Malware Analysis Report

2025-04-03 09:05

Sample ID 241107-dw2hfatlc1
Target 53165157615893f959f6ed608a2fe2f8e6b28a166c9bf7af58401dff275a05f3
SHA256 53165157615893f959f6ed608a2fe2f8e6b28a166c9bf7af58401dff275a05f3
Tags
healer redline rodik discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

53165157615893f959f6ed608a2fe2f8e6b28a166c9bf7af58401dff275a05f3

Threat Level: Known bad

The file 53165157615893f959f6ed608a2fe2f8e6b28a166c9bf7af58401dff275a05f3 was found to be: Known bad.

Malicious Activity Summary

healer redline rodik discovery dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

Detects Healer an antivirus disabler dropper

RedLine payload

RedLine

Redline family

Healer

Healer family

Windows security modification

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-07 03:22

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 03:22

Reported

2024-11-07 03:24

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\73ff1293ad80816df1c0c838e593162b0b7561e0939331ce6a86f56dbd50ed7e.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bFM81DT.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bFM81DT.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bFM81DT.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bFM81DT.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bFM81DT.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bFM81DT.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A (35 identical rows; no indicator, process or target details recorded for this signature)

Redline family

redline

Windows security modification

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bFM81DT.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\73ff1293ad80816df1c0c838e593162b0b7561e0939331ce6a86f56dbd50ed7e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nOk14vH.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nkw05Qk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nce65MI.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nbP91uE.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bPA81DV81.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\73ff1293ad80816df1c0c838e593162b0b7561e0939331ce6a86f56dbd50ed7e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nOk14vH.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nkw05Qk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nce65MI.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nbP91uE.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bFM81DT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bFM81DT.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bFM81DT.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bPA81DV81.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2620 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\73ff1293ad80816df1c0c838e593162b0b7561e0939331ce6a86f56dbd50ed7e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nOk14vH.exe
PID 2620 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\73ff1293ad80816df1c0c838e593162b0b7561e0939331ce6a86f56dbd50ed7e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nOk14vH.exe
PID 2620 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\73ff1293ad80816df1c0c838e593162b0b7561e0939331ce6a86f56dbd50ed7e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nOk14vH.exe
PID 1168 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nOk14vH.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nkw05Qk.exe
PID 1168 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nOk14vH.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nkw05Qk.exe
PID 1168 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nOk14vH.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nkw05Qk.exe
PID 3192 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nkw05Qk.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nce65MI.exe
PID 3192 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nkw05Qk.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nce65MI.exe
PID 3192 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nkw05Qk.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nce65MI.exe
PID 3900 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nce65MI.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nbP91uE.exe
PID 3900 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nce65MI.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nbP91uE.exe
PID 3900 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nce65MI.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nbP91uE.exe
PID 4388 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nbP91uE.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bFM81DT.exe
PID 4388 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nbP91uE.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bFM81DT.exe
PID 4388 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nbP91uE.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bPA81DV81.exe
PID 4388 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nbP91uE.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bPA81DV81.exe
PID 4388 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nbP91uE.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bPA81DV81.exe

Processes

C:\Users\Admin\AppData\Local\Temp\73ff1293ad80816df1c0c838e593162b0b7561e0939331ce6a86f56dbd50ed7e.exe

"C:\Users\Admin\AppData\Local\Temp\73ff1293ad80816df1c0c838e593162b0b7561e0939331ce6a86f56dbd50ed7e.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nOk14vH.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nOk14vH.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nkw05Qk.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nkw05Qk.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nce65MI.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nce65MI.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nbP91uE.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nbP91uE.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bFM81DT.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bFM81DT.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bPA81DV81.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bPA81DV81.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.233.20.23:4124 - tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
RU 193.233.20.23:4124 - tcp
RU 193.233.20.23:4124 - tcp
RU 193.233.20.23:4124 - tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
RU 193.233.20.23:4124 - tcp
RU 193.233.20.23:4124 - tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nOk14vH.exe

MD5 537bf12311237f65d2540f3483fa7d7a
SHA1 a25ec1679ca512b6b0a873a56a6f55f9f939314f
SHA256 4a10c62c5b38a8184c7d4ba1abdc3d13a76039377db6c100a4f90ae8fbf71932
SHA512 03ce334796f5ffe3b52670997081f90b5e88e562073df7a8e1222e063c49e3fc4e1b4f2a96a07b9f2b6a3dc41394b29ee2c1e717c509162ee4b66fe123ba74cc

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nkw05Qk.exe

MD5 c64e469f947c797f946d44f6476706ed
SHA1 c7766cc39c079676ac065130d244aa6f37706450
SHA256 df8012e49077ea9e940b190c1f87bbe3f98341ab1854c37dcd4f1807a1105619
SHA512 0b1baa67971c80615527e85f78e858af9940685689430c0b68d04a35ac4c06e62d4304c2ffe764040e8428eb65892e2a9add21512dc93ba39068e8ddd154bb75

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nce65MI.exe

MD5 cdce2abe933b8fa165349679815509b6
SHA1 af6b59895766dd496b795f2e772e7ba54e480c8a
SHA256 eaed1607f414546067dcf75da4fd28a335ae9d28a5be65f61bfdc202e6933d14
SHA512 726808333f0c931badb113365bc9d40c1a571add7df66c94f0f47c831b0c2fe9bd41212e1e69a0c406d9be84654b1ea9a3715a27873a4a90b4cae9330b25c30e

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nbP91uE.exe

MD5 818a1155e4d616c61123c501d827da54
SHA1 0272f91476a0447cb53fafa2562968840b71916d
SHA256 fad794516a42608d52e8414dfddae7d343e3041324b1d1d37e2251d9554f87b6
SHA512 ef3326c8c949e4f08ba5268cdbea7e28a9f9e3b902003c7dd4b591a3a61d534106fc0f63233fa4a30f8b57bd302b175d2f57e001306f0418dab1a96908422584

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bFM81DT.exe

MD5 55824acf42fb4154a328b5480f94240b
SHA1 f01fb86dc0de0c4242a6b97c550785ef65d5cddb
SHA256 696a8dc95be85b1f1cd62a6381bdfc1e1b1d39a165aeb63ed42131e6ff8243fc
SHA512 99c7fa217b10f9cec883752cfe7f482e91e135af5bfcbd4754044054d8516e4e746b1d9874092224aa82f3be7fcf4f2258ae9b82e607d7199e4af1c51b81e787

memory/1700-35-0x00000000005A0000-0x00000000005AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bPA81DV81.exe

MD5 231430e854c098688aa6848702c5018e
SHA1 46a9be0ad282ff66b7de6586c6cf86ff5057651d
SHA256 c2c7ced4db7b7a5eb5960c2d518179b7798494fe893b5bb22c756a811460cdf9
SHA512 202a0ec01cdd18613c8fb423418ec0abf3382f2ea8d957c287324c23d083a7ab61fb5207c0e9c3bfb421a58f821daf81506e2ecb4d08fa2cfa993587e1e44217

memory/4792-41-0x00000000024E0000-0x0000000002526000-memory.dmp

memory/4792-42-0x0000000004D10000-0x00000000052B4000-memory.dmp

memory/4792-43-0x0000000002680000-0x00000000026C4000-memory.dmp

memory/4792-44-0x0000000002680000-0x00000000026BF000-memory.dmp

memory/4792-55-0x0000000002680000-0x00000000026BF000-memory.dmp

memory/4792-107-0x0000000002680000-0x00000000026BF000-memory.dmp

memory/4792-105-0x0000000002680000-0x00000000026BF000-memory.dmp

memory/4792-103-0x0000000002680000-0x00000000026BF000-memory.dmp

memory/4792-101-0x0000000002680000-0x00000000026BF000-memory.dmp

memory/4792-99-0x0000000002680000-0x00000000026BF000-memory.dmp

memory/4792-97-0x0000000002680000-0x00000000026BF000-memory.dmp

memory/4792-95-0x0000000002680000-0x00000000026BF000-memory.dmp

memory/4792-93-0x0000000002680000-0x00000000026BF000-memory.dmp

memory/4792-91-0x0000000002680000-0x00000000026BF000-memory.dmp

memory/4792-87-0x0000000002680000-0x00000000026BF000-memory.dmp

memory/4792-85-0x0000000002680000-0x00000000026BF000-memory.dmp

memory/4792-83-0x0000000002680000-0x00000000026BF000-memory.dmp

memory/4792-82-0x0000000002680000-0x00000000026BF000-memory.dmp

memory/4792-77-0x0000000002680000-0x00000000026BF000-memory.dmp

memory/4792-75-0x0000000002680000-0x00000000026BF000-memory.dmp

memory/4792-73-0x0000000002680000-0x00000000026BF000-memory.dmp

memory/4792-71-0x0000000002680000-0x00000000026BF000-memory.dmp

memory/4792-69-0x0000000002680000-0x00000000026BF000-memory.dmp

memory/4792-67-0x0000000002680000-0x00000000026BF000-memory.dmp

memory/4792-65-0x0000000002680000-0x00000000026BF000-memory.dmp

memory/4792-63-0x0000000002680000-0x00000000026BF000-memory.dmp

memory/4792-61-0x0000000002680000-0x00000000026BF000-memory.dmp

memory/4792-59-0x0000000002680000-0x00000000026BF000-memory.dmp

memory/4792-57-0x0000000002680000-0x00000000026BF000-memory.dmp

memory/4792-53-0x0000000002680000-0x00000000026BF000-memory.dmp

memory/4792-51-0x0000000002680000-0x00000000026BF000-memory.dmp

memory/4792-49-0x0000000002680000-0x00000000026BF000-memory.dmp

memory/4792-47-0x0000000002680000-0x00000000026BF000-memory.dmp

memory/4792-45-0x0000000002680000-0x00000000026BF000-memory.dmp

memory/4792-89-0x0000000002680000-0x00000000026BF000-memory.dmp

memory/4792-79-0x0000000002680000-0x00000000026BF000-memory.dmp

memory/4792-950-0x00000000052C0000-0x00000000058D8000-memory.dmp

memory/4792-951-0x00000000058E0000-0x00000000059EA000-memory.dmp

memory/4792-952-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

memory/4792-953-0x0000000005A30000-0x0000000005A6C000-memory.dmp

memory/4792-954-0x0000000005B70000-0x0000000005BBC000-memory.dmp