Malware Analysis Report

2025-01-23 06:42

Sample ID 241107-d3jafaxjfq
Target 93dee9c0304fb5f8ca00227b7463ceb2123a1a2d6b3cb0cfe4c999ceec5f6c09
SHA256 93dee9c0304fb5f8ca00227b7463ceb2123a1a2d6b3cb0cfe4c999ceec5f6c09
Tags healer redline dozt norm discovery dropper evasion infostealer persistence trojan
Score 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 93dee9c0304fb5f8ca00227b7463ceb2123a1a2d6b3cb0cfe4c999ceec5f6c09

Threat Level: Known bad. The file 93dee9c0304fb5f8ca00227b7463ceb2123a1a2d6b3cb0cfe4c999ceec5f6c09 was classified as known bad.

Malicious Activity Summary

Tags healer redline dozt norm discovery dropper evasion infostealer persistence trojan

Family detections
  Healer (antivirus disabler dropper): Detects Healer, an antivirus disabler dropper; Healer; Healer family
  RedLine (infostealer): RedLine; Redline family; RedLine payload

Behavioral signatures
  Modifies Windows Defender Real-time Protection settings
  Windows security modification
  Executes dropped EXE
  Checks computer location settings
  Adds Run key to start application
  Launches sc.exe
  System Location Discovery: System Language Discovery
  Enumerates physical storage devices
  Unsigned PE
  Program crash
  Suspicious use of WriteProcessMemory
  Suspicious use of AdjustPrivilegeToken
  Suspicious behavior: EnumeratesProcesses

Execution chain recorded in behavioral1: the sample is a self-extracting wrapper that unpacks into IXP000.TMP and drops zipw4396.exe and lr816904.exe. zipw4396.exe is a second wrapper (IXP001.TMP) that drops jr984812.exe, the component that writes the Defender kill-switch registry values, and ku336199.exe, which writes and launches C:\Windows\Temp\1.exe and later crashes (WerFault -p 816). The RunOnce entries listed under "Adds Run key" are the wrappers' own directory-cleanup commands, not persistence for any payload.

MITRE ATT&CK

Enterprise Matrix V15. Techniques reflected directly in the behavioral signatures below: T1562.001 Impair Defenses: Disable or Modify Tools (Defender Real-Time Protection policy values and Features\TamperProtection), T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (RunOnce values, see the caveat under that signature), T1614.001 System Location Discovery: System Language Discovery (NLS\Language and Geo\Nation reads).

Analysis: static1

Detonation Overview

Reported 2024-11-07 03:31

Signatures

Unsigned PE
  1 hit; no indicator, process or target details recorded.

Analysis: behavioral1

Detonation Overview

Submitted 2024-11-07 03:31
Reported 2024-11-07 03:34
Platform win10v2004-20241007-en
Max time kernel 149s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\93dee9c0304fb5f8ca00227b7463ceb2123a1a2d6b3cb0cfe4c999ceec5f6c09.exe"

Signatures

Detects Healer, an antivirus disabler dropper
  2 hits; no indicator, process or target details recorded.

Healer
  Tags: dropper healer

Healer family
  Tags: healer

Modifies Windows Defender Real-time Protection settings
Tags: evasion trojan

All six events come from C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr984812.exe (Target: N/A):

Description | Indicator
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"

These are the Defender group-policy values (HKLM\SOFTWARE\Policies\...), which take precedence over the user-facing settings once Defender re-reads policy; DisableRealtimeMonitoring = 1 on its own switches real-time scanning off. On a host with Tamper Protection enabled Defender does not honour such writes, which is why the same process also attacks the TamperProtection value (see "Windows security modification"). The writes are a high-confidence detection signal either way.

RedLine
  Tags: infostealer redline

RedLine payload
  5 hits; no indicator, process or target details recorded.

Redline family
  Tags: redline

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku336199.exe | N/A

Geo\Nation holds the user's configured country as a GeoID; reading it before the next stage starts is the usual way a loader decides whether to continue on a machine in a region its operator excludes.

Windows security modification
Tags: evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr984812.exe | N/A

Writing 0 to Features\TamperProtection is an attempt to switch Tamper Protection off so that the Real-Time Protection policy values above take effect. Where Tamper Protection is enforced the Defender service protects this value and the change does not stick; the attempt itself is the behaviour the Healer signature describes.
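Detection logic for the registry writes in the two tables above (the Real-Time Protection policy values and Features\TamperProtection), written as an added example; it is not part of the sandbox report or of any Triage signature. The log lines are constructed to mirror the six value-set events recorded for jr984812.exe plus two benign events, in an assumed flat "Field: value | Field: value" rendering of Sysmon's registry value-set event; the field layout and the benign images are assumptions.

```python
"""Flag Defender kill-switch registry writes in flat "value set" log lines.

Added example, not part of the sandbox report. LOG_LINES are constructed: they
mirror the six value-set events the report records for jr984812.exe, plus two
benign events, in an assumed "Field: value | ..." layout.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

POLICY_RTP = r"software\policies\microsoft\windows defender\real-time protection"
FEATURES = r"software\microsoft\windows defender\features"

# (key path without hive, value name) -> the data that disables the protection (T1562.001).
KILL_SWITCHES = {
    (POLICY_RTP, "disablerealtimemonitoring"): 1,
    (POLICY_RTP, "disablebehaviormonitoring"): 1,
    (POLICY_RTP, "disableioavprotection"): 1,
    (POLICY_RTP, "disableonaccessprotection"): 1,
    (POLICY_RTP, "disablescanonrealtimeenable"): 1,
    (FEATURES, "tamperprotection"): 0,
}

# Both the kernel-style and the Sysmon-style spelling of the HKLM hive are accepted.
HIVE_PREFIXES = ("\\registry\\machine\\", "hklm\\", "hkey_local_machine\\")
DWORD_RE = re.compile(r"DWORD \(0x([0-9a-f]{8})\)", re.IGNORECASE)

JR = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr984812.exe"
RTP = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"


def _event(image: str, target: str, details: str) -> str:
    """Constructed log line in the assumed flat layout."""
    return f"EventType: SetValue | Image: {image} | TargetObject: {target} | Details: {details}"


LOG_LINES = [
    _event(JR, RTP + r"\DisableScanOnRealtimeEnable", "DWORD (0x00000001)"),
    _event(JR, RTP + r"\DisableBehaviorMonitoring", "DWORD (0x00000001)"),
    _event(JR, RTP + r"\DisableIOAVProtection", "DWORD (0x00000001)"),
    _event(JR, RTP + r"\DisableOnAccessProtection", "DWORD (0x00000001)"),
    _event(JR, RTP + r"\DisableRealtimeMonitoring", "DWORD (0x00000001)"),
    _event(JR, r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection",
           "DWORD (0x00000000)"),
    # Benign (constructed): a policy refresh setting the value back to 0, and an unrelated Run value.
    _event(r"C:\Windows\System32\svchost.exe", RTP + r"\DisableRealtimeMonitoring", "DWORD (0x00000000)"),
    _event(r"C:\Program Files\Example\setup.exe",
           r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Example", r"C:\Program Files\Example\app.exe"),
]


@dataclass(frozen=True)
class Finding:
    image: str
    value_name: str
    data: int
    technique: str = "T1562.001"


def parse_event(line: str) -> dict[str, str] | None:
    """Split 'Key: value | Key: value' into a dict; only SetValue events with the needed fields count."""
    fields: dict[str, str] = {}
    for part in line.split(" | "):
        key, sep, value = part.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    if fields.get("EventType") != "SetValue":
        return None
    return fields if all(k in fields for k in ("Image", "TargetObject", "Details")) else None


def split_target(target: str) -> tuple[str, str]:
    """Lower-case, drop the hive prefix, return (key path, value name)."""
    t = target.strip().lower()
    for prefix in HIVE_PREFIXES:
        if t.startswith(prefix):
            t = t[len(prefix):]
            break
    key, _, name = t.rpartition("\\")
    return key, name


def dword(details: str) -> int | None:
    m = DWORD_RE.search(details)
    return int(m.group(1), 16) if m else None


def detect(lines: list[str]) -> list[Finding]:
    """One Finding per write that sets a Defender kill switch to its disabling value."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        key, name = split_target(ev["TargetObject"])
        expected = KILL_SWITCHES.get((key, name))
        if expected is not None and dword(ev["Details"]) == expected:
            findings.append(Finding(ev["Image"], name, expected))
    return findings


def by_image(findings: list[Finding]) -> dict[str, list[str]]:
    """Group flagged value names by writing image, which is what an alert should show."""
    out: dict[str, list[str]] = {}
    for f in findings:
        out.setdefault(f.image, []).append(f.value_name)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for image, names in by_image(detect(LOG_LINES)).items():
        print(image, "->", ", ".join(names))
```

The rule keys on the disabling data value, not merely on the value name, so a policy refresh that writes DisableRealtimeMonitoring = 0 is not flagged; matching on the name alone is the usual source of noise for this detection.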

Adds Run key to start application
Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\93dee9c0304fb5f8ca00227b7463ceb2123a1a2d6b3cb0cfe4c999ceec5f6c09.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipw4396.exe | N/A

Caveat: wextract_cleanup<n> RunOnce values are written by the Windows self-extracting (IExpress/wextract) wrapper so that advpack.dll's DelNodeRunDLL32 removes the IXP00n.TMP extraction directory at the next logon. They run rundll32 once to delete a directory and do not restart any dropped executable. No Run or RunOnce entry pointing at 1.exe, jr984812.exe, ku336199.exe or lr816904.exe was recorded, so the "persistence" tag reflects the wrapper's cleanup, not payload persistence. The two entries do confirm that both the sample and zipw4396.exe are wextract packages.

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\sc.exe | N/A

The command line recorded in the Processes section is "sc.exe start wuauserv" (starts the Windows Update service); the report does not record which process launched it.

Enumerates physical storage devices
  No indicator, process or target details recorded.

System Location Discovery: System Language Discovery
Tags: discovery

All five events open \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Target: N/A):

Description | Process
Key opened | C:\Users\Admin\AppData\Local\Temp\93dee9c0304fb5f8ca00227b7463ceb2123a1a2d6b3cb0cfe4c999ceec5f6c09.exe
Key opened | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipw4396.exe
Key opened | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku336199.exe
Key opened | C:\Windows\Temp\1.exe
Key opened | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr816904.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr984812.exe | N/A  (2 hits)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr984812.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku336199.exe | N/A

jr984812.exe both enables SeDebugPrivilege and walks the process list, the preparation a process needs before opening security software's processes; ku336199.exe, the parent of 1.exe, enables the same privilege.

Suspicious use of WriteProcessMemory

Description | Process | Target | Rows
PID 4780 wrote to memory of 5036 | C:\Users\Admin\AppData\Local\Temp\93dee9c0304fb5f8ca00227b7463ceb2123a1a2d6b3cb0cfe4c999ceec5f6c09.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipw4396.exe | 3
PID 5036 wrote to memory of 4312 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipw4396.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr984812.exe | 2
PID 5036 wrote to memory of 816 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipw4396.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku336199.exe | 3
PID 816 wrote to memory of 2252 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku336199.exe | C:\Windows\Temp\1.exe | 3
PID 4780 wrote to memory of 1436 | C:\Users\Admin\AppData\Local\Temp\93dee9c0304fb5f8ca00227b7463ceb2123a1a2d6b3cb0cfe4c999ceec5f6c09.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr816904.exe | 3

The Indicator column is N/A on every row. Each target is written to by exactly one process, the one that dropped it, and a handful of writes per pair is what a parent writing start-up data into a child it has just created looks like; nothing here points at injection into an unrelated process. The rows are also the only record of parent/child relations in the report and are used to build the tree in the Processes section.

Processes

Tree reconstructed from the WriteProcessMemory rows (parent above child, PIDs from those rows); WerFault.exe and sc.exe have no recorded parent and are listed afterwards.

PID 4780  C:\Users\Admin\AppData\Local\Temp\93dee9c0304fb5f8ca00227b7463ceb2123a1a2d6b3cb0cfe4c999ceec5f6c09.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\93dee9c0304fb5f8ca00227b7463ceb2123a1a2d6b3cb0cfe4c999ceec5f6c09.exe"
  PID 5036  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipw4396.exe
            cmd: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipw4396.exe
    PID 4312  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr984812.exe
              cmd: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr984812.exe
    PID 816   C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku336199.exe  (crashed; see WerFault below)
              cmd: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku336199.exe
      PID 2252  C:\Windows\Temp\1.exe
                cmd: "C:\Windows\Temp\1.exe"
  PID 1436  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr816904.exe
            cmd: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr816904.exe

C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 816 -ip 816
C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 1336
C:\Windows\system32\sc.exe
  cmd: C:\Windows\system32\sc.exe start wuauserv

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp
FI | 77.91.124.145:4125 | (none) | tcp  (12 connections in total, interleaved with the lookups below)
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | (none) | udp

The only non-DNS traffic is the repeated TCP connection to 77.91.124.145:4125 (FI), with no preceding name resolution; a hard-coded IP:port over raw TCP is how RedLine reaches its C2, so this endpoint is the network IOC to block. The UDP rows are reverse (PTR) lookups of public addresses through 8.8.8.8 and are not attributable to the sample from this table alone.
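Splitting the Network table into direct endpoints and DNS background, as an added example that is not part of the report. NETWORK_ROWS is a copy of the table's rows (country, destination, domain, protocol; the last row has no domain); the classification rule, anything that is not a UDP query to a :53 resolver counts as a direct endpoint, and the PTR-name-to-IP conversion are the example's own.

```python
"""Split the report's Network table into C2 candidates and DNS background noise.

Added example, not part of the sandbox report. NETWORK_ROWS copies the table
(country, destination, domain, proto); the domain column is empty on the last row.
"""
from __future__ import annotations

import re
from collections import Counter

NETWORK_ROWS = """\
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 udp
"""

PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$")


def parse_rows(text: str) -> list[dict[str, str]]:
    """Whitespace-separated rows; a three-token row is one with an empty Domain column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            continue
        rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name: str) -> str | None:
    """'97.17.167.52.in-addr.arpa' -> '52.167.17.97' (labels are the address reversed)."""
    m = PTR_RE.match(name)
    return ".".join(reversed(m.groups())) if m else None


def is_dns(row: dict[str, str]) -> bool:
    return row["proto"] == "udp" and row["dest"].endswith(":53")


def summarize(rows: list[dict[str, str]]) -> dict:
    """Direct endpoints with connection counts, the addresses that were reverse-looked-up,
    the resolvers used, and the number of DNS rows."""
    direct = Counter((r["dest"], r["proto"], r["country"]) for r in rows if not is_dns(r))
    ptr_targets = [ip for r in rows if is_dns(r) and (ip := ptr_to_ip(r["domain"]))]
    resolvers = sorted({r["dest"] for r in rows if is_dns(r)})
    return {
        "direct": direct,
        "ptr_targets": ptr_targets,
        "resolvers": resolvers,
        "dns_queries": sum(is_dns(r) for r in rows),
    }


def c2_candidates(rows: list[dict[str, str]]) -> list[str]:
    """Non-DNS endpoints, busiest first: the IOCs to block."""
    direct = summarize(rows)["direct"]
    return [f"{dest}/{proto}" for (dest, proto, _), _ in direct.most_common()]


if __name__ == "__main__":
    s = summarize(parse_rows(NETWORK_ROWS))
    print("C2 candidates:", c2_candidates(parse_rows(NETWORK_ROWS)))
    print("PTR lookups for:", s["ptr_targets"])
```

The PTR conversion matters when the table is the only network evidence: the in-addr.arpa names tell you which addresses the guest looked up, and converting them back lets you check each against the direct-connection list (none of the seven looked-up addresses is 77.91.124.145, so the C2 connection was made without any DNS involvement).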

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipw4396.exe (PID 5036)
  MD5    da15ac6357a4e28e748edf3361423ebf
  SHA1   bd2525148674166b32c696bd8b0daa51790f93a2
  SHA256 da9c168806fc1d959305acaf999d605a563866f35402a7a00a25bfb1303970d1
  SHA512 e6895978e47cf39409dae03b6f1863da78b71be39faf87559505a1aa1f2c1d0b596e27a2ef32be2e64a6058214d1ae6376501a86317362c9dafbe3b924626c73

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr984812.exe (PID 4312)
  MD5    2465b39ddcc6775a44ffc283b87efbfc
  SHA1   eb3fbff40ac2dec0a5694762bb55abb0628d9738
  SHA256 8ae301290074c5dc766abbd0767cfc3a4e88b5aca9a635c2ad5e2ea5b01f79c6
  SHA512 e33a5d4203461889074717989c904a1f267358819cd62b42d5d3210325456f5928475eced5005c007a26d99f31069f5db9bf20309192336f3fe2ec1350c88eb3
  Memory dumps
    memory/4312-14-0x00007FFF47CF3000-0x00007FFF47CF5000-memory.dmp
    memory/4312-15-0x00000000001A0000-0x00000000001AA000-memory.dmp
    memory/4312-16-0x00007FFF47CF3000-0x00007FFF47CF5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku336199.exe (PID 816)
  MD5    5a37beb14d4d44925ee5bc48d3d3a003
  SHA1   ef91df53a46c220584e573795e51c088e7a4cf5d
  SHA256 2479ba1424bd1cca4d7462ab7cacfb9f8f1118390f3e74c44ce6a0fd1a6acac0
  SHA512 d84d52f0c2665148c55414f6ed42e740f07fbe080ee9ce4a35f1937850e8f92a3ae81d74d6cb676040bb062e569bafb62c009c88a1438aa71487b27eb91de8ae
  Memory dumps
    memory/816-22-0x0000000004BD0000-0x0000000004C36000-memory.dmp
    memory/816-23-0x0000000004DB0000-0x0000000005354000-memory.dmp
    memory/816-24-0x0000000004C40000-0x0000000004CA6000-memory.dmp
    memory/816-<n>-0x0000000004C40000-0x0000000004C9F000-memory.dmp for n = 25, 26, 28, 30, 32, 34, 36, 38, 40, 42, 44, 46, 48, 50, 52, 54, 56, 58, 60, 63, 64, 66, 68, 70, 72, 74, 76, 78, 80, 82, 84, 86, 88 (the same 0x5F000-byte region, captured 33 times during the run)
    memory/816-2105-0x0000000005540000-0x0000000005572000-memory.dmp

C:\Windows\Temp\1.exe (PID 2252)
  MD5    1073b2e7f778788852d3f7bb79929882
  SHA1   7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
  SHA256 c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
  SHA512 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0
  Memory dumps
    memory/2252-2118-0x00000000008E0000-0x0000000000910000-memory.dmp
    memory/2252-2119-0x0000000002BC0000-0x0000000002BC6000-memory.dmp
    memory/2252-2120-0x000000000ACB0000-0x000000000B2C8000-memory.dmp
    memory/2252-2121-0x000000000A7A0000-0x000000000A8AA000-memory.dmp
    memory/2252-2122-0x000000000A690000-0x000000000A6A2000-memory.dmp
    memory/2252-2123-0x000000000A6B0000-0x000000000A6EC000-memory.dmp
    memory/2252-2124-0x0000000004C90000-0x0000000004CDC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr816904.exe (PID 1436)
  MD5    1a712b7c565bb6395421b1c4b7393cd6
  SHA1   f40e437f768426581f7bded8d5bf515bbc2f77e1
  SHA256 b0a8cb3f070c42db4eefbc70d5f197cb99ffe9e5622d6933983d4d7e2abcd146
  SHA512 e48c6b451a3d27646fdf59fe8f3ac857d0497c62d56af46e1a10e1c21df4022f85cfb423f9fb3d46559ea97939d342085b422e7cb9413822ef5c112b4f46f6ea
  Memory dumps
    memory/1436-2129-0x0000000000880000-0x00000000008B0000-memory.dmp
    memory/1436-2130-0x0000000000F40000-0x0000000000F46000-memory.dmp