea8e82d9e15643e523de0712.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOO2961.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOO2961.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku193118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\1.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr746091.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3863291868054be94733924f6e5249f3bbeb109aea8e82d9e15643e523de0712.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr460901.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr460901.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr460901.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku193118.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1052 wrote to memory of 3092 | N/A | C:\Users\Admin\AppData\Local\Temp\3863291868054be94733924f6e5249f3bbeb109aea8e82d9e15643e523de0712.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOO2961.exe
PID 1052 wrote to memory of 3092 | N/A | C:\Users\Admin\AppData\Local\Temp\3863291868054be94733924f6e5249f3bbeb109aea8e82d9e15643e523de0712.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOO2961.exe
PID 1052 wrote to memory of 3092 | N/A | C:\Users\Admin\AppData\Local\Temp\3863291868054be94733924f6e5249f3bbeb109aea8e82d9e15643e523de0712.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOO2961.exe
PID 3092 wrote to memory of 3464 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOO2961.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr460901.exe
PID 3092 wrote to memory of 3464 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOO2961.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr460901.exe
PID 3092 wrote to memory of 2256 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOO2961.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku193118.exe
PID 3092 wrote to memory of 2256 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOO2961.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku193118.exe
PID 3092 wrote to memory of 2256 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOO2961.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku193118.exe
PID 2256 wrote to memory of 3484 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku193118.exe | C:\Windows\Temp\1.exe
PID 2256 wrote to memory of 3484 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku193118.exe | C:\Windows\Temp\1.exe
PID 2256 wrote to memory of 3484 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku193118.exe | C:\Windows\Temp\1.exe
PID 1052 wrote to memory of 4296 | N/A | C:\Users\Admin\AppData\Local\Temp\3863291868054be94733924f6e5249f3bbeb109aea8e82d9e15643e523de0712.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr746091.exe
PID 1052 wrote to memory of 4296 | N/A | C:\Users\Admin\AppData\Local\Temp\3863291868054be94733924f6e5249f3bbeb109aea8e82d9e15643e523de0712.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr746091.exe
PID 1052 wrote to memory of 4296 | N/A | C:\Users\Admin\AppData\Local\Temp\3863291868054be94733924f6e5249f3bbeb109aea8e82d9e15643e523de0712.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr746091.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3863291868054be94733924f6e5249f3bbeb109aea8e82d9e15643e523de0712.exe

"C:\Users\Admin\AppData\Local\Temp\3863291868054be94733924f6e5249f3bbeb109aea8e82d9e15643e523de0712.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOO2961.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOO2961.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr460901.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr460901.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku193118.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku193118.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2256 -ip 2256

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 1372

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr746091.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr746091.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOO2961.exe

MD5 64ca4ea8c7f5eaaf92f0d58213d0df56
SHA1 f634998324c127bdfd28472b6aa8addd84b1d66b
SHA256 a9ff126bc4f7dd9d019dacd11b93bdf70594331a0fc5cd60ca5b43a434fff49d
SHA512 f3d8907a30eff9f40975119cf6af1d6d7a29c567a2b08b0242b6eef25d7a979f63bcb4a05d2ca7e41635719761ef75d33964a1b4825598ffbd912a214fb599fd

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr460901.exe

MD5 c217dfd5d946b22c94f85f2e543e5a18
SHA1 7092cfc9221d9d3f66e1060b82f1b525f0026673
SHA256 ff6074e100a3f33137bb4c191d4b50e6e16efd954cb767798289e07acd92b96f
SHA512 c8e281b50f5209d7bc3733466a150d07e83d36cc3beeef0912bfa1e313f0da40c76cb7e006cf821adf38f9cc0170e31cb9890c349f87baaf680a11991398db83

memory/3464-14-0x00007FFA380A3000-0x00007FFA380A5000-memory.dmp

memory/3464-15-0x0000000000E20000-0x0000000000E2A000-memory.dmp

memory/3464-16-0x00007FFA380A3000-0x00007FFA380A5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku193118.exe

MD5 65050e357a2e5f3607ac4a450cd04b3e
SHA1 15376b9da670af169d43707a1ff2b02bb90bd96b
SHA256 d52060fb974ca89cd73221139781ecf2d04e447906513ee09da2f6298e67c51d
SHA512 29154275d5167b986feee3c70eafd729c5b5211ad4e3eee85e1548ffad491c5b09e1cf2ab8034fbc3cd394ff107fac22564a93b6ca6f060f5b16a6349dceb3cc

memory/2256-22-0x0000000002590000-0x00000000025F6000-memory.dmp

memory/2256-23-0x0000000004DE0000-0x0000000005384000-memory.dmp

memory/2256-24-0x0000000005390000-0x00000000053F6000-memory.dmp

memory/2256-38-0x0000000005390000-0x00000000053EF000-memory.dmp

memory/2256-50-0x0000000005390000-0x00000000053EF000-memory.dmp

memory/2256-54-0x0000000005390000-0x00000000053EF000-memory.dmp

memory/2256-62-0x0000000005390000-0x00000000053EF000-memory.dmp

memory/2256-60-0x0000000005390000-0x00000000053EF000-memory.dmp

memory/2256-58-0x0000000005390000-0x00000000053EF000-memory.dmp

memory/2256-56-0x0000000005390000-0x00000000053EF000-memory.dmp

memory/2256-52-0x0000000005390000-0x00000000053EF000-memory.dmp

memory/2256-48-0x0000000005390000-0x00000000053EF000-memory.dmp

memory/2256-46-0x0000000005390000-0x00000000053EF000-memory.dmp

memory/2256-44-0x0000000005390000-0x00000000053EF000-memory.dmp

memory/2256-42-0x0000000005390000-0x00000000053EF000-memory.dmp

memory/2256-40-0x0000000005390000-0x00000000053EF000-memory.dmp

memory/2256-36-0x0000000005390000-0x00000000053EF000-memory.dmp

memory/2256-72-0x0000000005390000-0x00000000053EF000-memory.dmp

memory/2256-82-0x0000000005390000-0x00000000053EF000-memory.dmp

memory/2256-88-0x0000000005390000-0x00000000053EF000-memory.dmp

memory/2256-86-0x0000000005390000-0x00000000053EF000-memory.dmp

memory/2256-85-0x0000000005390000-0x00000000053EF000-memory.dmp

memory/2256-80-0x0000000005390000-0x00000000053EF000-memory.dmp

memory/2256-78-0x0000000005390000-0x00000000053EF000-memory.dmp

memory/2256-76-0x0000000005390000-0x00000000053EF000-memory.dmp

memory/2256-74-0x0000000005390000-0x00000000053EF000-memory.dmp

memory/2256-70-0x0000000005390000-0x00000000053EF000-memory.dmp

memory/2256-68-0x0000000005390000-0x00000000053EF000-memory.dmp

memory/2256-66-0x0000000005390000-0x00000000053EF000-memory.dmp

memory/2256-64-0x0000000005390000-0x00000000053EF000-memory.dmp

memory/2256-35-0x0000000005390000-0x00000000053EF000-memory.dmp

memory/2256-32-0x0000000005390000-0x00000000053EF000-memory.dmp

memory/2256-30-0x0000000005390000-0x00000000053EF000-memory.dmp

memory/2256-28-0x0000000005390000-0x00000000053EF000-memory.dmp

memory/2256-26-0x0000000005390000-0x00000000053EF000-memory.dmp

memory/2256-25-0x0000000005390000-0x00000000053EF000-memory.dmp

memory/2256-2106-0x0000000005560000-0x0000000005592000-memory.dmp

C:\Windows\Temp\1.exe

MD5 1073b2e7f778788852d3f7bb79929882
SHA1 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256 c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA512 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

memory/3484-2119-0x00000000003B0000-0x00000000003E0000-memory.dmp

memory/3484-2120-0x0000000000BE0000-0x0000000000BE6000-memory.dmp

memory/3484-2121-0x00000000053C0000-0x00000000059D8000-memory.dmp

memory/3484-2122-0x0000000004EB0000-0x0000000004FBA000-memory.dmp

memory/3484-2123-0x0000000004D20000-0x0000000004D32000-memory.dmp

memory/3484-2124-0x0000000004DA0000-0x0000000004DDC000-memory.dmp

memory/3484-2125-0x0000000004DE0000-0x0000000004E2C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr746091.exe

MD5 97b3cfb379fbd7a66f11324dfb1f0d7f
SHA1 c64de698e0a1325f3b16159409ec98866a1483c5
SHA256 1ad0b224cf7cfbcab73494643efe36c5b6e0fecd87d96d0b88f55397f7984666
SHA512 09d1eb6ccbb3b5dc58261dd0b7b45975aa1220b0a6aaac0314fccebd324b44fff48d6f14639d37a6a4b60d00e18dcd195161b2349824abb74fa34c3671c62cb1

memory/4296-2131-0x00000000003F0000-0x0000000000420000-memory.dmp

memory/4296-2132-0x0000000000B70000-0x0000000000B76000-memory.dmp