Malware Analysis Report

2025-01-23 05:59

Sample ID 241107-lzrreazfna
Target a68b7f83e6c169fb4bb006f3bc7d0e95926002e36633937c8366bba36dd0b488
SHA256 a68b7f83e6c169fb4bb006f3bc7d0e95926002e36633937c8366bba36dd0b488
Tags
healer redline disa lada discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a68b7f83e6c169fb4bb006f3bc7d0e95926002e36633937c8366bba36dd0b488

Threat Level: Known bad

The file a68b7f83e6c169fb4bb006f3bc7d0e95926002e36633937c8366bba36dd0b488 was found to be: Known bad.

Malicious Activity Summary

healer redline disa lada discovery dropper evasion infostealer persistence trojan

Detects Healer an antivirus disabler dropper

Healer family

RedLine payload

Modifies Windows Defender Real-time Protection settings

RedLine

Healer

Redline family

Windows security modification

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-07 09:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 09:58

Reported

2024-11-07 10:01

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a68b7f83e6c169fb4bb006f3bc7d0e95926002e36633937c8366bba36dd0b488.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
(17 rule matches; the sandbox recorded no indicator, process or target for this signature)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr507719.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr507719.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr507719.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr507719.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr507719.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr507719.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(5 rule matches; the sandbox recorded no indicator, process or target for this signature)

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu680302.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr507719.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr507719.exe N/A
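Detection logic for the two Defender-tampering signatures above (the Real-Time Protection policy values set to 1 and Features\TamperProtection set to 0), as an added example that is not part of the sandbox report: it runs a watchlist over Sysmon Event ID 13 (RegistryEvent, value set) records. The events are constructed to mirror the rows in this report, with pr507719.exe as the writer, plus two constructed benign events; the event dictionaries, watchlist and function names are this example's own.

```python
import re
from collections import defaultdict

# Registry values that, at the listed setting, switch off a Windows Defender protection.
# Paths are stored normalised: lower-case, no hive prefix, WOW6432Node redirection removed.
_RTP = r"software\policies\microsoft\windows defender\real-time protection"
DEFENDER_TAMPER_WATCHLIST = {
    _RTP + r"\disablebehaviormonitoring": 1,
    _RTP + r"\disableioavprotection": 1,
    _RTP + r"\disableonaccessprotection": 1,
    _RTP + r"\disablerealtimemonitoring": 1,
    _RTP + r"\disablescanonrealtimeenable": 1,
    r"software\policies\microsoft\windows defender\disableantispyware": 1,
    r"software\microsoft\windows defender\features\tamperprotection": 0,
}

_HIVE_PREFIXES = ("\\registry\\machine\\", "hkey_local_machine\\", "hklm\\")
_DWORD_RE = re.compile(r"dword\s*\((0x[0-9a-f]+|\d+)\)", re.I)


def normalise_key(path):
    """Lower-case a registry path, drop the HKLM hive prefix and the WOW6432Node redirection."""
    p = path.strip().lower()
    for prefix in _HIVE_PREFIXES:
        if p.startswith(prefix):
            p = p[len(prefix):]
            break
    return p.replace("\\wow6432node\\", "\\")


def parse_dword(details):
    """Sysmon renders DWORD writes as 'DWORD (0x00000001)'; a bare integer is accepted too."""
    m = _DWORD_RE.search(details or "")
    if m:
        return int(m.group(1), 0)
    try:
        return int((details or "").strip(), 0)
    except ValueError:
        return None


def find_defender_tampering(events):
    """One finding per Sysmon Event 13 whose normalised path and written value are on the watchlist."""
    findings = []
    for ev in events:
        if ev.get("event_id") != 13:
            continue
        key = normalise_key(ev["target"])
        wanted = DEFENDER_TAMPER_WATCHLIST.get(key)
        if wanted is None:
            continue
        if parse_dword(ev.get("details")) == wanted:
            findings.append({"image": ev["image"], "value_name": key.rsplit("\\", 1)[1], "value": wanted})
    return findings


def processes_neutering_defender(findings, min_values=2):
    """Group findings by the writing process; several values from one process is the Healer pattern."""
    per_image = defaultdict(list)
    for f in findings:
        per_image[f["image"]].append(f["value_name"])
    return {img: names for img, names in per_image.items() if len(names) >= min_values}


def _ev(image, target, details, event_id=13):
    return {"event_id": event_id, "image": image, "target": target, "details": details}


PR = r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr507719.exe"
RTP = r"HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
# Constructed Sysmon-style events modelled on the registry rows in this report, plus benign noise.
SAMPLE_EVENTS = [
    _ev(PR, RTP, "", event_id=12),  # Event 12 = key created; not a value write, so ignored
    _ev(PR, RTP + r"\DisableBehaviorMonitoring", "DWORD (0x00000001)"),
    _ev(PR, RTP + r"\DisableIOAVProtection", "DWORD (0x00000001)"),
    _ev(PR, RTP + r"\DisableOnAccessProtection", "DWORD (0x00000001)"),
    _ev(PR, RTP + r"\DisableRealtimeMonitoring", "DWORD (0x00000001)"),
    _ev(PR, RTP + r"\DisableScanOnRealtimeEnable", "DWORD (0x00000001)"),
    _ev(PR, r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection", "DWORD (0x00000000)"),
    # constructed benign events: real-time monitoring being re-enabled, and an unrelated Explorer setting
    _ev(r"C:\Windows\System32\svchost.exe",
        r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
        "DWORD (0x00000000)"),
    _ev(r"C:\Windows\explorer.exe",
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden", "DWORD (0x00000001)"),
]

if __name__ == "__main__":
    hits = find_defender_tampering(SAMPLE_EVENTS)
    for image, names in processes_neutering_defender(hits).items():
        print(f"{image}: {len(names)} Defender settings disabled: {', '.join(names)}")
```

A matching event is evidence of the attempt, not proof that protection was lost: with Tamper Protection enabled, Defender blocks or ignores these registry and policy changes, so confirm the live state on the host with Get-MpComputerStatus (RealTimeProtectionEnabled, IsTamperProtected) before closing the alert either way.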

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\a68b7f83e6c169fb4bb006f3bc7d0e95926002e36633937c8366bba36dd0b488.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un071867.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un654041.exe N/A
Note: the wextract_cleanup0..2 values are written by the Windows self-extractor stub (wextract, as built by IExpress) that each of the three outer stages is packaged with: at next logon, rundll32 calls advpack.dll DelNodeRunDLL32 to delete the IXP000.TMP, IXP001.TMP and IXP002.TMP extraction directories. They are RunOnce cleanup entries for the nested SFX stages, not a Run value that relaunches the payload, so this hit reflects anti-forensic cleanup rather than persistence of the stealer.

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a68b7f83e6c169fb4bb006f3bc7d0e95926002e36633937c8366bba36dd0b488.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un071867.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un654041.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr507719.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu680302.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk535127.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr507719.exe N/A (2 events)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr507719.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu680302.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1996 wrote to memory of 1048 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\a68b7f83e6c169fb4bb006f3bc7d0e95926002e36633937c8366bba36dd0b488.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un071867.exe
PID 1048 wrote to memory of 1656 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un071867.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un654041.exe
PID 1656 wrote to memory of 4408 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un654041.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr507719.exe
PID 1656 wrote to memory of 1544 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un654041.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu680302.exe
PID 1544 wrote to memory of 3196 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu680302.exe C:\Windows\Temp\1.exe
PID 1048 wrote to memory of 3592 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un071867.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk535127.exe
Each pair matches a spawn in the Processes section: the parent writes into the child it has just created, not into an unrelated process.
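The rows above are the parent/child relationships of the whole drop chain, so they can be turned into a process tree. As an added example (not the sandbox's own code), the following parses the rows as printed, deduplicates the repeated writes, and reports each executable's nesting depth from its IXP000.TMP/IXP001.TMP/IXP002.TMP directory, the sequentially numbered temp folders the wextract self-extractor creates. The embedded rows are copied from the report; the function names are this example's own.

```python
import re
from collections import Counter, defaultdict

# The "Suspicious use of WriteProcessMemory" rows copied from this report (the sandbox emits one row
# per write, so every parent/child pair appears three times).
WPM_ROWS = r"""
PID 1996 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\a68b7f83e6c169fb4bb006f3bc7d0e95926002e36633937c8366bba36dd0b488.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un071867.exe
PID 1996 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\a68b7f83e6c169fb4bb006f3bc7d0e95926002e36633937c8366bba36dd0b488.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un071867.exe
PID 1996 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\a68b7f83e6c169fb4bb006f3bc7d0e95926002e36633937c8366bba36dd0b488.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un071867.exe
PID 1048 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un071867.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un654041.exe
PID 1048 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un071867.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un654041.exe
PID 1048 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un071867.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un654041.exe
PID 1656 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un654041.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr507719.exe
PID 1656 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un654041.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr507719.exe
PID 1656 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un654041.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr507719.exe
PID 1656 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un654041.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu680302.exe
PID 1656 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un654041.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu680302.exe
PID 1656 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un654041.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu680302.exe
PID 1544 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu680302.exe C:\Windows\Temp\1.exe
PID 1544 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu680302.exe C:\Windows\Temp\1.exe
PID 1544 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu680302.exe C:\Windows\Temp\1.exe
PID 1048 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un071867.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk535127.exe
PID 1048 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un071867.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk535127.exe
PID 1048 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un071867.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk535127.exe
"""

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)\s+\S+\s+(\S+)\s+(\S+)$")
IXP_RE = re.compile(r"\\IXP(\d{3})\.TMP\\", re.I)


def parse_rows(text):
    """Map (parent_pid, child_pid) -> (parent_image, child_image), plus how many rows each pair had."""
    edges, counts = {}, Counter()
    for line in text.splitlines():
        m = ROW_RE.search(line.strip())
        if not m:
            continue
        pair = (int(m.group(1)), int(m.group(2)))
        edges[pair] = (m.group(3), m.group(4))
        counts[pair] += 1
    return edges, counts


def build_tree(edges):
    """Children lists, pid -> image path, and the root pids (writers that were never written to)."""
    children, image = defaultdict(list), {}
    for (parent, child), (parent_img, child_img) in edges.items():
        children[parent].append(child)
        image.setdefault(parent, parent_img)
        image[child] = child_img
    written_to = {child for _, child in edges}
    roots = [pid for pid in image if pid not in written_to]
    return children, image, roots


def extraction_depth(path):
    """Nesting level of the wextract temp dir in a path: IXP000.TMP=1, IXP001.TMP=2, ...; 0 if none."""
    m = IXP_RE.search(path)
    return int(m.group(1)) + 1 if m else 0


def render(children, image, pid, depth=0):
    """Indented one-line-per-process view of the tree below pid."""
    lines = [f"{'    ' * depth}[{pid}] {image[pid]}  (sfx depth {extraction_depth(image[pid])})"]
    for child in children.get(pid, []):
        lines.extend(render(children, image, child, depth + 1))
    return lines


def leaf_chains(children, image, pid, prefix=()):
    """Every root-to-leaf chain as a tuple of image basenames."""
    chain = prefix + (image[pid].rsplit("\\", 1)[-1],)
    if not children.get(pid):
        return [chain]
    out = []
    for child in children[pid]:
        out.extend(leaf_chains(children, image, child, chain))
    return out


if __name__ == "__main__":
    edges, counts = parse_rows(WPM_ROWS)
    children, image, roots = build_tree(edges)
    for root in roots:
        print("\n".join(render(children, image, root)))
    for chain in leaf_chains(children, image, roots[0]):
        print(" -> ".join(chain))
```

The tree that falls out is three nested SFX stages (a68b7f83...exe, un071867.exe, un654041.exe), then two parallel children of the innermost stage: pr507719.exe, the process that disables Defender, and qu680302.exe, which writes and launches C:\Windows\Temp\1.exe outside any extraction directory; the outermost stage also launches rk535127.exe. WerFault in the Processes section shows that PIDs 4408 and 1544, the two parallel children, both crashed.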

Processes

C:\Users\Admin\AppData\Local\Temp\a68b7f83e6c169fb4bb006f3bc7d0e95926002e36633937c8366bba36dd0b488.exe

"C:\Users\Admin\AppData\Local\Temp\a68b7f83e6c169fb4bb006f3bc7d0e95926002e36633937c8366bba36dd0b488.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un071867.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un071867.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un654041.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un654041.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr507719.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr507719.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4408 -ip 4408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 1068

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu680302.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu680302.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1544 -ip 1544

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 1508

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk535127.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk535127.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
RU 185.161.248.90:4125 - tcp (12 connections in total, interleaved with the PTR lookups above)
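Working the network table into indicators, as an added example that is not taken from the report: it parses the rows as the sandbox prints them (the TCP rows carry no Domain column), turns each in-addr.arpa query back into the IPv4 address that was being looked up, counts sessions per endpoint, and flags endpoints contacted repeatedly within the 149 s network window. The embedded rows are copied from the report; the session threshold, output format and function names are this example's choices.

```python
from collections import Counter

# Network table copied from the report above (the sandbox's own rows; TCP rows have no Domain column).
NETWORK_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
"""

_PTR_SUFFIX = ".in-addr.arpa"


def parse_row(line):
    """One table row -> dict, or None for the header and anything that is not a row."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = None
    else:
        return None
    host, _, port = dest.rpartition(":")
    if not port.isdigit():
        return None
    return {"country": country, "host": host, "port": int(port),
            "domain": None if domain in (None, "-", "N/A") else domain, "proto": proto.lower()}


def ptr_to_ip(name):
    """'154.239.44.20.in-addr.arpa' -> '20.44.239.154'; None if not a valid IPv4 PTR name."""
    if not name or not name.lower().endswith(_PTR_SUFFIX):
        return None
    octets = name[:-len(_PTR_SUFFIX)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def summarise(text):
    rows = [r for r in map(parse_row, text.splitlines()) if r]
    tcp = Counter((r["host"], r["port"]) for r in rows if r["proto"] == "tcp")
    queries = [r["domain"] for r in rows if r["proto"] == "udp" and r["port"] == 53 and r["domain"]]
    ptr_targets = [ip for ip in map(ptr_to_ip, queries) if ip]
    return {"tcp": tcp, "dns_queries": queries, "ptr_targets": ptr_targets}


def beacon_candidates(summary, min_sessions=5):
    """Endpoints contacted repeatedly within one short detonation: the first thing to block and hunt for."""
    return [endpoint for endpoint, n in summary["tcp"].most_common() if n >= min_sessions]


def ioc_lines(summary):
    """MISP-style attribute lines; PTR targets are listed separately because they were only looked up."""
    out = [f"ip-dst|port {host}|{port}" for host, port in sorted(summary["tcp"])]
    out += [f"ip-dst {ip}" for ip in summary["ptr_targets"]]
    return out


if __name__ == "__main__":
    s = summarise(NETWORK_ROWS)
    print("beacon candidates:", beacon_candidates(s))
    print("\n".join(ioc_lines(s)))
```

Twelve sessions to a single non-standard port inside a 149 s run is the behaviour to block and hunt for first. The reverse-lookup targets are lower confidence: the report shows the PTR queries but not what, if anything, was done with the answers, so they belong on a watchlist rather than a blocklist.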

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un071867.exe

MD5 5fb152964f50be457c063cb39fc7fdf3
SHA1 06d87e6f5e9d706aa66cbf041f360cb27a58d68e
SHA256 20d9cfb80fe7e7e7be5d731d1e255281df59af702f95266bb7a4adfede624a6c
SHA512 bea85d225ba2db7feedbce82ae2f2a8bbaa2e5093760dc68baf0890a3cd5ef044465389606f6c892f9ec851c6b98b2b4543e03b98a2b96f8937f94ee5965a108

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un654041.exe

MD5 afa99b8bcc83bef66d048f874f92089c
SHA1 543fd31be4b943dc28eb3787ccdbf03cc2881f9a
SHA256 4605de36f9e120882886f96da46e80957fbe7805b30e930ea51a2a1c1e6e2081
SHA512 3ab5fe0d7109a5d9db7f08b19149c885c8632a522ff83ced5dae62705638192148d8ab489c78a227cf952c2201c771feb87bd27f0a7e8418432da09ca98ca436

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr507719.exe

MD5 ecaf63edf2aa56f60466eb42acbd0e11
SHA1 6d1bfdfb7a9987cb3532db4196cdee2375b652d4
SHA256 642096c696ffefc7a533a527c052d734bce306dca5eb4811679c3d03ebc98ee2
SHA512 c0fa749acd211777c9a6b6db16ad10db6bc7687a6d84b819dd8d2e6b012d86c3b95519edf2cd7cf06fabd08ed1981970f4ef74af7056076acd8357a203471a54

memory/4408-22-0x0000000002450000-0x000000000246A000-memory.dmp

memory/4408-23-0x0000000004A90000-0x0000000005034000-memory.dmp

memory/4408-24-0x0000000002610000-0x0000000002628000-memory.dmp

memory/4408-42-0x0000000002610000-0x0000000002622000-memory.dmp

memory/4408-52-0x0000000002610000-0x0000000002622000-memory.dmp

memory/4408-50-0x0000000002610000-0x0000000002622000-memory.dmp

memory/4408-49-0x0000000002610000-0x0000000002622000-memory.dmp

memory/4408-46-0x0000000002610000-0x0000000002622000-memory.dmp

memory/4408-44-0x0000000002610000-0x0000000002622000-memory.dmp

memory/4408-40-0x0000000002610000-0x0000000002622000-memory.dmp

memory/4408-38-0x0000000002610000-0x0000000002622000-memory.dmp

memory/4408-36-0x0000000002610000-0x0000000002622000-memory.dmp

memory/4408-34-0x0000000002610000-0x0000000002622000-memory.dmp

memory/4408-32-0x0000000002610000-0x0000000002622000-memory.dmp

memory/4408-30-0x0000000002610000-0x0000000002622000-memory.dmp

memory/4408-28-0x0000000002610000-0x0000000002622000-memory.dmp

memory/4408-26-0x0000000002610000-0x0000000002622000-memory.dmp

memory/4408-25-0x0000000002610000-0x0000000002622000-memory.dmp

memory/4408-53-0x0000000000400000-0x00000000004BE000-memory.dmp

memory/4408-55-0x0000000000400000-0x00000000004BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu680302.exe

MD5 cd5c7568f58753ceb9af43307671cfd7
SHA1 0a45c1a3730145811df65e9198a8ece90dff5c3c
SHA256 1fdfccba250e7c078fd04a31e79133e71d7512b1ddfc3aa7881b93ec43800cf4
SHA512 75651840c44f124338d64488902f359bd40d73bada528c1eba536160d5bc593c87798d5911bbf1cd045bfab2e47efc67a533ead33b222b8d89d2b099496c4874

memory/1544-60-0x0000000002500000-0x0000000002568000-memory.dmp

memory/1544-61-0x00000000025D0000-0x0000000002636000-memory.dmp

memory/1544-65-0x00000000025D0000-0x0000000002630000-memory.dmp

memory/1544-69-0x00000000025D0000-0x0000000002630000-memory.dmp

memory/1544-67-0x00000000025D0000-0x0000000002630000-memory.dmp

memory/1544-83-0x00000000025D0000-0x0000000002630000-memory.dmp

memory/1544-63-0x00000000025D0000-0x0000000002630000-memory.dmp

memory/1544-62-0x00000000025D0000-0x0000000002630000-memory.dmp

memory/1544-96-0x00000000025D0000-0x0000000002630000-memory.dmp

memory/1544-93-0x00000000025D0000-0x0000000002630000-memory.dmp

memory/1544-91-0x00000000025D0000-0x0000000002630000-memory.dmp

memory/1544-89-0x00000000025D0000-0x0000000002630000-memory.dmp

memory/1544-87-0x00000000025D0000-0x0000000002630000-memory.dmp

memory/1544-85-0x00000000025D0000-0x0000000002630000-memory.dmp

memory/1544-81-0x00000000025D0000-0x0000000002630000-memory.dmp

memory/1544-79-0x00000000025D0000-0x0000000002630000-memory.dmp

memory/1544-77-0x00000000025D0000-0x0000000002630000-memory.dmp

memory/1544-75-0x00000000025D0000-0x0000000002630000-memory.dmp

memory/1544-73-0x00000000025D0000-0x0000000002630000-memory.dmp

memory/1544-71-0x00000000025D0000-0x0000000002630000-memory.dmp

memory/1544-2204-0x0000000005420000-0x0000000005452000-memory.dmp

C:\Windows\Temp\1.exe

MD5 03728fed675bcde5256342183b1d6f27
SHA1 d13eace7d3d92f93756504b274777cc269b222a2
SHA256 f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0
SHA512 6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

memory/3196-2217-0x00000000008D0000-0x00000000008FE000-memory.dmp

memory/3196-2218-0x00000000050F0000-0x00000000050F6000-memory.dmp

memory/3196-2219-0x0000000005870000-0x0000000005E88000-memory.dmp

memory/3196-2220-0x0000000005360000-0x000000000546A000-memory.dmp

memory/3196-2221-0x0000000005250000-0x0000000005262000-memory.dmp

memory/3196-2222-0x00000000052B0000-0x00000000052EC000-memory.dmp

memory/3196-2223-0x0000000005300000-0x000000000534C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk535127.exe

MD5 5dff2c50481f23cd19d4489020b76820
SHA1 4eda86dc354557b4652e061b503239efd5848e00
SHA256 2ac846b455b439426589e99985bc2bace2a86e036888e8b48da91d4a10a51ff7
SHA512 cec0fa91153f44278ce909f11713ca79a61d8645b041793d09b90070dde576a2828d6a74fb2993d0507177c821bc57bb53047261b97d157884072df87ee20288

memory/3592-2228-0x0000000000EE0000-0x0000000000F10000-memory.dmp

memory/3592-2229-0x0000000003270000-0x0000000003276000-memory.dmp
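An IOC sweep built from the hashes above, as an added example that is not the sandbox's or the report's code: it parses the Files section layout into records, attaches each memory dump name to the dropped file it follows, and matches files on disk or in-memory blobs against the SHA256 set. The embedded excerpt is copied from the report; the test blobs are constructed and the helper names are this example's own.

```python
import hashlib
import os
import re

# Excerpt of this report's Files section (paths, hashes and one memory dump name copied as printed).
FILES_SECTION = r"""
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un071867.exe

MD5 5fb152964f50be457c063cb39fc7fdf3
SHA1 06d87e6f5e9d706aa66cbf041f360cb27a58d68e
SHA256 20d9cfb80fe7e7e7be5d731d1e255281df59af702f95266bb7a4adfede624a6c

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr507719.exe

MD5 ecaf63edf2aa56f60466eb42acbd0e11
SHA1 6d1bfdfb7a9987cb3532db4196cdee2375b652d4
SHA256 642096c696ffefc7a533a527c052d734bce306dca5eb4811679c3d03ebc98ee2

memory/4408-53-0x0000000000400000-0x00000000004BE000-memory.dmp

C:\Windows\Temp\1.exe

MD5 03728fed675bcde5256342183b1d6f27
SHA1 d13eace7d3d92f93756504b274777cc269b222a2
SHA256 f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]{32,128})$")
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_files_section(text):
    """path -> {"hashes": {algo: hex}, "dumps": [{pid, seq, start, size}]}.
    A memory dump line is attached to the dropped file listed just before it, as in the report layout."""
    records, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and current:
            records[current]["hashes"][m.group(1).lower()] = m.group(2).lower()
            continue
        m = DUMP_RE.match(line)
        if m and current:
            start, end = int(m.group(3), 16), int(m.group(4), 16)
            records[current]["dumps"].append(
                {"pid": int(m.group(1)), "seq": int(m.group(2)), "start": start, "size": end - start})
            continue
        current = line
        records.setdefault(current, {"hashes": {}, "dumps": []})
    return records


def ioc_sha256_set(records):
    return {r["hashes"]["sha256"] for r in records.values() if "sha256" in r["hashes"]}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large artefacts do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_blobs(blobs, iocs):
    """Match in-memory objects (name -> bytes) against the IOC set; returns the matching names, sorted."""
    return sorted(name for name, data in blobs.items() if sha256_hex(data) in iocs)


def sweep_dir(root, iocs):
    """Walk a directory tree and return paths whose SHA256 is in the IOC set (unreadable files skipped)."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if sha256_file(path) in iocs:
                    hits.append(path)
            except OSError:
                continue
    return hits


if __name__ == "__main__":
    recs = parse_files_section(FILES_SECTION)
    for path, rec in recs.items():
        print(path, rec["hashes"].get("sha256"), [f"pid {d['pid']} {d['size']:#x} bytes" for d in rec["dumps"]])
    print("hits:", sweep_dir(".", ioc_sha256_set(recs)))
```

Dumps 53 and 55 of PID 4408 cover 0x400000-0x4BE000, which starts at the default image base of a 32-bit PE and so is the region to compare with the on-disk pr507719.exe when checking whether the process modified its own image. On Windows the hands-on equivalent of sweep_dir is Get-FileHash -Algorithm SHA256 against the SHA256 list; the MD5 and SHA1 values are kept only for matching older feeds.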