Malware Analysis Report

2025-01-23 06:00

Sample ID 241107-cha8na1rhz
Target fcc757033a86379feded38e4afd244634bc1f2076aaa902a1807e0d023fba459
SHA256 fcc757033a86379feded38e4afd244634bc1f2076aaa902a1807e0d023fba459
Tags
healer redline diro lada discovery dropper evasion infostealer persistence trojan
score
10/10


Analysis Overview

score
10/10

SHA256

fcc757033a86379feded38e4afd244634bc1f2076aaa902a1807e0d023fba459

Threat Level: Known bad

The file fcc757033a86379feded38e4afd244634bc1f2076aaa902a1807e0d023fba459 was found to be: Known bad.

Malicious Activity Summary

healer redline diro lada discovery dropper evasion infostealer persistence trojan

RedLine

Redline family

Modifies Windows Defender Real-time Protection settings

RedLine payload

Detects Healer an antivirus disabler dropper

Healer

Healer family

Checks computer location settings

Windows security modification

Executes dropped EXE

Adds Run key to start application

Program crash

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-07 02:04

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 02:04

Reported

2024-11-07 02:06

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fcc757033a86379feded38e4afd244634bc1f2076aaa902a1807e0d023fba459.exe"

Signatures

Detects Healer an antivirus disabler dropper


Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it256579.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it256579.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it256579.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it256579.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it256579.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it256579.exe N/A

RedLine

infostealer redline

RedLine payload


Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr357132.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it256579.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\fcc757033a86379feded38e4afd244634bc1f2076aaa902a1807e0d023fba459.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zijF3565.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziho3441.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp520940.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fcc757033a86379feded38e4afd244634bc1f2076aaa902a1807e0d023fba459.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zijF3565.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziho3441.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr357132.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it256579.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it256579.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr357132.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4692 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\fcc757033a86379feded38e4afd244634bc1f2076aaa902a1807e0d023fba459.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zijF3565.exe
PID 5084 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zijF3565.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziho3441.exe
PID 2276 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziho3441.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it256579.exe
PID 2276 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziho3441.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr357132.exe
PID 1052 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr357132.exe C:\Windows\Temp\1.exe
PID 5084 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zijF3565.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp520940.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fcc757033a86379feded38e4afd244634bc1f2076aaa902a1807e0d023fba459.exe

"C:\Users\Admin\AppData\Local\Temp\fcc757033a86379feded38e4afd244634bc1f2076aaa902a1807e0d023fba459.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zijF3565.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zijF3565.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziho3441.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziho3441.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it256579.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it256579.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr357132.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr357132.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1052 -ip 1052

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 1380

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp520940.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp520940.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.161.248.90:4125 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
RU 185.161.248.90:4125 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
RU 185.161.248.90:4125 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zijF3565.exe

MD5 2f0c3b3cfc1515719af07cf90f4892f2
SHA1 ec355d090cc3a60238bab1fa7c210ded3044315f
SHA256 6de6b8062ec89af8fef628ddd91174e80b3dacbd43cb7180dbdcbc8a7e63e775
SHA512 a8c24c66c632054acce6d04c53682f8365fee57cbbc566294b883499c71fdadaad2d7cae9f1ff8cc64b6183bd18b0ff735d12b189a0c31973d73b30e97525a5f

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziho3441.exe

MD5 ab2b4133f8bdc72165110ec8ecad1316
SHA1 1bc85196c64ce77d4263cdabc5cf9413cb090106
SHA256 d37053abae8150fdf5b71c764b63e6d436ace9c1dd4504df48d74e1ca459008c
SHA512 c4eed5debfb7e1f2399ebfee071528edac247a327815b5158724d739be6f2ea69dca149b55519bc4f89a5a3ed6795daf9281560fff930241253235bf7f289e80

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it256579.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr357132.exe

MD5 2b471f30b694f45aec51cdea2c208f27
SHA1 a96e1653f63afa3d6a9bdfeb81f59e73113702d3
SHA256 95200802f814a58701696eecae05349f90b7c7d1be752073f4c49204c04e2e60
SHA512 235eb8fc430700e81d2cc38676fbb5c5c913897aec53fa6dabfd75414af36b60c628779cee1b1c40c2a77b32d4e6679812a85dda2caca39ee1bedfd6aa1b4d2f

C:\Windows\Temp\1.exe

MD5 03728fed675bcde5256342183b1d6f27
SHA1 d13eace7d3d92f93756504b274777cc269b222a2
SHA256 f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0
SHA512 6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp520940.exe

MD5 aa8bb998c46f60bacf91f98f8d4d7b5c
SHA1 61c7e314d916035128849f85a29b34ac1fb482e0
SHA256 7e0252d52b7ff9e4466411941eb98cc220824be0f2eefdfe38e6b494f1176131
SHA512 3e1e8400351fbeedbb0f07370260dea23782c24924482d33c54f9db9659c858c2ee89f69b9a8256b091efec0ea33b09e408e0d218769ca3e2cbd013dd935dde7
