Malware Analysis Report

2025-01-23 06:03

Sample ID 241107-mbr8pszhlg
Target edae76c071c3380d74cae582f61705aee658ead88f3c54990c57409b65625246
SHA256 edae76c071c3380d74cae582f61705aee658ead88f3c54990c57409b65625246
Tags
healer redline disa lada discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

edae76c071c3380d74cae582f61705aee658ead88f3c54990c57409b65625246

Threat Level: Known bad

The file edae76c071c3380d74cae582f61705aee658ead88f3c54990c57409b65625246 was found to be: Known bad.

Malicious Activity Summary

Healer

RedLine payload

RedLine

Detects Healer an antivirus disabler dropper

Healer family

Redline family

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Checks computer location settings

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-07 10:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 10:17

Reported

2024-11-07 10:20

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\edae76c071c3380d74cae582f61705aee658ead88f3c54990c57409b65625246.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr601966.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr601966.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr601966.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr601966.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr601966.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr601966.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu958694.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr601966.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr601966.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\edae76c071c3380d74cae582f61705aee658ead88f3c54990c57409b65625246.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un161068.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un037518.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk366664.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\edae76c071c3380d74cae582f61705aee658ead88f3c54990c57409b65625246.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un161068.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un037518.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr601966.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu958694.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\1.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr601966.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr601966.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu958694.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4292 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\edae76c071c3380d74cae582f61705aee658ead88f3c54990c57409b65625246.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un161068.exe
PID 3112 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un161068.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un037518.exe
PID 4532 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un037518.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr601966.exe
PID 4532 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un037518.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu958694.exe
PID 3064 wrote to memory of 5180 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu958694.exe C:\Windows\Temp\1.exe
PID 3112 wrote to memory of 5936 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un161068.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk366664.exe

Processes

C:\Users\Admin\AppData\Local\Temp\edae76c071c3380d74cae582f61705aee658ead88f3c54990c57409b65625246.exe

"C:\Users\Admin\AppData\Local\Temp\edae76c071c3380d74cae582f61705aee658ead88f3c54990c57409b65625246.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un161068.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un161068.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un037518.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un037518.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr601966.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr601966.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu958694.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu958694.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk366664.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk366664.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.161.248.90:4125 N/A tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un161068.exe

MD5 248f93bef9dc008373b55fc381c65845
SHA1 3484875bbbdd4e85dcd32adb5bd14940dc4dbe48
SHA256 0aef64cface62e2b643413d84d0ade4c7abf750044db4f13b01f4b04b8f4871f
SHA512 a5398148f82c2fdb9e907215debcfd0aa089efc4b8655c462b6a096567a8c881d8865697eeb7cf8ed13cd534c15d7c0ea4da8081e7ed0025c677702a020294fc

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un037518.exe

MD5 ebf0a9a18c0c2c3cc5701ff399515ec4
SHA1 ad8da931c0370468e7c9ed8897bc0a9b871e911a
SHA256 be02d0f17a8f30c3fd16f4d9338a228a5c66e0cbd960049a81a4095efa23ed3a
SHA512 11ceb7933cf961df0c49fa99ea05fd5b8d62a3fadb960d26887818c2a5409a34c30f5a093ff7b84064d6f494012171f330e3acd75c7ee1ce743dc3e701da91d2

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr601966.exe

MD5 28123bae8fb2800529c32e7942519e92
SHA1 183d6d2ded38523bbc0f0d03ae9aa5952e411d2d
SHA256 70d90ebcf2fccf6eb984195f9cbb21581a4034fbf67a938a9d0f336d8c35a476
SHA512 d15099c041967a81552e35fd7815147638d4f3de92b19b8ed2a7c62cb3dacbc64c7a3b56f3da9feff43c38bfe6e60a6b69931f094903ce3e9fe27a44377db29e

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu958694.exe

MD5 b41c4fa3f89575d14bbf2123b8c53d69
SHA1 b681f1fed6a3b314915408d5427fbd724c6c8b27
SHA256 d25fb87e3a996c250b23cc5af10e451cea0ac347679fdee54e59d3620332c701
SHA512 778689da732f283e2db98d126b1120765e8d87e6ba85611d45163429cfc7e2191e831a3c52bbdc14287337931e04a2cd6c5eba22aff7779809045dab88f34301

C:\Windows\Temp\1.exe

MD5 03728fed675bcde5256342183b1d6f27
SHA1 d13eace7d3d92f93756504b274777cc269b222a2
SHA256 f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0
SHA512 6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk366664.exe

MD5 f8c8ff8b49694526684a76a91ee62d68
SHA1 aff75f4734062095788dc1e7eb93f0487ed2933e
SHA256 610445d556375f26d77aa36805c52373d94c2d99efa71153c9122a066dbbcac0
SHA512 8810fc580549f869a9d15e8be377e41737c39bc25bad631b5b90f7cded522875ee894572936338a216c44789b0d51ae642148e948680846d34ce8dfc929eb944
