Malware Analysis Report

2025-04-03 09:02

Sample ID 241107-qrk14sslgs
Target a215c16b4ffeac993d8496847ef18ef2c11232061cb1bcddd86e6c54d7b49b07
SHA256 a215c16b4ffeac993d8496847ef18ef2c11232061cb1bcddd86e6c54d7b49b07
Tags
healer redline rodik discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a215c16b4ffeac993d8496847ef18ef2c11232061cb1bcddd86e6c54d7b49b07

Threat Level: Known bad

The file a215c16b4ffeac993d8496847ef18ef2c11232061cb1bcddd86e6c54d7b49b07 was found to be: Known bad.

Malicious Activity Summary

healer redline rodik discovery dropper evasion infostealer persistence trojan

Redline family

Healer family

Modifies Windows Defender Real-time Protection settings

RedLine payload

Detects Healer an antivirus disabler dropper

Healer

RedLine

Executes dropped EXE

Windows security modification

Adds Run key to start application

Launches sc.exe

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-07 13:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 13:29

Reported

2024-11-07 13:32

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a215c16b4ffeac993d8496847ef18ef2c11232061cb1bcddd86e6c54d7b49b07.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iOk29Sn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iOk29Sn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iOk29Sn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iOk29Sn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iOk29Sn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iOk29Sn.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iOk29Sn.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sAr47Ja13.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\a215c16b4ffeac993d8496847ef18ef2c11232061cb1bcddd86e6c54d7b49b07.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\srR13CM55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sxT84Wm35.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a215c16b4ffeac993d8496847ef18ef2c11232061cb1bcddd86e6c54d7b49b07.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\srR13CM55.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sxT84Wm35.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sAr47Ja13.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kzy85rw.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iOk29Sn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iOk29Sn.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iOk29Sn.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kzy85rw.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4804 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\a215c16b4ffeac993d8496847ef18ef2c11232061cb1bcddd86e6c54d7b49b07.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\srR13CM55.exe
PID 4804 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\a215c16b4ffeac993d8496847ef18ef2c11232061cb1bcddd86e6c54d7b49b07.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\srR13CM55.exe
PID 4804 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\a215c16b4ffeac993d8496847ef18ef2c11232061cb1bcddd86e6c54d7b49b07.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\srR13CM55.exe
PID 3904 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\srR13CM55.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sxT84Wm35.exe
PID 3904 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\srR13CM55.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sxT84Wm35.exe
PID 3904 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\srR13CM55.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sxT84Wm35.exe
PID 2016 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sxT84Wm35.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sAr47Ja13.exe
PID 2016 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sxT84Wm35.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sAr47Ja13.exe
PID 2016 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sxT84Wm35.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sAr47Ja13.exe
PID 1196 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sAr47Ja13.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iOk29Sn.exe
PID 1196 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sAr47Ja13.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iOk29Sn.exe
PID 1196 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sAr47Ja13.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kzy85rw.exe
PID 1196 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sAr47Ja13.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kzy85rw.exe
PID 1196 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sAr47Ja13.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kzy85rw.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a215c16b4ffeac993d8496847ef18ef2c11232061cb1bcddd86e6c54d7b49b07.exe

"C:\Users\Admin\AppData\Local\Temp\a215c16b4ffeac993d8496847ef18ef2c11232061cb1bcddd86e6c54d7b49b07.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\srR13CM55.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\srR13CM55.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sxT84Wm35.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sxT84Wm35.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sAr47Ja13.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sAr47Ja13.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iOk29Sn.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iOk29Sn.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kzy85rw.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kzy85rw.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 74.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
RU 193.233.20.23:4124 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
RU 193.233.20.23:4124 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 193.233.20.23:4124 tcp
RU 193.233.20.23:4124 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
RU 193.233.20.23:4124 tcp
RU 193.233.20.23:4124 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\srR13CM55.exe

MD5 0b4974065708c5169e8ecd393c6ee904
SHA1 7888b663e94fd38069b22ec8a377760dad97b71c
SHA256 a71696806d6ef5c9cdd1381e0b39c612da9063653928591ac87b7c42a1ab40fb
SHA512 32609ac78d212140a7c737c86cecc416df397cad83504fd47ebd0d20eb955e3574af22e0d4ca668287435901489d630088629e456270f005b3657d5884591cb4

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sxT84Wm35.exe

MD5 8e80a066c03748be0757db2f5d85f5dd
SHA1 8900b68bda85c91c7196a07e16ad7595b7fdd866
SHA256 759caf232761b9c179e135c947015e423bdca5060a5185dee16a3533ca433b0b
SHA512 ea03d15b01d9fad14db261b88d6f0e8a6db89bd0778e78d5133d0c307dcd3dfd39b1900b51cb152478c3fd76e26231c80da0f6493084b76b16a34afdb5c4ac93

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sAr47Ja13.exe

MD5 572c79ee241d288670c8a7d03b645555
SHA1 4d507fab421ca130cb4dad12f772a3f86d06c7a4
SHA256 21323861856c3d866eb2a64e23712917d935017760d957879d217382ed57f014
SHA512 82e6fc6c80cd857f68dca9467e204ec46120682a65d823c908c044af4fa299a426ff9a96f070d39c7950af15d2678526d1329069ca1603a9e1819043ce3d8591

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iOk29Sn.exe

MD5 dcb303e2a43908f852743180f53037ec
SHA1 66c9cdfffa5d8046560d9be55d3c98479b3451dc
SHA256 efb233d63447cc69cab1e519f5b6bd32c6ed62c3d42c704bd87e25d02fb26132
SHA512 b322a9136a2317a4810fc0e04ad3ca6c727b854296a2121cf19b0b01469023189ffd391189045bb61d085f601d5b59e7f33efe3eeb524ce404de5076999b8b33

memory/2140-28-0x0000000000230000-0x000000000023A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kzy85rw.exe

MD5 41666d628279dd911f993bd01968f61a
SHA1 9fbb99c1f257d58eeb3636727502224b9b1d3517
SHA256 0541f21d857e8c94d6e10b7907eb041b1a4a34052d77ef1b3bdaa8e26375816f
SHA512 e68d482eab6c63cda3f9599ba1f90c14cdd1fb04629c9df6b969f8e3fcfac058a8bc8e86854893ac5bb20d2ee1a63ee80faa1ae8e9d935cd0612633034bc2793

memory/4696-34-0x0000000004C90000-0x0000000004CD6000-memory.dmp

memory/4696-35-0x00000000072E0000-0x0000000007884000-memory.dmp

memory/4696-36-0x0000000004E30000-0x0000000004E74000-memory.dmp

memory/4696-43-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/4696-52-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/4696-98-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/4696-96-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/4696-94-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/4696-92-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/4696-90-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/4696-88-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/4696-86-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/4696-84-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/4696-80-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/4696-78-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/4696-76-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/4696-74-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/4696-72-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/4696-70-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/4696-66-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/4696-64-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/4696-62-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/4696-60-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/4696-58-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/4696-54-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/4696-50-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/4696-48-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/4696-46-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/4696-44-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/4696-100-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/4696-82-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/4696-68-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/4696-56-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/4696-40-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/4696-38-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/4696-37-0x0000000004E30000-0x0000000004E6F000-memory.dmp

memory/4696-943-0x0000000007890000-0x0000000007EA8000-memory.dmp

memory/4696-944-0x0000000007EB0000-0x0000000007FBA000-memory.dmp

memory/4696-945-0x0000000007FC0000-0x0000000007FD2000-memory.dmp

memory/4696-946-0x0000000007FE0000-0x000000000801C000-memory.dmp

memory/4696-947-0x0000000008130000-0x000000000817C000-memory.dmp