Malware Analysis Report

2025-01-23 06:04

Sample ID 241107-mhc3cstjcj
Target 9f55e5427572bbad1032d316367e745e19f1a26e02066ef62e734fd039ac4a07
SHA256 9f55e5427572bbad1032d316367e745e19f1a26e02066ef62e734fd039ac4a07
Tags
healer redline diro lada discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9f55e5427572bbad1032d316367e745e19f1a26e02066ef62e734fd039ac4a07

Threat Level: Known bad

The file 9f55e5427572bbad1032d316367e745e19f1a26e02066ef62e734fd039ac4a07 was found to be: Known bad.

Malicious Activity Summary

healer redline diro lada discovery dropper evasion infostealer persistence trojan

RedLine payload

Detects Healer an antivirus disabler dropper

RedLine

Healer family

Modifies Windows Defender Real-time Protection settings

Redline family

Healer

Windows security modification

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

System Location Discovery: System Language Discovery

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-07 10:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 10:27

Reported

2024-11-07 10:30

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9f55e5427572bbad1032d316367e745e19f1a26e02066ef62e734fd039ac4a07.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr147208.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr147208.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr147208.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr147208.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr147208.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr147208.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu087676.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr147208.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr147208.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\9f55e5427572bbad1032d316367e745e19f1a26e02066ef62e734fd039ac4a07.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un727472.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un793605.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9f55e5427572bbad1032d316367e745e19f1a26e02066ef62e734fd039ac4a07.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un727472.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un793605.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr147208.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu087676.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk158262.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr147208.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr147208.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr147208.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu087676.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2572 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\9f55e5427572bbad1032d316367e745e19f1a26e02066ef62e734fd039ac4a07.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un727472.exe
PID 2572 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\9f55e5427572bbad1032d316367e745e19f1a26e02066ef62e734fd039ac4a07.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un727472.exe
PID 2572 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\9f55e5427572bbad1032d316367e745e19f1a26e02066ef62e734fd039ac4a07.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un727472.exe
PID 4024 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un727472.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un793605.exe
PID 4024 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un727472.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un793605.exe
PID 4024 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un727472.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un793605.exe
PID 4464 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un793605.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr147208.exe
PID 4464 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un793605.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr147208.exe
PID 4464 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un793605.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr147208.exe
PID 4464 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un793605.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu087676.exe
PID 4464 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un793605.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu087676.exe
PID 4464 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un793605.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu087676.exe
PID 3764 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu087676.exe C:\Windows\Temp\1.exe
PID 3764 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu087676.exe C:\Windows\Temp\1.exe
PID 3764 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu087676.exe C:\Windows\Temp\1.exe
PID 4024 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un727472.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk158262.exe
PID 4024 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un727472.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk158262.exe
PID 4024 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un727472.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk158262.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9f55e5427572bbad1032d316367e745e19f1a26e02066ef62e734fd039ac4a07.exe

"C:\Users\Admin\AppData\Local\Temp\9f55e5427572bbad1032d316367e745e19f1a26e02066ef62e734fd039ac4a07.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un727472.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un727472.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un793605.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un793605.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr147208.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr147208.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1632 -ip 1632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu087676.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu087676.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3764 -ip 3764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 1384

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk158262.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk158262.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un727472.exe

MD5 67d8094a5bc5f167023c3837801018ca
SHA1 cdb9f73b12eb07fb8adc887d1235423aae47b517
SHA256 46da9f784191707d0d57eca4c9434892419f307a96fdb11404f1693b9df54015
SHA512 f0c0ee282ac732aaead93a69bc89925a80e3bb71700b172091a8fe07559a5d3a48ccc8646ef52fe2930456cd9e5a59e28caa4a1f9135cb11266ce943f3a70b7b

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un793605.exe

MD5 83d70d3b055dcd29775a5ef35fa5cac1
SHA1 d92a127472b525c62357132cf0f8586415e4083c
SHA256 3d3f5693c05b64c0cf84d3a53f0d1abd695561ae32da00c1a191f241c342f38e
SHA512 11c527cf011ed7ae44f79901067cf32db1153acfd270e0e97605b230aeb770dd82b44a9ec922269aaf4e6798b09c56f933d543a695f76a9fe8e3f3764543455a

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr147208.exe

MD5 230f00a433038fa8ebb5ff9fb6aacbd0
SHA1 082dd42948f04dc3871f3ceee85909120e9e4af0
SHA256 afbfefcabaf3cf9500d8b02ffd41af1bba3e2924b7c2c07f7ae796d1fd0ed31f
SHA512 6880e2f3c63992ce438521f01ddd4acd4a85637a4ec1a310bbe21e23383da16befce72db228372ec231dd6e7be583834d86ea63974c878bc2f1861b90159ff12

memory/1632-22-0x0000000000770000-0x0000000000870000-memory.dmp

memory/1632-23-0x0000000002320000-0x000000000233A000-memory.dmp

memory/1632-24-0x0000000004F20000-0x00000000054C4000-memory.dmp

memory/1632-25-0x0000000002470000-0x0000000002488000-memory.dmp

memory/1632-53-0x0000000002470000-0x0000000002482000-memory.dmp

memory/1632-51-0x0000000002470000-0x0000000002482000-memory.dmp

memory/1632-49-0x0000000002470000-0x0000000002482000-memory.dmp

memory/1632-47-0x0000000002470000-0x0000000002482000-memory.dmp

memory/1632-45-0x0000000002470000-0x0000000002482000-memory.dmp

memory/1632-43-0x0000000002470000-0x0000000002482000-memory.dmp

memory/1632-41-0x0000000002470000-0x0000000002482000-memory.dmp

memory/1632-39-0x0000000002470000-0x0000000002482000-memory.dmp

memory/1632-37-0x0000000002470000-0x0000000002482000-memory.dmp

memory/1632-35-0x0000000002470000-0x0000000002482000-memory.dmp

memory/1632-33-0x0000000002470000-0x0000000002482000-memory.dmp

memory/1632-31-0x0000000002470000-0x0000000002482000-memory.dmp

memory/1632-29-0x0000000002470000-0x0000000002482000-memory.dmp

memory/1632-27-0x0000000002470000-0x0000000002482000-memory.dmp

memory/1632-26-0x0000000002470000-0x0000000002482000-memory.dmp

memory/1632-54-0x0000000000400000-0x00000000004BE000-memory.dmp

memory/1632-55-0x0000000000770000-0x0000000000870000-memory.dmp

memory/1632-57-0x0000000000400000-0x00000000004BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu087676.exe

MD5 7dd1e1c942cab756ba91dcdcc2c911c9
SHA1 3da759ba0a52547ec0d77568bfbb654c8d644d98
SHA256 677fd73bd8bcf1ba0d36f2fc9f4cb8ed73d72c16fa198517d91f7d888ddab7c9
SHA512 2355f845e99d1fcbbb65423c28f3b5822d18fb648191f9564e8089931c285f0fbaa9318358eb32e1a03321b95528cf16dc0c7a59c597a7d371447f7af585b71b

memory/3764-62-0x0000000002500000-0x0000000002568000-memory.dmp

memory/3764-63-0x0000000005220000-0x0000000005286000-memory.dmp

memory/3764-75-0x0000000005220000-0x0000000005280000-memory.dmp

memory/3764-81-0x0000000005220000-0x0000000005280000-memory.dmp

memory/3764-97-0x0000000005220000-0x0000000005280000-memory.dmp

memory/3764-95-0x0000000005220000-0x0000000005280000-memory.dmp

memory/3764-93-0x0000000005220000-0x0000000005280000-memory.dmp

memory/3764-89-0x0000000005220000-0x0000000005280000-memory.dmp

memory/3764-87-0x0000000005220000-0x0000000005280000-memory.dmp

memory/3764-85-0x0000000005220000-0x0000000005280000-memory.dmp

memory/3764-83-0x0000000005220000-0x0000000005280000-memory.dmp

memory/3764-79-0x0000000005220000-0x0000000005280000-memory.dmp

memory/3764-77-0x0000000005220000-0x0000000005280000-memory.dmp

memory/3764-73-0x0000000005220000-0x0000000005280000-memory.dmp

memory/3764-71-0x0000000005220000-0x0000000005280000-memory.dmp

memory/3764-69-0x0000000005220000-0x0000000005280000-memory.dmp

memory/3764-67-0x0000000005220000-0x0000000005280000-memory.dmp

memory/3764-91-0x0000000005220000-0x0000000005280000-memory.dmp

memory/3764-65-0x0000000005220000-0x0000000005280000-memory.dmp

memory/3764-64-0x0000000005220000-0x0000000005280000-memory.dmp

memory/3764-2206-0x0000000005410000-0x0000000005442000-memory.dmp

C:\Windows\Temp\1.exe

MD5 03728fed675bcde5256342183b1d6f27
SHA1 d13eace7d3d92f93756504b274777cc269b222a2
SHA256 f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0
SHA512 6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

memory/1992-2219-0x0000000000480000-0x00000000004AE000-memory.dmp

memory/1992-2220-0x0000000000DA0000-0x0000000000DA6000-memory.dmp

memory/1992-2221-0x0000000005450000-0x0000000005A68000-memory.dmp

memory/1992-2222-0x0000000004F40000-0x000000000504A000-memory.dmp

memory/1992-2223-0x0000000004DF0000-0x0000000004E02000-memory.dmp

memory/1992-2224-0x0000000004E30000-0x0000000004E6C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk158262.exe

MD5 c35bc7be17b8f6887552b3a0e2762099
SHA1 dd96601614e96e769acf22848666670f74d1611b
SHA256 d3d493e310196e0f3b0a74b6442ade87a9f59e97ac48f73efb0df5cfe1379bc5
SHA512 d3bb5bcbae95941598588df7aae68b000249bfc8a74a62a1d2d979bb2b70381fb4213b66b760157045c9409cb7ec052394be560db425efdda1ed37546c676835

memory/1992-2229-0x0000000004EA0000-0x0000000004EEC000-memory.dmp

memory/860-2230-0x00000000000A0000-0x00000000000D0000-memory.dmp

memory/860-2231-0x00000000048B0000-0x00000000048B6000-memory.dmp