Malware Analysis Report

2025-01-23 06:00

Sample ID 241107-c2f81stfqq
Target ee14b6fb8112e867a5b075077fa5455d6443318605f9cd8c2fcb8807ec28cf69
SHA256 ee14b6fb8112e867a5b075077fa5455d6443318605f9cd8c2fcb8807ec28cf69
Tags
healer redline disa lada discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

ee14b6fb8112e867a5b075077fa5455d6443318605f9cd8c2fcb8807ec28cf69

Threat Level: Known bad

The file ee14b6fb8112e867a5b075077fa5455d6443318605f9cd8c2fcb8807ec28cf69 was found to be: Known bad.

Malicious Activity Summary

healer redline disa lada discovery dropper evasion infostealer persistence trojan

RedLine

Healer

Healer family

Modifies Windows Defender Real-time Protection settings

Detects Healer an antivirus disabler dropper

RedLine payload

Redline family

Checks computer location settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-11-07 02:34

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 02:34

Reported

2024-11-07 02:36

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ee14b6fb8112e867a5b075077fa5455d6443318605f9cd8c2fcb8807ec28cf69.exe"

Signatures

Detects Healer an antivirus disabler dropper


Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it488814.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it488814.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it488814.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it488814.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it488814.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it488814.exe N/A

RedLine

infostealer redline

RedLine payload


Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr109715.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it488814.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\ee14b6fb8112e867a5b075077fa5455d6443318605f9cd8c2fcb8807ec28cf69.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipD4508.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziEL4033.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ee14b6fb8112e867a5b075077fa5455d6443318605f9cd8c2fcb8807ec28cf69.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipD4508.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziEL4033.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr109715.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp190198.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it488814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it488814.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it488814.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr109715.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1872 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\ee14b6fb8112e867a5b075077fa5455d6443318605f9cd8c2fcb8807ec28cf69.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipD4508.exe
PID 1872 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\ee14b6fb8112e867a5b075077fa5455d6443318605f9cd8c2fcb8807ec28cf69.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipD4508.exe
PID 1872 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\ee14b6fb8112e867a5b075077fa5455d6443318605f9cd8c2fcb8807ec28cf69.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipD4508.exe
PID 3276 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipD4508.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziEL4033.exe
PID 3276 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipD4508.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziEL4033.exe
PID 3276 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipD4508.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziEL4033.exe
PID 3184 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziEL4033.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it488814.exe
PID 3184 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziEL4033.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it488814.exe
PID 3184 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziEL4033.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr109715.exe
PID 3184 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziEL4033.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr109715.exe
PID 3184 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziEL4033.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr109715.exe
PID 1144 wrote to memory of 5452 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr109715.exe C:\Windows\Temp\1.exe
PID 1144 wrote to memory of 5452 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr109715.exe C:\Windows\Temp\1.exe
PID 1144 wrote to memory of 5452 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr109715.exe C:\Windows\Temp\1.exe
PID 3276 wrote to memory of 5512 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipD4508.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp190198.exe
PID 3276 wrote to memory of 5512 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipD4508.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp190198.exe
PID 3276 wrote to memory of 5512 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipD4508.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp190198.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ee14b6fb8112e867a5b075077fa5455d6443318605f9cd8c2fcb8807ec28cf69.exe

"C:\Users\Admin\AppData\Local\Temp\ee14b6fb8112e867a5b075077fa5455d6443318605f9cd8c2fcb8807ec28cf69.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipD4508.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipD4508.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziEL4033.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziEL4033.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it488814.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it488814.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr109715.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr109715.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp190198.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp190198.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipD4508.exe

MD5 8e553773aa18e58e87ab5599223d22eb
SHA1 15a9dbec5f96a0ae27c2bfa06ac303e496c3124d
SHA256 0d52c22c3d8cee989c38fdefd93a66fdfaeff249e2074254ef3944de1bd29020
SHA512 6ba6914fdf64ff414f1cf5b2e2707875e1655d1d70db004a60e965a33d6476bd813760c71408b61cace7f79dc3b8cd1065cf658957d505b9af972d448888a81b

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziEL4033.exe

MD5 2134c6b814b039e9b0149274a873de82
SHA1 1d9847f5516d14a12d846700ed434c4fb3daec40
SHA256 d0c8f298046e595d87008916c226201f6b4d9e8f6d03c6bf6b4fd18b9a346ebc
SHA512 cc20f440d6e6710b5e32d0b34e77d5b0eabbfcb22661a0f8cd6eb0eed741bc49bd9beb9c0b93ffbbb0cb8dbcf8ae2df242a701813fc2ebdd91d9d77251260027

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it488814.exe

MD5 d6a68f1f4d9196c62a22c45bfcd81d1f
SHA1 c50e566d21576d0c2c3f24b4bcc41e4cf5337fec
SHA256 f2618bcf4048c4546f76f805f2c7c8da49b37038eaec6514125a63783dac432e
SHA512 3ab6fea14a937eed4b8ad0111635ded2a039be2b0575eb9167c74d9d74cc2cddc101e63deab1ae85cd3eb8796c893ee422e444f9b5e4e48f1107a864d5ebb13b

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr109715.exe

MD5 ee8fff59c990bb7b24622197661a272d
SHA1 40d1b8fea7ecfcfc99cf344d7366c5652ec6fcfa
SHA256 4117daa21221afaccc409f06d776d06417e705edbd8a4821b819ba872ac994da
SHA512 e29cdafd9b2531ab4aec3d81245be46e394a0763b20f33ae8c053724ee9969ac932f7afd79589c4029afc9bd2bfe1d3b1abea2f319470db2ddb3cadc4bc255b2

C:\Windows\Temp\1.exe

MD5 03728fed675bcde5256342183b1d6f27
SHA1 d13eace7d3d92f93756504b274777cc269b222a2
SHA256 f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0
SHA512 6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp190198.exe

MD5 e8a42884bd8abe9d58e9489fffefd238
SHA1 a319bf07f298587ed16d26304d98472898abb7c0
SHA256 a51a490c6f4f6a63f30f1bb921db5a1f16040810d4be9eb0c65317b870293cfe
SHA512 7a64af47af2bdc20576ae259d50d0e22ebba4a867e323d5aa677a03a26cb006a6f2e0204bb12eee70653ea7563b752e6a3ff8a4a67dce368c91fe1b63e09fe88