Malware Analysis Report

2025-01-23 06:00

Sample ID 241107-ej63tstqe1
Target d9f61f0e80dc8a5f9c1481a6734867cb110c2673b78a7d13f63fd7b35c07bea0
SHA256 d9f61f0e80dc8a5f9c1481a6734867cb110c2673b78a7d13f63fd7b35c07bea0
Tags: healer redline disa lada discovery dropper evasion infostealer persistence trojan
Score: 10/10

Table of Contents

- Analysis Overview
- MITRE ATT&CK
  - Enterprise Matrix V15
- Analysis: static1
  - Detonation Overview
  - Signatures
- Analysis: behavioral1
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files

Analysis Overview

Score: 10/10

SHA256: d9f61f0e80dc8a5f9c1481a6734867cb110c2673b78a7d13f63fd7b35c07bea0

Threat Level: Known bad

The file d9f61f0e80dc8a5f9c1481a6734867cb110c2673b78a7d13f63fd7b35c07bea0 was found to be: Known bad.

Malicious Activity Summary

Healer family

Modifies Windows Defender Real-time Protection settings

Healer

RedLine

Redline family

Detects Healer an antivirus disabler dropper

RedLine payload

Checks computer location settings

Windows security modification

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-07 03:59

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-07 03:59
Reported: 2024-11-07 04:01
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d9f61f0e80dc8a5f9c1481a6734867cb110c2673b78a7d13f63fd7b35c07bea0.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Healer

Tags: dropper healer

Healer family

Tags: healer

Modifies Windows Defender Real-time Protection settings

Tags: evasion trojan

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it286958.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it286958.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it286958.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it286958.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it286958.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it286958.exe | N/A

RedLine

Tags: infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Redline family

Tags: redline

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr038880.exe | N/A

Windows security modification

Tags: evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it286958.exe | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibS3935.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziMj6245.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\d9f61f0e80dc8a5f9c1481a6734867cb110c2673b78a7d13f63fd7b35c07bea0.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp590316.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d9f61f0e80dc8a5f9c1481a6734867cb110c2673b78a7d13f63fd7b35c07bea0.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibS3935.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziMj6245.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr038880.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\1.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it286958.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it286958.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it286958.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr038880.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4076 wrote to memory of 3864 | N/A | C:\Users\Admin\AppData\Local\Temp\d9f61f0e80dc8a5f9c1481a6734867cb110c2673b78a7d13f63fd7b35c07bea0.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibS3935.exe
PID 4076 wrote to memory of 3864 | N/A | C:\Users\Admin\AppData\Local\Temp\d9f61f0e80dc8a5f9c1481a6734867cb110c2673b78a7d13f63fd7b35c07bea0.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibS3935.exe
PID 4076 wrote to memory of 3864 | N/A | C:\Users\Admin\AppData\Local\Temp\d9f61f0e80dc8a5f9c1481a6734867cb110c2673b78a7d13f63fd7b35c07bea0.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibS3935.exe
PID 3864 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibS3935.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziMj6245.exe
PID 3864 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibS3935.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziMj6245.exe
PID 3864 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibS3935.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziMj6245.exe
PID 2884 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziMj6245.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it286958.exe
PID 2884 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziMj6245.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it286958.exe
PID 2884 wrote to memory of 1116 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziMj6245.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr038880.exe
PID 2884 wrote to memory of 1116 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziMj6245.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr038880.exe
PID 2884 wrote to memory of 1116 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziMj6245.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr038880.exe
PID 1116 wrote to memory of 5384 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr038880.exe | C:\Windows\Temp\1.exe
PID 1116 wrote to memory of 5384 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr038880.exe | C:\Windows\Temp\1.exe
PID 1116 wrote to memory of 5384 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr038880.exe | C:\Windows\Temp\1.exe
PID 3864 wrote to memory of 2248 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibS3935.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp590316.exe
PID 3864 wrote to memory of 2248 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibS3935.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp590316.exe
PID 3864 wrote to memory of 2248 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibS3935.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp590316.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d9f61f0e80dc8a5f9c1481a6734867cb110c2673b78a7d13f63fd7b35c07bea0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d9f61f0e80dc8a5f9c1481a6734867cb110c2673b78a7d13f63fd7b35c07bea0.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibS3935.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibS3935.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziMj6245.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziMj6245.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it286958.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it286958.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr038880.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr038880.exe

C:\Windows\Temp\1.exe
  Command line: "C:\Windows\Temp\1.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp590316.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp590316.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
RU | 185.161.248.90:4125 | | tcp
RU | 185.161.248.90:4125 | | tcp
RU | 185.161.248.90:4125 | | tcp
RU | 185.161.248.90:4125 | | tcp
US | 8.8.8.8:53 | 107.209.201.84.in-addr.arpa | udp
RU | 185.161.248.90:4125 | | tcp
RU | 185.161.248.90:4125 | | tcp
RU | 185.161.248.90:4125 | | tcp
RU | 185.161.248.90:4125 | | tcp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
RU | 185.161.248.90:4125 | | tcp
RU | 185.161.248.90:4125 | | tcp
RU | 185.161.248.90:4125 | | tcp
RU | 185.161.248.90:4125 | | tcp
US | 8.8.8.8:53 | | udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibS3935.exe

MD5 79ae5dd82dccde59f8df629c4c679deb
SHA1 984cc968a2b9b6651f31224d01eea10b78c8bcef
SHA256 84895d1b1ef1ec9f6f8e108d64207502b76d22388107be11cf901329f639ef1d
SHA512 fd9ec0989c0fe817505a1c422502e36e73039bc345d01d263c2340e815051ebc559667721aaf32d911f75a7e0ab9a211a63cb3ab23f477938be96e45da0a1302

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziMj6245.exe

MD5 80a83d02b627f0cc971f01f5f8fb3537
SHA1 0fada6a77092fd586d8075fc6ce56fb080effdac
SHA256 3bfbae003e3855608fe5dec6b117eff108ce1d44bdc0cf0e29ad9b66aa2e9bcf
SHA512 8dbdf19ebf6489cf99ed190368d9e05c9e76db10ab07caf78597e3aa10c6441baa5fbe99c2d27e95e43dd93d66aebb9aa4cd3706411e33a78cd2c465781a6fd0

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it286958.exe

MD5 9b43665fa86d1099ea442a2d72f30757
SHA1 b6e5bc76c36b2a90fb5e66e3b37c92381184c7c6
SHA256 99bf34d38b2931df778696c2f6ffe4d9483db530136ab79439fb5d9295c63648
SHA512 4f397667dfd7ab349c9d5a04b947d29cc2eee3e6ba04450b3e70a992d826b1722b5aa371d081db2b0760f7f9a327036577a21ea31e783e92284f4da59c6812f3

memory/1160-22-0x0000000000BE0000-0x0000000000BEA000-memory.dmp

memory/1160-21-0x00007FFD64923000-0x00007FFD64925000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr038880.exe

MD5 1c6383d9183c7cc21cb7faee31aae0bb
SHA1 7576e283433896733fa78b77170da9129647eca7
SHA256 33313578eec22c0ba22abcc2673aeb7edefa0c11660cdb53a21b63572634e21d
SHA512 57830d144d358332873306f0ad26ee2502563c7e1f4190b932f19d0ad471e8b3ab2027fd035e7083dfcfef1412d7920270a72170587f05879042b5d7daf19f2f

memory/1116-28-0x0000000004EB0000-0x0000000004F18000-memory.dmp

memory/1116-29-0x0000000004F30000-0x00000000054D4000-memory.dmp

memory/1116-30-0x0000000005520000-0x0000000005586000-memory.dmp

memory/1116-90-0x0000000005520000-0x0000000005580000-memory.dmp

memory/1116-78-0x0000000005520000-0x0000000005580000-memory.dmp

memory/1116-58-0x0000000005520000-0x0000000005580000-memory.dmp

memory/1116-48-0x0000000005520000-0x0000000005580000-memory.dmp

memory/1116-46-0x0000000005520000-0x0000000005580000-memory.dmp

memory/1116-44-0x0000000005520000-0x0000000005580000-memory.dmp

memory/1116-42-0x0000000005520000-0x0000000005580000-memory.dmp

memory/1116-40-0x0000000005520000-0x0000000005580000-memory.dmp

memory/1116-38-0x0000000005520000-0x0000000005580000-memory.dmp

memory/1116-36-0x0000000005520000-0x0000000005580000-memory.dmp

memory/1116-34-0x0000000005520000-0x0000000005580000-memory.dmp

memory/1116-32-0x0000000005520000-0x0000000005580000-memory.dmp

memory/1116-31-0x0000000005520000-0x0000000005580000-memory.dmp

memory/1116-94-0x0000000005520000-0x0000000005580000-memory.dmp

memory/1116-92-0x0000000005520000-0x0000000005580000-memory.dmp

memory/1116-88-0x0000000005520000-0x0000000005580000-memory.dmp

memory/1116-86-0x0000000005520000-0x0000000005580000-memory.dmp

memory/1116-84-0x0000000005520000-0x0000000005580000-memory.dmp

memory/1116-82-0x0000000005520000-0x0000000005580000-memory.dmp

memory/1116-80-0x0000000005520000-0x0000000005580000-memory.dmp

memory/1116-76-0x0000000005520000-0x0000000005580000-memory.dmp

memory/1116-74-0x0000000005520000-0x0000000005580000-memory.dmp

memory/1116-72-0x0000000005520000-0x0000000005580000-memory.dmp

memory/1116-71-0x0000000005520000-0x0000000005580000-memory.dmp

memory/1116-68-0x0000000005520000-0x0000000005580000-memory.dmp

memory/1116-66-0x0000000005520000-0x0000000005580000-memory.dmp

memory/1116-64-0x0000000005520000-0x0000000005580000-memory.dmp

memory/1116-62-0x0000000005520000-0x0000000005580000-memory.dmp

memory/1116-60-0x0000000005520000-0x0000000005580000-memory.dmp

memory/1116-56-0x0000000005520000-0x0000000005580000-memory.dmp

memory/1116-55-0x0000000005520000-0x0000000005580000-memory.dmp

memory/1116-52-0x0000000005520000-0x0000000005580000-memory.dmp

memory/1116-50-0x0000000005520000-0x0000000005580000-memory.dmp

memory/1116-2173-0x0000000005760000-0x0000000005792000-memory.dmp

C:\Windows\Temp\1.exe

MD5 03728fed675bcde5256342183b1d6f27
SHA1 d13eace7d3d92f93756504b274777cc269b222a2
SHA256 f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0
SHA512 6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

memory/5384-2187-0x0000000000320000-0x000000000034E000-memory.dmp

memory/5384-2188-0x0000000004C40000-0x0000000004C46000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp590316.exe

MD5 f0a769f50b612023a4abc6031dcc1e4d
SHA1 9383515026c8b4f60e22b742374225f4b7642436
SHA256 c8628f6b24334d2a3a75b74037c98d39935c13eacaadf4c082316a55bc2bedcb
SHA512 d94e09197619fd44f54b0e762aaf5c280b1da8f0f56cb8fb70cf79684af34040be8d18a618c8a4605285da0f3417534928ac7f26c17d8fb52cc68276a912fdfb

memory/2248-2192-0x00000000009B0000-0x00000000009E0000-memory.dmp

memory/2248-2193-0x00000000010F0000-0x00000000010F6000-memory.dmp

memory/5384-2194-0x0000000005280000-0x0000000005898000-memory.dmp

memory/5384-2195-0x0000000004D70000-0x0000000004E7A000-memory.dmp

memory/2248-2196-0x0000000005320000-0x0000000005332000-memory.dmp

memory/2248-2197-0x0000000005390000-0x00000000053CC000-memory.dmp

memory/2248-2198-0x00000000053E0000-0x000000000542C000-memory.dmp