Malware Analysis Report

2025-01-23 06:02

Sample ID 241107-qezzhasglh
Target f214c6b281d57380a86bd0f6d1ede273bb840616f241d6295a83145efa3ac459
SHA256 f214c6b281d57380a86bd0f6d1ede273bb840616f241d6295a83145efa3ac459
Tags
healer redline disa lada discovery dropper evasion infostealer persistence trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 f214c6b281d57380a86bd0f6d1ede273bb840616f241d6295a83145efa3ac459

Threat Level: Known bad

The file f214c6b281d57380a86bd0f6d1ede273bb840616f241d6295a83145efa3ac459 was found to be: Known bad.

Malicious Activity Summary

healer redline disa lada discovery dropper evasion infostealer persistence trojan

Detects Healer, an antivirus disabler dropper

Redline family

RedLine payload

Healer family

Modifies Windows Defender Real-time Protection settings

RedLine

Healer

Windows security modification

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Launches sc.exe

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-07 13:11

Signatures

Unsigned PE

Description Indicator Process Target
(no indicator detail recorded; the signature means the submitted PE carries no Authenticode signature)

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 13:11

Reported

2024-11-07 13:13

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f214c6b281d57380a86bd0f6d1ede273bb840616f241d6295a83145efa3ac459.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
(2 matches; no indicator detail recorded)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan (ATT&CK T1562.001)
These are the Group Policy-backed Defender settings under HKLM\SOFTWARE\Policies; writing them requires administrative rights, and on a host with Tamper Protection enabled Defender ignores them, so the rows below record the write, not its effect.
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it911239.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it911239.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it911239.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it911239.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it911239.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it911239.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(5 matches; no indicator detail recorded)

Redline family

redline

Checks computer location settings

Geo\Nation holds the current user's country code (ATT&CK T1614, System Location Discovery).
Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr389978.exe N/A

Windows security modification

evasion trojan (ATT&CK T1562.001)
Setting Features\TamperProtection to 0 is an attempt to switch Tamper Protection off through the registry. Tamper Protection exists to block exactly this class of change, so on a host where it is enabled the write does not take effect; the writing process, it911239.exe, is the same one that disables real-time protection above.
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it911239.exe N/A

Adds Run key to start application

persistence (ATT&CK T1547.001)
All three values are RunOnce entries named wextract_cleanupN whose command is rundll32.exe advpack.dll,DelNodeRunDLL32 "<temp dir>". That is the self-cleanup wextract.exe (IExpress self-extracting packages) registers to delete its IXP00N.TMP extraction directory at the next logon; the three nested directories IXP000/IXP001/IXP002 show a three-layer SFX wrapper. The command deletes the staging directory rather than relaunching anything, so treat these rows as evidence of the packaging, not of a persistence mechanism.
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\f214c6b281d57380a86bd0f6d1ede273bb840616f241d6295a83145efa3ac459.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPJ8166.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziva6415.exe N/A
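The Defender Real-Time Protection rows, the TamperProtection row and the RunOnce rows above are exactly what a triage script has to tell apart: policy values that switch protection off, and an SFX cleanup entry that only looks like an autorun. The following Python is an added example, not part of the sandbox report or its tooling. It parses rows in the report's own row format (operation, key, optional quoted value, process, target); the last two rows of its embedded input are constructed (a hypothetical gpupdate.exe reset of a policy value and a hypothetical Run entry written by a made-up hypothetical.exe) so that the negative and positive branches are exercised.

```python
"""Triage sandbox registry rows: Defender tampering vs. wextract SFX cleanup.

Added example; it is not part of the sandbox report or its tooling.
"""
import re
from dataclasses import dataclass

# Constructed sample input: registry rows copied verbatim from the behavioral1
# signature tables, plus two rows that are NOT from the report (hypothetical):
# a policy value reset to "0" and a Run entry that really starts a dropped file.
# Row format: <op> <key>[ = "<value>"] <process> <target>
SAMPLE_EVENTS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it911239.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it911239.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it911239.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it911239.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it911239.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it911239.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it911239.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\f214c6b281d57380a86bd0f6d1ede273bb840616f241d6295a83145efa3ac459.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPJ8166.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziva6415.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0" C:\Windows\System32\gpupdate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Users\\Admin\\AppData\\Roaming\\hypothetical.exe" C:\Users\Admin\AppData\Local\Temp\hypothetical.exe N/A
"""

# One report row. The key may contain spaces, so it is matched lazily and the
# trailing "<process> <target>" anchored to the end of the line; quoted values
# may contain \\ and \" escapes.
EVENT_RE = re.compile(
    r'^(?P<op>Key created|Key opened|Key value queried|Set value \((?P<vtype>\w+)\)) '
    r'(?P<key>\\REGISTRY\\.+?)'
    r'(?: = "(?P<value>(?:[^"\\]|\\.)*)")? '
    r'(?P<process>\S+) (?P<target>\S+)$'
)
# Registry paths are case-insensitive; compare in lower case.
DEFENDER_RTP_POLICY = r"\registry\machine\software\policies\microsoft\windows defender\real-time protection"
DEFENDER_TAMPER_FEATURE = r"\registry\machine\software\microsoft\windows defender\features\tamperprotection"
AUTORUN_RE = re.compile(r"\\currentversion\\(?:run|runonce)\\(?P<name>[^\\]+)$")
# The cleanup command wextract.exe registers: delete <dir> at next logon.
WEXTRACT_CLEANUP_RE = re.compile(
    r'^rundll32\.exe \S*advpack\.dll,DelNodeRunDLL32 "(?P<dir>[^"]+)"$', re.IGNORECASE
)


@dataclass(frozen=True)
class Finding:
    category: str   # "defender_tamper" | "wextract_cleanup" | "autorun"
    process: str
    detail: str
    attack_id: str  # empty when the row is benign


def unescape(raw):
    # Undo the report's escaping inside quoted values: \\ -> \ and \" -> "
    return re.sub(r"\\(.)", r"\1", raw)


def classify(ev):
    """Map one parsed row to a Finding, or None when it is not interesting."""
    value = ev["value"]
    if value is None:            # "Key created/opened/queried" rows carry no value
        return None
    key = ev["key"].lower()
    parent, _, name = key.rpartition("\\")
    if parent == DEFENDER_RTP_POLICY and name.startswith("disable") and value == "1":
        original_name = ev["key"].rpartition("\\")[2]
        return Finding("defender_tamper", ev["process"], original_name + "=1", "T1562.001")
    if key == DEFENDER_TAMPER_FEATURE and value == "0":
        return Finding("defender_tamper", ev["process"], "TamperProtection=0", "T1562.001")
    m = AUTORUN_RE.search(key)
    if m:
        cmd = unescape(value)
        w = WEXTRACT_CLEANUP_RE.match(cmd)
        if w and m["name"].startswith("wextract_cleanup"):
            # IExpress/wextract self-cleanup: removes the staging dir, starts nothing.
            return Finding("wextract_cleanup", ev["process"], w["dir"], "")
        return Finding("autorun", ev["process"], cmd, "T1547.001")
    return None


def triage_registry_events(text):
    """Parse every row of `text` and return the Findings in input order."""
    findings = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            f = classify(m.groupdict())
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage_registry_events(SAMPLE_EVENTS):
        print(f"{f.category:17} {f.attack_id:10} {f.process.rsplit(chr(92), 1)[-1]:14} {f.detail}")
```

The classifier keys on three things the rows give it: the policy path plus a Disable* name set to 1, the TamperProtection feature flag set to 0, and for Run/RunOnce values the decoded command rather than the key alone. Only the last distinction separates the wextract cleanup from a genuine autorun, which is why the value escaping has to be undone before matching.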

Launches sc.exe

The only sc.exe command line captured in this run is "C:\Windows\system32\sc.exe start wuauserv" (see Processes); the report does not record which of the dropped executables spawned it.
Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery (ATT&CK T1614.001)
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr389978.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp991874.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f214c6b281d57380a86bd0f6d1ede273bb840616f241d6295a83145efa3ac459.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPJ8166.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziva6415.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it911239.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it911239.exe N/A

Suspicious use of AdjustPrivilegeToken

SeDebugPrivilege lets a process open other processes regardless of their DACL; it911239.exe, which requests it here, is also the process that enumerates processes and tampers with Defender above.
Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it911239.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr389978.exe N/A

Suspicious use of WriteProcessMemory

Every pair below is a parent writing into a process it has just spawned (compare the Processes list), and each pair is logged two or three times. The table is therefore the best record of process lineage in this report, but on its own it does not show injection into a foreign process; sc.exe does not appear in it, so its parent is unknown.
Description Indicator Process Target
PID 916 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\f214c6b281d57380a86bd0f6d1ede273bb840616f241d6295a83145efa3ac459.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPJ8166.exe
PID 916 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\f214c6b281d57380a86bd0f6d1ede273bb840616f241d6295a83145efa3ac459.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPJ8166.exe
PID 916 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\f214c6b281d57380a86bd0f6d1ede273bb840616f241d6295a83145efa3ac459.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPJ8166.exe
PID 5076 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPJ8166.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziva6415.exe
PID 5076 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPJ8166.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziva6415.exe
PID 5076 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPJ8166.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziva6415.exe
PID 5100 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziva6415.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it911239.exe
PID 5100 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziva6415.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it911239.exe
PID 5100 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziva6415.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr389978.exe
PID 5100 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziva6415.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr389978.exe
PID 5100 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziva6415.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr389978.exe
PID 812 wrote to memory of 5204 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr389978.exe C:\Windows\Temp\1.exe
PID 812 wrote to memory of 5204 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr389978.exe C:\Windows\Temp\1.exe
PID 812 wrote to memory of 5204 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr389978.exe C:\Windows\Temp\1.exe
PID 5076 wrote to memory of 5260 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPJ8166.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp991874.exe
PID 5076 wrote to memory of 5260 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPJ8166.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp991874.exe
PID 5076 wrote to memory of 5260 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPJ8166.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp991874.exe
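Reconstructing the dropper chain from these rows by hand means deduplicating the repeats and following PIDs across four levels of nesting. The following Python is an added example, not part of the sandbox report or its tooling: it parses the 17 rows above verbatim (embedded as constructed input), deduplicates them into parent/child edges, and renders the process tree and the lineage of any PID.

```python
"""Rebuild the process tree from Triage "PID X wrote to memory of Y" rows.

Added example; it is not part of the sandbox report or its tooling.
"""
import re
from collections import defaultdict

# Constructed sample input: the 17 WriteProcessMemory rows from behavioral1,
# verbatim, repeats included.
WPM_ROWS = r"""
PID 916 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\f214c6b281d57380a86bd0f6d1ede273bb840616f241d6295a83145efa3ac459.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPJ8166.exe
PID 916 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\f214c6b281d57380a86bd0f6d1ede273bb840616f241d6295a83145efa3ac459.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPJ8166.exe
PID 916 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\f214c6b281d57380a86bd0f6d1ede273bb840616f241d6295a83145efa3ac459.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPJ8166.exe
PID 5076 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPJ8166.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziva6415.exe
PID 5076 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPJ8166.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziva6415.exe
PID 5076 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPJ8166.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziva6415.exe
PID 5100 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziva6415.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it911239.exe
PID 5100 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziva6415.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it911239.exe
PID 5100 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziva6415.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr389978.exe
PID 5100 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziva6415.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr389978.exe
PID 5100 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziva6415.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr389978.exe
PID 812 wrote to memory of 5204 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr389978.exe C:\Windows\Temp\1.exe
PID 812 wrote to memory of 5204 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr389978.exe C:\Windows\Temp\1.exe
PID 812 wrote to memory of 5204 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr389978.exe C:\Windows\Temp\1.exe
PID 5076 wrote to memory of 5260 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPJ8166.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp991874.exe
PID 5076 wrote to memory of 5260 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPJ8166.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp991874.exe
PID 5076 wrote to memory of 5260 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPJ8166.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp991874.exe
"""

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def parse_writes(text):
    """Return (edges, counts).

    edges maps (src_pid, dst_pid) -> (src_image, dst_image), one entry per pair;
    counts records how many times the sandbox logged each pair.
    """
    edges, counts = {}, defaultdict(int)
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        pair = (int(m["src"]), int(m["dst"]))
        edges[pair] = (m["src_img"], m["dst_img"])
        counts[pair] += 1
    return edges, dict(counts)


def basename(win_path):
    # os.path.basename would not split on '\' on a non-Windows analysis box.
    return win_path.rsplit("\\", 1)[-1]


class ProcessTree:
    def __init__(self, edges):
        self.children = defaultdict(list)
        self.parent = {}
        self.image = {}
        for (src, dst), (src_img, dst_img) in edges.items():
            self.children[src].append(dst)
            self.parent[dst] = src
            self.image[src] = src_img
            self.image[dst] = dst_img
        for kids in self.children.values():
            kids.sort()
        # Roots are processes that never appear as a write target.
        self.roots = sorted(p for p in self.image if p not in self.parent)

    def ancestry(self, pid):
        """Image basenames from the root down to `pid`."""
        chain = [pid]
        while chain[-1] in self.parent:
            chain.append(self.parent[chain[-1]])
        return [basename(self.image[p]) for p in reversed(chain)]

    def render(self, pids=None, depth=0):
        """Indented text tree, one line per process, children in PID order."""
        lines = []
        for pid in (self.roots if pids is None else pids):
            lines.append("  " * depth + f"{pid} {basename(self.image[pid])}")
            lines.extend(self.render(self.children.get(pid, []), depth + 1))
        return lines


if __name__ == "__main__":
    edges, counts = parse_writes(WPM_ROWS)
    tree = ProcessTree(edges)
    print("\n".join(tree.render()))
    for pair, n in counts.items():
        print(f"{pair[0]} -> {pair[1]} logged {n} times")
```

On this report the tree has a single root (PID 916, the submitted file) and the lineage of 1.exe is the four-stage chain f214...exe, ziPJ8166.exe, ziva6415.exe, jr389978.exe, 1.exe, with it911239.exe (Defender tampering) and kp991874.exe as siblings at the second and third levels. Because sc.exe never appears as a write target it is absent from the tree, which is the point of building it from this table: you learn what the sandbox did and did not record about lineage.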

Processes

C:\Users\Admin\AppData\Local\Temp\f214c6b281d57380a86bd0f6d1ede273bb840616f241d6295a83145efa3ac459.exe

"C:\Users\Admin\AppData\Local\Temp\f214c6b281d57380a86bd0f6d1ede273bb840616f241d6295a83145efa3ac459.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPJ8166.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPJ8166.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziva6415.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziva6415.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it911239.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it911239.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr389978.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr389978.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp991874.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp991874.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp 1
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp 1
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp 1
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp 1
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp 1
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp 1
RU 185.161.248.90:4125 (no domain) tcp 12

The udp rows are reverse (PTR) lookups sent to 8.8.8.8; no forward name resolution was recorded. The 12 TCP connections to 185.161.248.90:4125 are the only non-DNS traffic in the run and were made directly by IP, so that host:port pair is the network indicator to take from this report.

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPJ8166.exe

MD5 d60d571d26b7d6dc35d5e7dda86c4138
SHA1 db509b935bb24c7a63a5457b055c5444b7c78855
SHA256 41b78840e63eac38a7ea0c2e964e439295b99c7c641b03de5d33a6cd8f64d18b
SHA512 90257fb6f495bc77512a76d384e5e823d2d3fdff95007ad52444f5df95bd8b078b79b05efe5e16257670eeaf80817ebead817d03f7e543eab6d9aaf8722e4061

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziva6415.exe

MD5 bb58e56f24bda313b521e3b981b32c86
SHA1 53ff783181ab8c32edf7ab0f2b9c033d6b632165
SHA256 789ac533bd335c47eb4d6134f65c564f0df70e4a4a2d0297f38b88c9c0b09a70
SHA512 86266213644e784ee82756826177c35fb276d4ef7013106dcdbcffd9da3610c4f8b2df71b447f299e1493bac85163e407dccadab5e2e33394b6e3e3251aade65

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it911239.exe

MD5 4b3e0ef0693789fc9ddd388e7af44e0f
SHA1 ad549514027c4a03dcc3d47f1ce2a5bf672bed55
SHA256 4fbab3bb6791ee3a90338dad16f2bb1ac8cfd393df0379546ce563e060dc3ee4
SHA512 81a1bf6e58fca18834869c37eac1e96fac73f1ae8202210e980f0fd67b615ea4bef912bf83b0026d4df8613c6b31dc70735234855eff1170d817212847cc7a01

memory/3516-21-0x00007FFF6FF33000-0x00007FFF6FF35000-memory.dmp

memory/3516-22-0x0000000000540000-0x000000000054A000-memory.dmp

memory/3516-23-0x00007FFF6FF33000-0x00007FFF6FF35000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr389978.exe

MD5 35d0ab2652b4e2a7aefba787ced1e392
SHA1 6ab7bde5cf4599e804cd51d4a26fd982bdee1259
SHA256 86670861df1d4cb9dfe144e3f5fec1c17eb452ee6b2292d53f896ade5ccf322f
SHA512 de7340b570ea0dfec20ecf4bd9567ce3aa564b5005e30a0315bd551974bc9725d458538906fd287c709f4c6e8f22591e810043f9d246e0f2976c84dc50c07b2c

memory/812-29-0x00000000028F0000-0x0000000002958000-memory.dmp

memory/812-30-0x0000000005070000-0x0000000005614000-memory.dmp

memory/812-31-0x0000000004EA0000-0x0000000004F06000-memory.dmp

memory/812-45-0x0000000004EA0000-0x0000000004F00000-memory.dmp

memory/812-47-0x0000000004EA0000-0x0000000004F00000-memory.dmp

memory/812-95-0x0000000004EA0000-0x0000000004F00000-memory.dmp

memory/812-93-0x0000000004EA0000-0x0000000004F00000-memory.dmp

memory/812-91-0x0000000004EA0000-0x0000000004F00000-memory.dmp

memory/812-89-0x0000000004EA0000-0x0000000004F00000-memory.dmp

memory/812-87-0x0000000004EA0000-0x0000000004F00000-memory.dmp

memory/812-85-0x0000000004EA0000-0x0000000004F00000-memory.dmp

memory/812-83-0x0000000004EA0000-0x0000000004F00000-memory.dmp

memory/812-79-0x0000000004EA0000-0x0000000004F00000-memory.dmp

memory/812-77-0x0000000004EA0000-0x0000000004F00000-memory.dmp

memory/812-73-0x0000000004EA0000-0x0000000004F00000-memory.dmp

memory/812-71-0x0000000004EA0000-0x0000000004F00000-memory.dmp

memory/812-69-0x0000000004EA0000-0x0000000004F00000-memory.dmp

memory/812-67-0x0000000004EA0000-0x0000000004F00000-memory.dmp

memory/812-63-0x0000000004EA0000-0x0000000004F00000-memory.dmp

memory/812-61-0x0000000004EA0000-0x0000000004F00000-memory.dmp

memory/812-59-0x0000000004EA0000-0x0000000004F00000-memory.dmp

memory/812-57-0x0000000004EA0000-0x0000000004F00000-memory.dmp

memory/812-55-0x0000000004EA0000-0x0000000004F00000-memory.dmp

memory/812-53-0x0000000004EA0000-0x0000000004F00000-memory.dmp

memory/812-51-0x0000000004EA0000-0x0000000004F00000-memory.dmp

memory/812-49-0x0000000004EA0000-0x0000000004F00000-memory.dmp

memory/812-43-0x0000000004EA0000-0x0000000004F00000-memory.dmp

memory/812-41-0x0000000004EA0000-0x0000000004F00000-memory.dmp

memory/812-39-0x0000000004EA0000-0x0000000004F00000-memory.dmp

memory/812-37-0x0000000004EA0000-0x0000000004F00000-memory.dmp

memory/812-35-0x0000000004EA0000-0x0000000004F00000-memory.dmp

memory/812-81-0x0000000004EA0000-0x0000000004F00000-memory.dmp

memory/812-75-0x0000000004EA0000-0x0000000004F00000-memory.dmp

memory/812-65-0x0000000004EA0000-0x0000000004F00000-memory.dmp

memory/812-33-0x0000000004EA0000-0x0000000004F00000-memory.dmp

memory/812-32-0x0000000004EA0000-0x0000000004F00000-memory.dmp

memory/812-2174-0x0000000004F30000-0x0000000004F62000-memory.dmp

C:\Windows\Temp\1.exe

MD5 03728fed675bcde5256342183b1d6f27
SHA1 d13eace7d3d92f93756504b274777cc269b222a2
SHA256 f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0
SHA512 6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

memory/5204-2188-0x0000000000DA0000-0x0000000000DCE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp991874.exe

MD5 016e2f2d5deeeb80984ed7b8a245a40c
SHA1 c24ffe850224bae13f2bf092a0419142cd2e8780
SHA256 9e48ba3e0fda075872731eec3b10cf7f7241a8354671635a65aea6e0b7ec570e
SHA512 54e4ae4f5f518ca64bcc1788550e8818bb90bac29965459e8da0b1d322836c3e2186a3275399ed8e905846a7c6f58f4df013c4f0f24ae01e652f57e571b84aa8

memory/5204-2192-0x0000000002EB0000-0x0000000002EB6000-memory.dmp

memory/5260-2193-0x0000000000190000-0x00000000001C0000-memory.dmp

memory/5260-2194-0x00000000049B0000-0x00000000049B6000-memory.dmp

memory/5204-2195-0x0000000005D30000-0x0000000006348000-memory.dmp

memory/5204-2196-0x0000000005820000-0x000000000592A000-memory.dmp

memory/5260-2197-0x0000000004A00000-0x0000000004A12000-memory.dmp

memory/5204-2198-0x0000000005790000-0x00000000057CC000-memory.dmp

memory/5204-2199-0x00000000057D0000-0x000000000581C000-memory.dmp