Malware Analysis Report

2025-04-03 09:05

Sample ID: 241107-apcnyszpey
Target: f24fd1aa0ef5d941b90d779fb2fde19e3f9893021603df3eb602849ad5810c9b
SHA256: f24fd1aa0ef5d941b90d779fb2fde19e3f9893021603df3eb602849ad5810c9b
Tags: healer redline rodik discovery dropper evasion infostealer persistence trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: f24fd1aa0ef5d941b90d779fb2fde19e3f9893021603df3eb602849ad5810c9b
Threat Level: Known bad

The file f24fd1aa0ef5d941b90d779fb2fde19e3f9893021603df3eb602849ad5810c9b was found to be: Known bad.

Malicious Activity Summary

Tags: healer redline rodik discovery dropper evasion infostealer persistence trojan

Redline family
Healer family
Detects Healer an antivirus disabler dropper
RedLine
RedLine payload
Modifies Windows Defender Real-time Protection settings
Healer
Executes dropped EXE
Windows security modification
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-07 00:22

Signatures

Unsigned PE

Description Indicator Process Target
(1 match; no description, indicator, process or target recorded)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-07 00:22
Reported: 2024-11-07 00:25
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1c544e672b97e1609b2b419b3fff4913fbf8368a937ae31d1dcd74448cc4ef71.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
(2 matches; no description, indicator, process or target recorded)

Healer

Tags: dropper healer

Healer family

Tags: healer

Modifies Windows Defender Real-time Protection settings

Tags: evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iDm49Vi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iDm49Vi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iDm49Vi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iDm49Vi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iDm49Vi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iDm49Vi.exe N/A

RedLine

Tags: infostealer redline

RedLine payload

Description Indicator Process Target
(35 matches; no description, indicator, process or target recorded)

Redline family

Tags: redline

Windows security modification

Tags: evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iDm49Vi.exe N/A

Adds Run key to start application

Tags: persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\" C:\Users\Admin\AppData\Local\Temp\1c544e672b97e1609b2b419b3fff4913fbf8368a937ae31d1dcd74448cc4ef71.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sdA44Bz60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\slF63FV67.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sOu06Dv99.exe N/A

System Location Discovery: System Language Discovery

Tags: discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1c544e672b97e1609b2b419b3fff4913fbf8368a937ae31d1dcd74448cc4ef71.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sdA44Bz60.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\slF63FV67.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sOu06Dv99.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kTq73gj.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iDm49Vi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iDm49Vi.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iDm49Vi.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kTq73gj.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4884 wrote to memory of 2044 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\1c544e672b97e1609b2b419b3fff4913fbf8368a937ae31d1dcd74448cc4ef71.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sdA44Bz60.exe
PID 2044 wrote to memory of 5024 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sdA44Bz60.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\slF63FV67.exe
PID 5024 wrote to memory of 380 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\slF63FV67.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sOu06Dv99.exe
PID 380 wrote to memory of 1360 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sOu06Dv99.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iDm49Vi.exe
PID 380 wrote to memory of 4060 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sOu06Dv99.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kTq73gj.exe

Processes

Process / Command line

C:\Users\Admin\AppData\Local\Temp\1c544e672b97e1609b2b419b3fff4913fbf8368a937ae31d1dcd74448cc4ef71.exe
  "C:\Users\Admin\AppData\Local\Temp\1c544e672b97e1609b2b419b3fff4913fbf8368a937ae31d1dcd74448cc4ef71.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sdA44Bz60.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sdA44Bz60.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\slF63FV67.exe
  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\slF63FV67.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sOu06Dv99.exe
  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sOu06Dv99.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iDm49Vi.exe
  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iDm49Vi.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kTq73gj.exe
  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kTq73gj.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 106.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
RU 193.233.20.23:4124 N/A tcp
RU 193.233.20.23:4124 N/A tcp
US 8.8.8.8:53 73.209.201.84.in-addr.arpa udp
RU 193.233.20.23:4124 N/A tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
RU 193.233.20.23:4124 N/A tcp
RU 193.233.20.23:4124 N/A tcp
US 8.8.8.8:53 174.117.168.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sdA44Bz60.exe

MD5 6460267f9295a18d677fb2f5b558ed7c
SHA1 78eb4c5f1043b3b8eae80fb73d3083c75d09516c
SHA256 ccc74947c79a707e67452eb08f0a567018fc9b72438133808b40b5668e5885a5
SHA512 a877806aa102cff46a3bf0c18a3841f288aa6087d18ed3f03e0306bc9f89b0ea6d644c60f463528c8fef81a22e0dad6300f7db2ab348a151d26745bb024db43d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\slF63FV67.exe

MD5 6e639fb4dd2b20f2b3e46a0d9930fdf6
SHA1 232ced981959a4cfb0d639ff0f94e6ce2c599ca4
SHA256 82e358692e5f29f1fab7f61741eebb77c29134310c06c9b001c72ec58c25c937
SHA512 75dda6cbf4fd73520a5c79fc532c5fa4931d19338c13527b7ab177e16ee682961b806a2e40ce2eb1e72b0276d9f698dc46211734942d4712c9dee2e5deddd9dc

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sOu06Dv99.exe

MD5 122607517a0ee805086508e65ef2c3a7
SHA1 dedacf4c77a5655f0da38f0ca2ffbc9ca1429846
SHA256 7d7ff7365a006eebdab189c3c4d17e67c2080b27f4ba8d6eecb553fbcf27b57b
SHA512 ee02dcf38ee2ed58844e7442bf254838a843a3eeeea7c9dce6b80be464691ae9b59198cd8d0002aa6cd8878bd6ed330010a95ee4093df4ae82f3e29b2a1ec9cf

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iDm49Vi.exe

MD5 2d573d483075cfa25385b0cc73af87bd
SHA1 0c68fc1baa8e2b15c72ed4d4a6e4a6d618318196
SHA256 9b742919671663d980f9471d1f2b2891602d919182ae1909d4f00dba5e0f3ed1
SHA512 158f2b046df4cb29a4d17c4454cf73c4bd12ba5654d4bffe21813abba5b39e3bb12929b9d1bc78dd812c786129b42bbb559f8a19d444266a56be744c0d7bbe58

Memory dumps (PID 1360):
memory/1360-28-0x0000000000A10000-0x0000000000A1A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kTq73gj.exe

MD5 b0b94e2c2b7fcb269bf95b62cc9b065b
SHA1 538d87b1ccae12796ed59ee2b407a5e19fce17ed
SHA256 b99491d4afd199d95ff54c83be16a8e91f7a25299ac3b592e0e563b7798dd578
SHA512 ee8c0a033e9decaae0f9de9e67907feca5de84f3ef300e34e8de8871bf37fe1d21b4e1922c1989cece049e988aa2c1410953a1951277466daf572723e4c42b25

Memory dumps (PID 4060):
memory/4060-34-0x00000000049D0000-0x0000000004A16000-memory.dmp
memory/4060-35-0x0000000007220000-0x00000000077C4000-memory.dmp
memory/4060-36-0x0000000004D70000-0x0000000004DB4000-memory.dmp
memory/4060-37-0x0000000004D70000-0x0000000004DAF000-memory.dmp
memory/4060-38-0x0000000004D70000-0x0000000004DAF000-memory.dmp
memory/4060-40-0x0000000004D70000-0x0000000004DAF000-memory.dmp
memory/4060-42-0x0000000004D70000-0x0000000004DAF000-memory.dmp
memory/4060-44-0x0000000004D70000-0x0000000004DAF000-memory.dmp
memory/4060-46-0x0000000004D70000-0x0000000004DAF000-memory.dmp
memory/4060-48-0x0000000004D70000-0x0000000004DAF000-memory.dmp
memory/4060-50-0x0000000004D70000-0x0000000004DAF000-memory.dmp
memory/4060-52-0x0000000004D70000-0x0000000004DAF000-memory.dmp
memory/4060-54-0x0000000004D70000-0x0000000004DAF000-memory.dmp
memory/4060-56-0x0000000004D70000-0x0000000004DAF000-memory.dmp
memory/4060-58-0x0000000004D70000-0x0000000004DAF000-memory.dmp
memory/4060-60-0x0000000004D70000-0x0000000004DAF000-memory.dmp
memory/4060-62-0x0000000004D70000-0x0000000004DAF000-memory.dmp
memory/4060-64-0x0000000004D70000-0x0000000004DAF000-memory.dmp
memory/4060-66-0x0000000004D70000-0x0000000004DAF000-memory.dmp
memory/4060-68-0x0000000004D70000-0x0000000004DAF000-memory.dmp
memory/4060-70-0x0000000004D70000-0x0000000004DAF000-memory.dmp
memory/4060-72-0x0000000004D70000-0x0000000004DAF000-memory.dmp
memory/4060-74-0x0000000004D70000-0x0000000004DAF000-memory.dmp
memory/4060-76-0x0000000004D70000-0x0000000004DAF000-memory.dmp
memory/4060-78-0x0000000004D70000-0x0000000004DAF000-memory.dmp
memory/4060-80-0x0000000004D70000-0x0000000004DAF000-memory.dmp
memory/4060-82-0x0000000004D70000-0x0000000004DAF000-memory.dmp
memory/4060-84-0x0000000004D70000-0x0000000004DAF000-memory.dmp
memory/4060-86-0x0000000004D70000-0x0000000004DAF000-memory.dmp
memory/4060-88-0x0000000004D70000-0x0000000004DAF000-memory.dmp
memory/4060-90-0x0000000004D70000-0x0000000004DAF000-memory.dmp
memory/4060-92-0x0000000004D70000-0x0000000004DAF000-memory.dmp
memory/4060-94-0x0000000004D70000-0x0000000004DAF000-memory.dmp
memory/4060-96-0x0000000004D70000-0x0000000004DAF000-memory.dmp
memory/4060-98-0x0000000004D70000-0x0000000004DAF000-memory.dmp
memory/4060-100-0x0000000004D70000-0x0000000004DAF000-memory.dmp
memory/4060-943-0x00000000077E0000-0x0000000007DF8000-memory.dmp
memory/4060-944-0x0000000007E80000-0x0000000007F8A000-memory.dmp
memory/4060-945-0x0000000007FC0000-0x0000000007FD2000-memory.dmp
memory/4060-946-0x0000000007FE0000-0x000000000801C000-memory.dmp
memory/4060-948-0x0000000008130000-0x000000000817C000-memory.dmp