Malware Analysis Report

2025-01-23 07:04

Sample ID 241107-bgap3a1kd1
Target 815a52842ea4bda83535188bfdd4555fc5838c6534158251d2aa9983fc11666f
SHA256 815a52842ea4bda83535188bfdd4555fc5838c6534158251d2aa9983fc11666f
Tags
healer redline dozt norm discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

815a52842ea4bda83535188bfdd4555fc5838c6534158251d2aa9983fc11666f

Threat Level: Known bad

The file 815a52842ea4bda83535188bfdd4555fc5838c6534158251d2aa9983fc11666f was found to be: Known bad.

Malicious Activity Summary

healer redline dozt norm discovery dropper evasion infostealer persistence trojan

Redline family

Detects Healer an antivirus disabler dropper

RedLine payload

Healer

Healer family

Modifies Windows Defender Real-time Protection settings

RedLine

Windows security modification

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Program crash

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-07 01:06

Signatures

Unsigned PE

Description | Indicator | Process | Target
(1 match, all fields N/A: the static pass records the rule hit without indicator detail)

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 01:06

Reported

2024-11-07 01:09

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\815a52842ea4bda83535188bfdd4555fc5838c6534158251d2aa9983fc11666f.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
(2 matches, all fields N/A: rule hits recorded without indicator detail)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr803370.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr803370.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr803370.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr803370.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr803370.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr803370.exe | N/A

All five values are written under the Policies hive (the Group Policy path, HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection), not under Defender's own configuration key. Setting each to 1 is the registry form of the "Turn off real-time protection" family of policy settings. The sandbox records the write attempts, not their effect: Tamper Protection is designed to block exactly these changes, which is why the same process also tries to switch Tamper Protection off (see "Windows security modification" below).

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
(5 matches, all fields N/A: rule hits recorded without indicator detail)

Redline family

redline

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku065908.exe | N/A

Geo\Nation holds the user's configured country code; reading it is a common geofencing check in this family. The report records only the query, not the value returned or whether execution branched on it.

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr803370.exe | N/A

Features\TamperProtection is the switch that Tamper Protection guards; writing 0 to it is an attempt to remove the protection that would otherwise neutralize the Real-Time Protection policy writes above. As with those writes, the report records the attempt, not whether it succeeded.
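The two registry tables above (the Real-Time Protection policy values and the TamperProtection feature switch) are the kind of thing to alert on from endpoint telemetry rather than wait for a sandbox verdict. The following is an added example, not part of the sandbox report or of any vendor tooling: a small detector over Sysmon-style Event ID 13 (RegistryEvent: Value Set) records. The records are constructed by hand to mirror the report's rows, using Sysmon's field names (EventType, TargetObject, Details, Image) and its HKLM\ path form instead of the report's \REGISTRY\MACHINE\ form; the gpupdate.exe control row and the Example key are invented for contrast.

```python
"""Detect Defender-disabling registry writes in Sysmon-style registry events.

Added example; the event records below are constructed to mirror the rows in
the sandbox report and are not captured logs.
"""
import re

# Values under the Defender Real-Time Protection policy key that turn a
# protection off when set to 1 (all five appear in the report), and the
# Tamper Protection feature switch that turns tamper protection off at 0.
RTP_POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
RTP_DISABLE_VALUES = {
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableRealtimeMonitoring",
    "DisableScanOnRealtimeEnable",
}
TAMPER_KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features"
TAMPER_VALUE = "TamperProtection"

# Sysmon renders DWORD data as e.g. 'DWORD (0x00000001)'.
_DWORD = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")


def _dword(details):
    m = _DWORD.fullmatch(details.strip())
    return int(m.group(1), 16) if m else None


def _split(target):
    # 'HKLM\...\Key\Value' -> ('HKLM\...\Key', 'Value')
    key, _, value = target.rpartition("\\")
    return key, value


def defender_tamper_findings(events):
    """Return one (image, value_name, data) finding per event that weakens
    Defender. Only SetValue events count: creating the policy key alone (also
    in the report) proves nothing by itself."""
    findings = []
    for ev in events:
        if ev.get("EventType") != "SetValue":
            continue
        key, name = _split(ev["TargetObject"])
        data = _dword(ev.get("Details", ""))
        if key.lower() == RTP_POLICY_KEY.lower() and name in RTP_DISABLE_VALUES and data == 1:
            findings.append((ev["Image"], name, 1))
        elif key.lower() == TAMPER_KEY.lower() and name == TAMPER_VALUE and data == 0:
            findings.append((ev["Image"], name, 0))
    return findings


def summarize(findings):
    """Group findings by image, so one process disabling several protections
    surfaces as a single alert listing everything it turned off."""
    by_image = {}
    for image, name, _ in findings:
        by_image.setdefault(image, []).append(name)
    return {img: sorted(names) for img, names in by_image.items()}


# Constructed events. The first rows mirror the report (jr803370.exe creates
# the policy key, sets the five Disable* values to 1, sets TamperProtection
# to 0). The last two are benign controls: a policy value set back to 0 by a
# hypothetical gpupdate.exe, and a write to an unrelated (invented) key.
JR = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr803370.exe"
SAMPLE_EVENTS = [
    {"EventType": "CreateKey", "TargetObject": RTP_POLICY_KEY, "Image": JR},
] + [
    {"EventType": "SetValue", "TargetObject": RTP_POLICY_KEY + "\\" + v,
     "Details": "DWORD (0x00000001)", "Image": JR}
    for v in sorted(RTP_DISABLE_VALUES)
] + [
    {"EventType": "SetValue", "TargetObject": TAMPER_KEY + "\\" + TAMPER_VALUE,
     "Details": "DWORD (0x00000000)", "Image": JR},
    {"EventType": "SetValue", "TargetObject": RTP_POLICY_KEY + "\\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000000)", "Image": r"C:\Windows\System32\gpupdate.exe"},
    {"EventType": "SetValue", "TargetObject": r"HKLM\SOFTWARE\Example\Setting",
     "Details": "DWORD (0x00000001)", "Image": JR},
]

if __name__ == "__main__":
    for image, names in summarize(defender_tamper_findings(SAMPLE_EVENTS)).items():
        print(image, "->", ", ".join(names))
```

The detector keys on the policy path specifically: legitimate administration of these settings goes through Defender's own configuration, and an unsigned binary in a user's Temp directory writing the Group Policy path is a strong signal on its own, before the TamperProtection write is even considered.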

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\815a52842ea4bda83535188bfdd4555fc5838c6534158251d2aa9983fc11666f.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidu3478.exe | N/A

These are not the payload's persistence. A RunOnce value named wextract_cleanupN whose data calls advpack.dll,DelNodeRunDLL32 on an IXP00N.TMP directory is the standard cleanup hook written by the Windows self-extracting cabinet stub (wextract, as produced by IExpress): it runs once at the next logon, deletes the extraction directory, and removes itself. Two such values from two different writers show that the sample is packed as two nested self-extractors: the top-level executable unpacks into IXP000.TMP (dropping zidu3478.exe and lr764423.exe), and zidu3478.exe unpacks into IXP001.TMP (dropping jr803370.exe and ku065908.exe). The WOW6432Node path also confirms the stub is 32-bit.

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\1.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr764423.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\815a52842ea4bda83535188bfdd4555fc5838c6534158251d2aa9983fc11666f.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidu3478.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku065908.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr803370.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr803370.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr803370.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku065908.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 636 wrote to memory of 4936 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\815a52842ea4bda83535188bfdd4555fc5838c6534158251d2aa9983fc11666f.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidu3478.exe
PID 4936 wrote to memory of 2916 (2 events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidu3478.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr803370.exe
PID 4936 wrote to memory of 544 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidu3478.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku065908.exe
PID 544 wrote to memory of 5684 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku065908.exe | C:\Windows\Temp\1.exe
PID 636 wrote to memory of 1520 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\815a52842ea4bda83535188bfdd4555fc5838c6534158251d2aa9983fc11666f.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr764423.exe

Every writer/target pair here is a parent and a child it had just dropped and launched, and each pair shows only two or three writes. That pattern is consistent with CreateProcess itself, which copies the new process's parameters into the child's address space from the parent; it is not evidence of injection into an unrelated process, and no write into a process the sample did not create appears in the log. Read as a tree, the rows give the drop chain: the top-level sample (636) starts zidu3478.exe (4936) and lr764423.exe (1520); zidu3478.exe starts jr803370.exe (2916, the Defender-disabling Healer component) and ku065908.exe (544); ku065908.exe starts C:\Windows\Temp\1.exe (5684).
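Reconstructing that tree by hand is fine for five rows; for a report with hundreds it is worth scripting. The following is an added example (not part of the sandbox report) that serves both the "Adds Run key to start application" table and the WriteProcessMemory table above: it transcribes the report's rows into constructed Python lists, recovers each self-extractor's staging directory from its wextract_cleanup RunOnce data, builds the parent/child tree with write counts per pair, and flags pairs with more writes than process creation alone explains. The threshold of three writes is an assumption chosen to match this report, not a documented constant.

```python
"""Rebuild the drop chain from WriteProcessMemory rows and wextract_cleanup
RunOnce values.  Added example; rows are transcribed from the report into
constructed lists (the report gives no timestamps beyond table order).
"""
import re
from collections import Counter, defaultdict

ROOT = r"C:\Users\Admin\AppData\Local\Temp\815a52842ea4bda83535188bfdd4555fc5838c6534158251d2aa9983fc11666f.exe"
IXP0 = r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP"
IXP1 = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP"

# (writer PID, target PID, writer image, target image), one tuple per row.
WPM_ROWS = (
    [(636, 4936, ROOT, IXP0 + r"\zidu3478.exe")] * 3
    + [(4936, 2916, IXP0 + r"\zidu3478.exe", IXP1 + r"\jr803370.exe")] * 2
    + [(4936, 544, IXP0 + r"\zidu3478.exe", IXP1 + r"\ku065908.exe")] * 3
    + [(544, 5684, IXP1 + r"\ku065908.exe", r"C:\Windows\Temp\1.exe")] * 3
    + [(636, 1520, ROOT, IXP0 + r"\lr764423.exe")] * 3
)

# (writer image, RunOnce data) as the registry actually holds it; the report
# prints the same strings with escaped backslashes and quotes.
RUNONCE_ROWS = [
    (ROOT, r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'),
    (IXP0 + r"\zidu3478.exe", r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"'),
]

_CLEANUP = re.compile(r'advpack\.dll,DelNodeRunDLL32\s+"([^"]+?)\\?"', re.IGNORECASE)


def staging_dir(runonce_data):
    """Directory a wextract_cleanup RunOnce value will delete, or None."""
    m = _CLEANUP.search(runonce_data)
    return m.group(1) if m else None


def unpack_layers(runonce_rows):
    """Map each self-extractor image to the directory it unpacked into."""
    layers = {}
    for image, data in runonce_rows:
        d = staging_dir(data)
        if d:
            layers[image] = d
    return layers


def build_tree(rows):
    """Parent->children (first-seen order), write count per pair, PID->image."""
    children = defaultdict(list)
    writes = Counter()
    images = {}
    for wpid, tpid, wimg, timg in rows:
        images[wpid], images[tpid] = wimg, timg
        if tpid not in children[wpid]:
            children[wpid].append(tpid)
        writes[(wpid, tpid)] += 1
    return children, writes, images


def injection_suspects(writes, max_writes=3):
    """Pairs with more writes than process creation explains (assumed
    threshold); empty for this report."""
    return [pair for pair, n in writes.items() if n > max_writes]


def render(root_pid, children, writes, images, layers, depth=0):
    """Indented drop chain; self-extractor stages are tagged with the
    directory they unpack into."""
    img = images[root_pid]
    tag = f"  [unpacks to {layers[img]}]" if img in layers else ""
    lines = ["  " * depth + f"{root_pid} {img}{tag}"]
    for child in children.get(root_pid, []):
        lines.append("  " * (depth + 1) + f"({writes[(root_pid, child)]} writes into {child})")
        lines.extend(render(child, children, writes, images, layers, depth + 1))
    return lines


if __name__ == "__main__":
    ch, wr, im = build_tree(WPM_ROWS)
    print("\n".join(render(636, ch, wr, im, unpack_layers(RUNONCE_ROWS))))
    print("injection suspects:", injection_suspects(wr))
```

Tagging nodes with their staging directory makes the packer layering visible directly in the tree: a node that both unpacks into an IXP directory and has children living in that directory is a self-extractor stage, and the leaf nodes (jr803370.exe, ku065908.exe, lr764423.exe, 1.exe) are the actual payload components.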

Processes

C:\Users\Admin\AppData\Local\Temp\815a52842ea4bda83535188bfdd4555fc5838c6534158251d2aa9983fc11666f.exe

"C:\Users\Admin\AppData\Local\Temp\815a52842ea4bda83535188bfdd4555fc5838c6534158251d2aa9983fc11666f.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidu3478.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidu3478.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr803370.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr803370.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku065908.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku065908.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 544 -ip 544

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 1504

(Both WerFault instances name PID 544, ku065908.exe: this is the "Program crash" entry in the activity summary. The crash happened after ku065908.exe had already started C:\Windows\Temp\1.exe.)

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr764423.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr764423.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
FI | 77.91.124.145:4125 | (none) | tcp
FI | 77.91.124.145:4125 | (none) | tcp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
FI | 77.91.124.145:4125 | (none) | tcp
FI | 77.91.124.145:4125 | (none) | tcp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
FI | 77.91.124.145:4125 | (none) | tcp
FI | 77.91.124.145:4125 | (none) | tcp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
FI | 77.91.124.145:4125 | (none) | tcp
FI | 77.91.124.145:4125 | (none) | tcp
FI | 77.91.124.145:4125 | (none) | tcp
FI | 77.91.124.145:4125 | (none) | tcp
FI | 77.91.124.145:4125 | (none) | tcp
FI | 77.91.124.145:4125 | (none) | tcp

The in-addr.arpa rows are reverse-DNS lookups sent to 8.8.8.8; the names decode to 52.167.17.97, 2.18.190.77, 40.126.31.69, 192.229.221.95, 52.191.219.104, 199.232.214.172 and 52.111.227.14, none of which is otherwise contacted in the capture, so they are best treated as sandbox and OS background rather than sample activity. The only direct connection is to 77.91.124.145 on TCP port 4125, attempted 12 times over the run; the report records no payload for it. Given the RedLine payload matches, that endpoint is the candidate C2 and the indicator worth pivoting on, with the port worth noting because it falls outside anything a proxy or web filter would see.
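Separating background DNS noise from the one real endpoint is a routine step when turning a sandbox network table into indicators. The following is an added example, not part of the sandbox report: it transcribes the table into a constructed list in the report's own order, decodes the PTR names back to IP addresses, tallies direct connections per endpoint, and pulls out endpoints on ports outside the usual web/DNS set. The list of "common" ports is an assumption for the example.

```python
"""Triage a sandbox Network table: decode reverse lookups, tally endpoints.

Added example; NETWORK_ROWS is transcribed from the report into a constructed
list of (country, destination, domain, proto) tuples in table order.
"""
import ipaddress
from collections import Counter

NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "97.17.167.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "77.190.18.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "69.31.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("FI", "77.91.124.145:4125", "", "tcp"),
    ("FI", "77.91.124.145:4125", "", "tcp"),
    ("US", "8.8.8.8:53", "104.219.191.52.in-addr.arpa", "udp"),
    ("FI", "77.91.124.145:4125", "", "tcp"),
    ("FI", "77.91.124.145:4125", "", "tcp"),
    ("US", "8.8.8.8:53", "172.214.232.199.in-addr.arpa", "udp"),
    ("FI", "77.91.124.145:4125", "", "tcp"),
    ("FI", "77.91.124.145:4125", "", "tcp"),
    ("US", "8.8.8.8:53", "14.227.111.52.in-addr.arpa", "udp"),
] + [("FI", "77.91.124.145:4125", "", "tcp")] * 6


def ptr_to_ip(name):
    """'97.17.167.52.in-addr.arpa' -> '52.167.17.97'; None if not a PTR name.

    PTR names carry the octets in reverse order; ipaddress validates that
    the reversed result really is a dotted-quad IPv4 address."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def triage(rows):
    """Split rows into decoded reverse lookups and a tally of direct
    connections per (country, destination, proto). Plain DNS rows that are
    not PTR lookups are dropped as resolver chatter."""
    reverse = []
    endpoints = Counter()
    for country, dest, domain, proto in rows:
        ip = ptr_to_ip(domain) if domain else None
        if ip:
            reverse.append(ip)
        elif not (proto == "udp" and dest.endswith(":53")):
            endpoints[(country, dest, proto)] += 1
    return reverse, endpoints


def nonstandard_ports(endpoints, common=(53, 80, 443)):
    """Endpoints on ports outside the assumed common set, as
    (host, port, proto, connection count); C2 on a bare TCP port lands here."""
    out = []
    for (country, dest, proto), n in endpoints.items():
        host, _, port = dest.rpartition(":")
        if int(port) not in common:
            out.append((host, int(port), proto, n))
    return out


if __name__ == "__main__":
    reverse, endpoints = triage(NETWORK_ROWS)
    print("reverse lookups for:", ", ".join(reverse))
    for host, port, proto, n in nonstandard_ports(endpoints):
        print(f"{host}:{port}/{proto} x{n}")
```

A useful follow-up check that the code makes explicit: none of the decoded PTR addresses appears as a destination anywhere in the table, which is what justifies treating those lookups as noise rather than as the sample resolving its own infrastructure.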

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidu3478.exe

MD5 ac583e394d181425fd2266e6c1796578
SHA1 d8dbebd8e6ccc11bf746d93b8daac8a5497f933d
SHA256 134ff000f678e47c0bccdc36670cc57f31e11d898965c84d9c972613699c953c
SHA512 c145407f17ffb795829ed5955abcdbd6179f2a52d724b91afeafd504b11bfd360462002ea40e42207f2d8bedbff0cfea5daa90b16e02a5bac8428487cdb586c6

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr803370.exe

MD5 086bcb0c49192e6fd2202ef413dae698
SHA1 8017dad4f0788f2f637786c7258438e12e930c9f
SHA256 73af6bff1bc5973672e50a5d98231f399384fb083384cdfa1ea2799321b72515
SHA512 e8f345620e2feda80f39c3aad355cca98ee21e867a81dce95fe95abf002a3a2db9e4b593e4c89c6cccfd7c354b85fd95d4edcef95a8bf7af8dae0dbd5023b8ac

memory/2916-14-0x00007FF9E7FE3000-0x00007FF9E7FE5000-memory.dmp

memory/2916-15-0x0000000000320000-0x000000000032A000-memory.dmp

memory/2916-16-0x00007FF9E7FE3000-0x00007FF9E7FE5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku065908.exe

MD5 b145aa794ba6e742eabfa1c53f5c7cba
SHA1 dcda199246dedf156e2008fcd218124b8b85e434
SHA256 0fc2316addc08895e4c56a7cb57941339c9c91e16b96eacb5620dd544cfdb512
SHA512 ec42e638722e2e9e53522c700841861e89411f6ec3d304c828cedba1fcfa930e05f057ad5a214ba94a6adeacf73da954a715c5407efacc75d1c05e1e7a1d2077

memory/544-22-0x0000000002510000-0x0000000002576000-memory.dmp

memory/544-23-0x0000000004CC0000-0x0000000005264000-memory.dmp

memory/544-24-0x0000000002590000-0x00000000025F6000-memory.dmp

memory/544-N-0x0000000002590000-0x00000000025EF000-memory.dmp, 33 snapshots of the same region, for N = 25, 26, 28, 30, 32, 34, 36, 38, 41, 42, 44, 46, 48, 51, 52, 54, 56, 58, 60, 62, 64, 66, 68, 70, 72, 74, 76, 78, 80, 82, 84, 86, 88

memory/544-2105-0x0000000005400000-0x0000000005432000-memory.dmp

C:\Windows\Temp\1.exe

MD5 1073b2e7f778788852d3f7bb79929882
SHA1 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256 c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA512 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

memory/5684-2118-0x0000000000B40000-0x0000000000B70000-memory.dmp

memory/5684-2119-0x00000000014D0000-0x00000000014D6000-memory.dmp

memory/5684-2120-0x0000000005AB0000-0x00000000060C8000-memory.dmp

memory/5684-2121-0x00000000055A0000-0x00000000056AA000-memory.dmp

memory/5684-2122-0x00000000054C0000-0x00000000054D2000-memory.dmp

memory/5684-2123-0x0000000005520000-0x000000000555C000-memory.dmp

memory/5684-2124-0x00000000056B0000-0x00000000056FC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr764423.exe

MD5 0e2e03f913722193a4e324cf172c079c
SHA1 caa729946146a3a97cfe09f64e1496d928a85c4d
SHA256 74d52e17e634b5d111afd9f25c4843477796856ea6263d15016977e27f4a221f
SHA512 3513cf0d80c18226e63642bd0fd6a59305719053d085875f4b7b5fee493230c10980adcb2960279a4697ca9bd6cf74fcef2a761a6e61a2951aad70e4865fa6dd

memory/1520-2129-0x0000000000530000-0x0000000000560000-memory.dmp

memory/1520-2130-0x0000000002740000-0x0000000002746000-memory.dmp