Malware Analysis Report

2025-01-23 05:58

Sample ID 241107-nk13ms1fme
Target 2c59ec6bddd3f457e1d57b21cc6551fe016a155fd7abfdee8487690253ab02a9
SHA256 2c59ec6bddd3f457e1d57b21cc6551fe016a155fd7abfdee8487690253ab02a9
Tags
healer redline disa lada discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

2c59ec6bddd3f457e1d57b21cc6551fe016a155fd7abfdee8487690253ab02a9

Threat Level: Known bad

The file 2c59ec6bddd3f457e1d57b21cc6551fe016a155fd7abfdee8487690253ab02a9 was found to be: Known bad.

Malicious Activity Summary

healer redline disa lada discovery dropper evasion infostealer persistence trojan

Healer family

Modifies Windows Defender Real-time Protection settings

Detects Healer, an antivirus disabler dropper

Healer

RedLine payload

Redline family

RedLine

Checks computer location settings

Windows security modification

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-07 11:28

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 11:28

Reported

2024-11-07 11:30

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2c59ec6bddd3f457e1d57b21cc6551fe016a155fd7abfdee8487690253ab02a9.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description | Indicator | Process | Target
(17 rows, all columns N/A: the sandbox recorded no indicator details for this signature)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr526187.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr526187.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr526187.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr526187.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr526187.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr526187.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
(5 rows, all columns N/A: the sandbox recorded no indicator details for this signature)

Redline family

redline

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu665610.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr526187.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr526187.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\2c59ec6bddd3f457e1d57b21cc6551fe016a155fd7abfdee8487690253ab02a9.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un718366.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un743549.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2c59ec6bddd3f457e1d57b21cc6551fe016a155fd7abfdee8487690253ab02a9.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un718366.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un743549.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr526187.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu665610.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\1.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk346995.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr526187.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr526187.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr526187.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu665610.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2936 wrote to memory of 1000 | N/A | C:\Users\Admin\AppData\Local\Temp\2c59ec6bddd3f457e1d57b21cc6551fe016a155fd7abfdee8487690253ab02a9.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un718366.exe
PID 2936 wrote to memory of 1000 | N/A | C:\Users\Admin\AppData\Local\Temp\2c59ec6bddd3f457e1d57b21cc6551fe016a155fd7abfdee8487690253ab02a9.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un718366.exe
PID 2936 wrote to memory of 1000 | N/A | C:\Users\Admin\AppData\Local\Temp\2c59ec6bddd3f457e1d57b21cc6551fe016a155fd7abfdee8487690253ab02a9.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un718366.exe
PID 1000 wrote to memory of 4084 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un718366.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un743549.exe
PID 1000 wrote to memory of 4084 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un718366.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un743549.exe
PID 1000 wrote to memory of 4084 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un718366.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un743549.exe
PID 4084 wrote to memory of 2996 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un743549.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr526187.exe
PID 4084 wrote to memory of 2996 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un743549.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr526187.exe
PID 4084 wrote to memory of 2996 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un743549.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr526187.exe
PID 4084 wrote to memory of 2952 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un743549.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu665610.exe
PID 4084 wrote to memory of 2952 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un743549.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu665610.exe
PID 4084 wrote to memory of 2952 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un743549.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu665610.exe
PID 2952 wrote to memory of 5548 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu665610.exe | C:\Windows\Temp\1.exe
PID 2952 wrote to memory of 5548 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu665610.exe | C:\Windows\Temp\1.exe
PID 2952 wrote to memory of 5548 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu665610.exe | C:\Windows\Temp\1.exe
PID 1000 wrote to memory of 5432 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un718366.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk346995.exe
PID 1000 wrote to memory of 5432 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un718366.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk346995.exe
PID 1000 wrote to memory of 5432 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un718366.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk346995.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2c59ec6bddd3f457e1d57b21cc6551fe016a155fd7abfdee8487690253ab02a9.exe

"C:\Users\Admin\AppData\Local\Temp\2c59ec6bddd3f457e1d57b21cc6551fe016a155fd7abfdee8487690253ab02a9.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un718366.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un718366.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un743549.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un743549.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr526187.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr526187.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu665610.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu665610.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk346995.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk346995.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
RU | 185.161.248.90:4125 | | tcp
RU | 185.161.248.90:4125 | | tcp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
RU | 185.161.248.90:4125 | | tcp
RU | 185.161.248.90:4125 | | tcp
RU | 185.161.248.90:4125 | | tcp
RU | 185.161.248.90:4125 | | tcp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
RU | 185.161.248.90:4125 | | tcp
RU | 185.161.248.90:4125 | | tcp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp
RU | 185.161.248.90:4125 | | tcp
RU | 185.161.248.90:4125 | | tcp
RU | 185.161.248.90:4125 | | tcp
RU | 185.161.248.90:4125 | | tcp
US | 8.8.8.8:53 | | udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un718366.exe

MD5 f8841281886b6d9b130aed25e1b2ce48
SHA1 c8a1404cf9b12b647e9dd79a9387a4b057458e40
SHA256 d48e26e112a278c3c929dd149c953c784c6a0ad12b98cd4c626a7bd0084720d4
SHA512 4b688d71632cb52b27a27aba4f996114d1d47ee08dd6e3e9714af20e69096b9bd678a7249771d1f40d389897e5b728b63689c48f0b527b172fe4c2eb6f2a3dd4

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un743549.exe

MD5 fe4cf9a6e04aa34c48655ed006743262
SHA1 403ea83241b0abca8fa6b4ca1fb24b550f7ad336
SHA256 e533e6dab15b5df22df1dec8c8f49e3aedc56fa98ed35b100f043e0448a790b5
SHA512 140df9899cc885f1b50fe90fc24a178e09858bf1a173b92f9df630d47c757a3acb11682d3609ce6dbd7cc3ff1d31882d1576d136b0d46d72897fd1eda99225a5

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr526187.exe

MD5 0e1301d685acf40ea55f6c25a1e6d70c
SHA1 4b9c13144cc14c7f3b19f39db7a835790ca675b8
SHA256 3d5ee9355f6c7e7fcde4d2ff25644b9dcefc9c5a3d68cf23f0b571ad17b897f8
SHA512 69063c784abb5bfe3cff53b12179e9490dc0ac037579cad28b6b1ddd921ae66ff1d58659217fc6ae402983da1a5b9324cbcf1f2a310cf501e83b27044f4dd129

memory/2996-22-0x00000000026E0000-0x00000000026FA000-memory.dmp

memory/2996-23-0x0000000004EF0000-0x0000000005494000-memory.dmp

memory/2996-24-0x0000000002850000-0x0000000002868000-memory.dmp

memory/2996-45-0x0000000002850000-0x0000000002862000-memory.dmp

memory/2996-52-0x0000000002850000-0x0000000002862000-memory.dmp

memory/2996-50-0x0000000002850000-0x0000000002862000-memory.dmp

memory/2996-48-0x0000000002850000-0x0000000002862000-memory.dmp

memory/2996-46-0x0000000002850000-0x0000000002862000-memory.dmp

memory/2996-42-0x0000000002850000-0x0000000002862000-memory.dmp

memory/2996-41-0x0000000002850000-0x0000000002862000-memory.dmp

memory/2996-38-0x0000000002850000-0x0000000002862000-memory.dmp

memory/2996-36-0x0000000002850000-0x0000000002862000-memory.dmp

memory/2996-34-0x0000000002850000-0x0000000002862000-memory.dmp

memory/2996-32-0x0000000002850000-0x0000000002862000-memory.dmp

memory/2996-30-0x0000000002850000-0x0000000002862000-memory.dmp

memory/2996-28-0x0000000002850000-0x0000000002862000-memory.dmp

memory/2996-26-0x0000000002850000-0x0000000002862000-memory.dmp

memory/2996-25-0x0000000002850000-0x0000000002862000-memory.dmp

memory/2996-53-0x0000000000400000-0x000000000080A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu665610.exe

MD5 c37af314c38a52eece736df3d033f6f1
SHA1 31be4aeeaba455bccf7f06db6dbdff6b360aa7de
SHA256 905d0b3aae4557c84b4b8e4ab33bb15fc122b2796668cd7bd3fb538ebe30b14f
SHA512 19a58d75bfaebaf4e03f4d31bdcb6b00182e0166392e1fa7298b60505635355da90a3f72be61482b089ea8024a2dc440c48f428a70abb2a64bed3f2407e20709

memory/2996-55-0x0000000000400000-0x000000000080A000-memory.dmp

memory/2952-60-0x00000000026F0000-0x0000000002758000-memory.dmp

memory/2952-61-0x0000000004FC0000-0x0000000005026000-memory.dmp

memory/2952-67-0x0000000004FC0000-0x0000000005020000-memory.dmp

memory/2952-95-0x0000000004FC0000-0x0000000005020000-memory.dmp

memory/2952-93-0x0000000004FC0000-0x0000000005020000-memory.dmp

memory/2952-91-0x0000000004FC0000-0x0000000005020000-memory.dmp

memory/2952-89-0x0000000004FC0000-0x0000000005020000-memory.dmp

memory/2952-87-0x0000000004FC0000-0x0000000005020000-memory.dmp

memory/2952-85-0x0000000004FC0000-0x0000000005020000-memory.dmp

memory/2952-83-0x0000000004FC0000-0x0000000005020000-memory.dmp

memory/2952-81-0x0000000004FC0000-0x0000000005020000-memory.dmp

memory/2952-79-0x0000000004FC0000-0x0000000005020000-memory.dmp

memory/2952-77-0x0000000004FC0000-0x0000000005020000-memory.dmp

memory/2952-75-0x0000000004FC0000-0x0000000005020000-memory.dmp

memory/2952-73-0x0000000004FC0000-0x0000000005020000-memory.dmp

memory/2952-71-0x0000000004FC0000-0x0000000005020000-memory.dmp

memory/2952-69-0x0000000004FC0000-0x0000000005020000-memory.dmp

memory/2952-65-0x0000000004FC0000-0x0000000005020000-memory.dmp

memory/2952-63-0x0000000004FC0000-0x0000000005020000-memory.dmp

memory/2952-62-0x0000000004FC0000-0x0000000005020000-memory.dmp

memory/2952-2204-0x0000000005780000-0x00000000057B2000-memory.dmp

C:\Windows\Temp\1.exe

MD5 03728fed675bcde5256342183b1d6f27
SHA1 d13eace7d3d92f93756504b274777cc269b222a2
SHA256 f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0
SHA512 6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

memory/5548-2218-0x00000000007D0000-0x00000000007FE000-memory.dmp

memory/5548-2219-0x0000000001130000-0x0000000001136000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk346995.exe

MD5 5ced0bf46a4e497bbb7001a052ee8f59
SHA1 5de98ec3d9f06120998cfdbeb46586610e09a66f
SHA256 9cc52b6acc2f28becd9f06d1b5ffe64fb4790dfb246594cc22ee0606e1b68b91
SHA512 ea336114326d7c00df1441e6f6a5831c9905c1538b3eefa428022c72e2b1b26dc72475fbd72c95b31cee89c7a0c417b973eb1fa6a008efb59669ee3f0e2d1460

memory/5432-2223-0x0000000000960000-0x0000000000990000-memory.dmp

memory/5432-2224-0x0000000007610000-0x0000000007616000-memory.dmp

memory/5432-2225-0x00000000058B0000-0x0000000005EC8000-memory.dmp

memory/5548-2226-0x00000000052C0000-0x00000000053CA000-memory.dmp

memory/5432-2227-0x00000000052D0000-0x00000000052E2000-memory.dmp

memory/5432-2228-0x0000000005330000-0x000000000536C000-memory.dmp

memory/5548-2229-0x0000000005200000-0x000000000524C000-memory.dmp