Malware Analysis Report

2025-01-23 06:00

Sample ID 241107-erq2ksvgna
Target 9b1bf5607fc5c8e8377d5c02d8510cb1d820798603683e83351186ddba7c67ed
SHA256 9b1bf5607fc5c8e8377d5c02d8510cb1d820798603683e83351186ddba7c67ed
Tags
healer redline disa lada discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

9b1bf5607fc5c8e8377d5c02d8510cb1d820798603683e83351186ddba7c67ed

Threat Level: Known bad

The file 9b1bf5607fc5c8e8377d5c02d8510cb1d820798603683e83351186ddba7c67ed was found to be: Known bad.

Malicious Activity Summary

Redline family

Healer family

Healer

Detects Healer, an antivirus disabler dropper

RedLine payload

RedLine

Modifies Windows Defender Real-time Protection settings

Checks computer location settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Launches sc.exe

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2024-11-07 04:10

Signatures

Unsigned PE

No indicator details recorded for this signature.

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 04:10

Reported

2024-11-07 04:13

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9b1bf5607fc5c8e8377d5c02d8510cb1d820798603683e83351186ddba7c67ed.exe"

Signatures

Detects Healer, an antivirus disabler dropper

No indicator details recorded for this signature (2 hits).

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it145963.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it145963.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it145963.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it145963.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it145963.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it145963.exe N/A

RedLine

infostealer redline

RedLine payload

No indicator details recorded for this signature (5 hits).

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr658108.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it145963.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\9b1bf5607fc5c8e8377d5c02d8510cb1d820798603683e83351186ddba7c67ed.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zien3032.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zido9935.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9b1bf5607fc5c8e8377d5c02d8510cb1d820798603683e83351186ddba7c67ed.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zien3032.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zido9935.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr658108.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp351608.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it145963.exe N/A (2 events)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it145963.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr658108.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2268 wrote to memory of 3224 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\9b1bf5607fc5c8e8377d5c02d8510cb1d820798603683e83351186ddba7c67ed.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zien3032.exe
PID 3224 wrote to memory of 4404 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zien3032.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zido9935.exe
PID 4404 wrote to memory of 4836 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zido9935.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it145963.exe
PID 4404 wrote to memory of 2192 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zido9935.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr658108.exe
PID 2192 wrote to memory of 4760 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr658108.exe C:\Windows\Temp\1.exe
PID 3224 wrote to memory of 2700 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zien3032.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp351608.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9b1bf5607fc5c8e8377d5c02d8510cb1d820798603683e83351186ddba7c67ed.exe

"C:\Users\Admin\AppData\Local\Temp\9b1bf5607fc5c8e8377d5c02d8510cb1d820798603683e83351186ddba7c67ed.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zien3032.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zien3032.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zido9935.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zido9935.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it145963.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it145963.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr658108.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr658108.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp351608.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp351608.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.161.248.90:4125 (no domain; 8 connections) tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
RU 185.161.248.90:4125 (no domain; 4 connections) tcp
US 8.8.8.8:53 (no domain recorded) udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zien3032.exe

MD5 6b4a4cc8b467c46b5c1a41fb2909378f
SHA1 ab4a3ec3eafba38fc52a53a8074491e1293b8fc3
SHA256 0af0effe386b3c8b606efe31a7b1a44db015be197a3804494cf4fcdcaa0468be
SHA512 a303b9364f75128d4564435290983038d27edc478e2ce654a9eff88bfafdd45aff446fcf19e49cce403073aa319e03e10a0c0f361478c08e0fa95bd2eb2d32dd

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zido9935.exe

MD5 657d9da5ffd62c69216ef5121af8fde0
SHA1 c089cd3d31244d40d307153cd27d6cbbf9665494
SHA256 f18ba27487f8c17f3f7a5ce3bdad3dca57b4c9cfb2947e5b4d6ee0c15b52c492
SHA512 7b2425e6d6594258212e7a2a9fe28f3be45d717818dbd8d81707c6a9167e4495103102824681b2e324db4d2fa554c36d670c5f5a71e11a8b7a3c816254aaaed4

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it145963.exe

MD5 f2877240b3dd6bd57d49335879160cae
SHA1 c3b09356f3826971da2e316daa5de909212f0346
SHA256 243d3d6ac12883ab1faa1f4a73aee8eb24499eb523306a1c929aaae041662520
SHA512 07d3038e99bec6a1310f99f38e243efcef8e78eefee3962c08cd59f6cb67ef80b5c5b9c07af76d30d2f71b542339504e5237decec22771af35b860662a302527

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr658108.exe

MD5 2980d76b80d7e1abf6a0a1bbe5371ee3
SHA1 b362468389bfbc76bb87afd016c2de2e583fdae5
SHA256 8ef72057648be6a0e583659a294bac049cd9797ed8c499bf3febc3a9f7a0cd50
SHA512 a7cab189cfbdf62c0738b2227df22da78784de370fa5520b9cf55c058fcabf46e96e655cfa5ff13b9499c140bd1a2bf7ea63ce7d1ba20dc190f416a1aa6e366a

C:\Windows\Temp\1.exe

MD5 03728fed675bcde5256342183b1d6f27
SHA1 d13eace7d3d92f93756504b274777cc269b222a2
SHA256 f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0
SHA512 6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp351608.exe

MD5 0568b4bb59a02a8c451b126b907ee577
SHA1 57a6f17320e728b6c30be5fa16915d2aeb4151e4
SHA256 74a46a9912cc3cdede4f6acdda68913f53c38e9ba2c97a03386a8a92d80027a0
SHA512 60d6aafd5b03d0ae930c6744f5c2b986e20aff57ea4f6cbfdc3eeb7b79ceec7f8c3edfe68b10492917d0cc67c20f92927e40d9854725370f16890c850f6805ac
