Malware Analysis Report

2025-01-23 06:04

Sample ID 241107-slqqhsxkbl
Target 72cdd24f8d8a44d0a6dcbbbdc1f4b5c9f737e913d794c890019607252628c61a
SHA256 72cdd24f8d8a44d0a6dcbbbdc1f4b5c9f737e913d794c890019607252628c61a
Tags
healer redline disa lada discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

72cdd24f8d8a44d0a6dcbbbdc1f4b5c9f737e913d794c890019607252628c61a

Threat Level: Known bad

The file 72cdd24f8d8a44d0a6dcbbbdc1f4b5c9f737e913d794c890019607252628c61a was found to be: Known bad.

Malicious Activity Summary

healer redline disa lada discovery dropper evasion infostealer persistence trojan

Healer family

Modifies Windows Defender Real-time Protection settings

Redline family

Healer

Detects Healer, an antivirus disabler dropper

RedLine

RedLine payload

Executes dropped EXE

Checks computer location settings

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-07 15:13

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 15:13

Reported

2024-11-07 15:15

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\72cdd24f8d8a44d0a6dcbbbdc1f4b5c9f737e913d794c890019607252628c61a.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr728029.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr728029.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr728029.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr728029.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr728029.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr728029.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu170754.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr728029.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr728029.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\72cdd24f8d8a44d0a6dcbbbdc1f4b5c9f737e913d794c890019607252628c61a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un350514.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un592582.exe N/A
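The three registry sections above (the Real-Time Protection policy values, the Features\TamperProtection write and the RunOnce entries) are best read together, with two caveats. First, the wextract_cleanupN RunOnce values are written by the Windows WExtract self-extractor stub that each stage of this sample is packaged in (the IXP000.TMP, IXP001.TMP and IXP002.TMP directories are its staging folders): each value runs advpack.dll DelNodeRunDLL32 to delete the matching IXP00N.TMP directory at the next logon, so these entries clean up the staging directory rather than relaunch anything and are not persistence for the payload, even though the generic "Adds Run key" signature fires on them. Second, the Defender writes land under the WOW6432Node view because the dropper is a 32-bit process, and where Tamper Protection is enabled Defender rejects registry-based changes to these settings, so a successful write in the sandbox does not by itself show that real-time protection was turned off; when checking an endpoint, query both registry views and the effective Defender state (for example with Get-MpComputerStatus). What follows is an added example and not part of the sandbox report: a Python classifier that parses rows in the report's own row format and separates Defender policy tampering from the benign WExtract cleanup entries and from genuine Run/RunOnce autoruns. The regular expressions, the category names and the two rows marked CONSTRUCTED are assumptions made for the example; those two rows were not observed for this sample and exist only to exercise the negative branches.

```python
import re
from collections import Counter

# Constructed input for this example: registry rows in the sandbox report's own
# row format (operation, key[\value] [= "data"], writing process, target).
# The first eleven rows are copied from the report above; the last two are
# marked CONSTRUCTED, were NOT observed for this sample, and only exercise the
# negative branches (a real autorun, an unrelated write).
REGISTRY_ROWS = r'''
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr728029.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr728029.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr728029.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr728029.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr728029.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr728029.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr728029.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr728029.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\72cdd24f8d8a44d0a6dcbbbdc1f4b5c9f737e913d794c890019607252628c61a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un350514.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un592582.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-0-0-0-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Example\\CONSTRUCTED.exe" C:\Example\CONSTRUCTED.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Example\CONSTRUCTED\Setting = "1" C:\Example\CONSTRUCTED.exe N/A
'''

# The two row shapes the report uses. Keys may contain spaces, so the key group
# is non-greedy and anchored by the ' = "' / ' <process> N/A' that follows it.
SET_RE = re.compile(r'^Set value \((int|str)\) (\\REGISTRY\\.+?) = "(.*)" (\S+) N/A$')
KEY_RE = re.compile(r'^Key created (\\REGISTRY\\.+?) (\S+) N/A$')

# Key fragments compared case-insensitively against the NT registry path.
DEFENDER_RTP = "\\policies\\microsoft\\windows defender\\real-time protection\\"
TAMPER_VALUE = "\\microsoft\\windows defender\\features\\tamperprotection"
AUTORUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
# The WExtract SFX stub's cleanup command: advpack DelNodeRunDLL32 on an IXP###.TMP dir.
WEXTRACT_RE = re.compile(r"advpack\.dll,DelNodeRunDLL32\b.*\bIXP\d{3}\.TMP", re.I)


def parse_rows(text):
    """Turn report rows into dicts; raise on any row the two patterns do not cover."""
    events = []
    for line in text.strip().splitlines():
        m = SET_RE.match(line)
        if m:
            vtype, key, data, proc = m.groups()
            events.append({"op": "set", "type": vtype, "key": key, "data": data, "process": proc})
            continue
        m = KEY_RE.match(line)
        if not m:
            raise ValueError("unparsed row: " + line)
        key, proc = m.groups()
        events.append({"op": "create", "type": None, "key": key, "data": None, "process": proc})
    return events


def classify(ev):
    """Map one registry event to a triage category (the names are this example's own)."""
    if ev["op"] == "create":
        return "key_created"
    key = ev["key"].lower()
    value_name = ev["key"].rsplit("\\", 1)[-1].lower()
    if DEFENDER_RTP in key and ev["data"] == "1":
        return "defender_realtime_disable"      # a Disable* policy value set to 1
    if key.endswith(TAMPER_VALUE) and ev["data"] == "0":
        return "tamper_protection_write"        # an attempt only; ignored where TP is on
    if any(frag in key for frag in AUTORUN_KEYS):
        if value_name.startswith("wextract_cleanup") and WEXTRACT_RE.search(ev["data"]):
            return "wextract_cleanup"           # SFX staging-dir cleanup, not persistence
        return "autorun_persistence"
    return "other"


def triage(text):
    """Classify every row; keep the value name, the writer and which registry view was hit."""
    findings = []
    for ev in parse_rows(text):
        findings.append({
            "category": classify(ev),
            "value": ev["key"].rsplit("\\", 1)[-1],
            "process": ev["process"].rsplit("\\", 1)[-1],
            "wow64_view": "\\wow6432node\\" in ev["key"].lower(),
        })
    return findings


def category_counts(findings):
    """Histogram of categories, for the summary print and for asserting on."""
    return dict(Counter(f["category"] for f in findings))


if __name__ == "__main__":
    results = triage(REGISTRY_ROWS)
    for cat, n in sorted(category_counts(results).items()):
        print(f"{n:2d}  {cat}")
    for r in results:
        if r["category"] in ("defender_realtime_disable", "tamper_protection_write", "autorun_persistence"):
            view = "WOW6432Node" if r["wow64_view"] else "native"
            print(f"  {r['category']:26} {r['value']:30} by {r['process']} ({view} view)")
```

Run against the report's rows, the five Real-Time Protection values and the TamperProtection write are attributed to pr728029.exe, all three wextract_cleanup entries are classed as SFX cleanup, and only the constructed Run\Updater row is reported as an autorun; every WOW6432Node hit is flagged so the analyst remembers to check the native view as well.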

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk601109.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\72cdd24f8d8a44d0a6dcbbbdc1f4b5c9f737e913d794c890019607252628c61a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un350514.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un592582.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr728029.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu170754.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr728029.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr728029.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr728029.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu170754.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1404 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\72cdd24f8d8a44d0a6dcbbbdc1f4b5c9f737e913d794c890019607252628c61a.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un350514.exe
PID 1404 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\72cdd24f8d8a44d0a6dcbbbdc1f4b5c9f737e913d794c890019607252628c61a.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un350514.exe
PID 1404 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\72cdd24f8d8a44d0a6dcbbbdc1f4b5c9f737e913d794c890019607252628c61a.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un350514.exe
PID 4484 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un350514.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un592582.exe
PID 4484 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un350514.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un592582.exe
PID 4484 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un350514.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un592582.exe
PID 4480 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un592582.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr728029.exe
PID 4480 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un592582.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr728029.exe
PID 4480 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un592582.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr728029.exe
PID 4480 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un592582.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu170754.exe
PID 4480 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un592582.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu170754.exe
PID 4480 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un592582.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu170754.exe
PID 3664 wrote to memory of 5712 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu170754.exe C:\Windows\Temp\1.exe
PID 3664 wrote to memory of 5712 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu170754.exe C:\Windows\Temp\1.exe
PID 3664 wrote to memory of 5712 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu170754.exe C:\Windows\Temp\1.exe
PID 4484 wrote to memory of 5880 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un350514.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk601109.exe
PID 4484 wrote to memory of 5880 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un350514.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk601109.exe
PID 4484 wrote to memory of 5880 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un350514.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk601109.exe
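The WriteProcessMemory rows are the sandbox's view of process creation: each writer is the parent of the process it writes to, and every pair shows the same fixed three writes, which is what ordinary CreateProcess looks like from the outside (writes into a process the writer did not create, or a large or irregular number of writes, would be the pattern pointing at injection). Reassembled, the rows give the drop chain of this sample. The following is an added example, not part of the sandbox report: a Python script that parses the rows as printed above and rebuilds the process tree, counting writes per parent/child pair. The row text is copied from the report; the function names are this example's own.

```python
import re
from collections import Counter, defaultdict

# Constructed input: the WriteProcessMemory rows as the sandbox report prints
# them (writer PID, target PID, indicator, writer image, target image).
WRITE_ROWS = r'''
PID 1404 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\72cdd24f8d8a44d0a6dcbbbdc1f4b5c9f737e913d794c890019607252628c61a.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un350514.exe
PID 1404 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\72cdd24f8d8a44d0a6dcbbbdc1f4b5c9f737e913d794c890019607252628c61a.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un350514.exe
PID 1404 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\72cdd24f8d8a44d0a6dcbbbdc1f4b5c9f737e913d794c890019607252628c61a.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un350514.exe
PID 4484 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un350514.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un592582.exe
PID 4484 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un350514.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un592582.exe
PID 4484 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un350514.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un592582.exe
PID 4480 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un592582.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr728029.exe
PID 4480 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un592582.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr728029.exe
PID 4480 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un592582.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr728029.exe
PID 4480 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un592582.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu170754.exe
PID 4480 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un592582.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu170754.exe
PID 4480 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un592582.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu170754.exe
PID 3664 wrote to memory of 5712 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu170754.exe C:\Windows\Temp\1.exe
PID 3664 wrote to memory of 5712 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu170754.exe C:\Windows\Temp\1.exe
PID 3664 wrote to memory of 5712 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu170754.exe C:\Windows\Temp\1.exe
PID 4484 wrote to memory of 5880 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un350514.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk601109.exe
PID 4484 wrote to memory of 5880 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un350514.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk601109.exe
PID 4484 wrote to memory of 5880 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un350514.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk601109.exe
'''

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def basename(path):
    """Last component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def build_tree(text):
    """Return (children, images, writes): parent -> children in first-seen order,
    pid -> image path, and the number of writes per (writer, target) pair."""
    children = defaultdict(list)
    images = {}
    writes = Counter()
    for line in text.strip().splitlines():
        m = WRITE_RE.match(line)
        if not m:
            raise ValueError("unparsed row: " + line)
        writer, target, writer_img, target_img = int(m[1]), int(m[2]), m[3], m[4]
        images.setdefault(writer, writer_img)
        images.setdefault(target, target_img)
        if writes[(writer, target)] == 0:       # first write to this child: record the edge
            children[writer].append(target)
        writes[(writer, target)] += 1
    return children, images, writes


def roots(children):
    """PIDs that write to others but were never written to: the submitted sample."""
    targets = {c for kids in children.values() for c in kids}
    return [p for p in children if p not in targets]


def chain_depth(children, pid):
    """Longest writer -> target path below pid, counted in edges."""
    kids = children.get(pid, [])
    return 0 if not kids else 1 + max(chain_depth(children, k) for k in kids)


def render(children, images, writes, pid, depth=0, parent=None):
    """Indented tree lines; each child also shows how many writes its creator made."""
    label = f"{'  ' * depth}{basename(images[pid])} (PID {pid})"
    if parent is not None:
        label += f" [{writes[(parent, pid)]} writes from PID {parent}]"
    lines = [label]
    for kid in children.get(pid, []):
        lines.extend(render(children, images, writes, kid, depth + 1, pid))
    return lines


if __name__ == "__main__":
    children, images, writes = build_tree(WRITE_ROWS)
    for root in roots(children):
        print("\n".join(render(children, images, writes, root)))
        print(f"chain depth below PID {root}: {chain_depth(children, root)} edges")
```

For this report the tree has one root (the submitted sample, PID 1404), every parent/child pair shows exactly three writes, and the longest chain runs four stages deep: sample, un350514.exe, un592582.exe, qu170754.exe and finally 1.exe in C:\Windows\Temp, with rk601109.exe launched as a second child of un350514.exe.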

Processes

C:\Users\Admin\AppData\Local\Temp\72cdd24f8d8a44d0a6dcbbbdc1f4b5c9f737e913d794c890019607252628c61a.exe

"C:\Users\Admin\AppData\Local\Temp\72cdd24f8d8a44d0a6dcbbbdc1f4b5c9f737e913d794c890019607252628c61a.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un350514.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un350514.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un592582.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un592582.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr728029.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr728029.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu170754.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu170754.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk601109.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk601109.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
US 8.8.8.8:53 udp
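Of the network rows above, only the repeated TCP connection to 185.161.248.90:4125 is a direct outbound connection; every other row is a PTR (reverse DNS) query to the 8.8.8.8 resolver, which is an ordinary reverse lookup rather than a C2 channel and should not be listed as one. The following is an added example, not part of the sandbox report: a Python summary that separates resolver traffic from direct connections, decodes the in-addr.arpa names back to the addresses that were looked up, and emits the endpoint list worth blocking. The row text is copied from the table above; the function names are this example's own.

```python
import re
from collections import Counter

# Constructed input: the network rows as the sandbox report prints them
# (country, destination ip:port, optional queried name, protocol).
NETWORK_ROWS = """
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
US 8.8.8.8:53 udp
"""

# The queried-name column is absent on rows without a DNS name, so it is optional.
ROW_RE = re.compile(r"^([A-Z]{2}) (\d{1,3}(?:\.\d{1,3}){3}):(\d+)(?: (\S+))? (tcp|udp)$")
PTR_SUFFIX = ".in-addr.arpa"


def ptr_to_ip(name):
    """Reverse a PTR name: '97.17.167.52.in-addr.arpa' -> '52.167.17.97'."""
    if not name.endswith(PTR_SUFFIX):
        raise ValueError("not a reverse-lookup name: " + name)
    return ".".join(reversed(name[: -len(PTR_SUFFIX)].split(".")))


def summarize_network(text):
    """Split rows into resolver queries, decoded reverse lookups and direct connections."""
    dns_queries = Counter()        # resolver ip -> number of queries sent to it
    reverse_lookups = []           # addresses that were reverse-resolved, in order
    connections = Counter()        # (ip, port, proto, country) -> connection attempts
    for line in text.strip().splitlines():
        m = ROW_RE.match(line)
        if not m:
            raise ValueError("unparsed row: " + line)
        country, ip, port, name, proto = m.groups()
        port = int(port)
        if proto == "udp" and port == 53:
            dns_queries[ip] += 1
            if name and name.endswith(PTR_SUFFIX):
                reverse_lookups.append(ptr_to_ip(name))
        else:
            connections[(ip, port, proto, country)] += 1
    return {
        "dns_queries": dict(dns_queries),
        "reverse_lookups": reverse_lookups,
        "connections": dict(connections),
    }


def blockable_endpoints(summary):
    """Direct destinations as 'ip:port/proto', the list a network block would use."""
    return sorted(f"{ip}:{port}/{proto}" for (ip, port, proto, _cc) in summary["connections"])


if __name__ == "__main__":
    s = summarize_network(NETWORK_ROWS)
    print("DNS queries per resolver:", s["dns_queries"])
    print("Addresses reverse-resolved:", ", ".join(s["reverse_lookups"]))
    for (ip, port, proto, cc), n in s["connections"].items():
        print(f"{ip}:{port}/{proto} ({cc}) x{n}")
    print("Block list:", blockable_endpoints(s))
```

For this table the summary yields ten queries to 8.8.8.8, nine decoded reverse lookups, twelve connection attempts to a single RU endpoint, and a one-entry block list of 185.161.248.90:4125/tcp.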

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un350514.exe

MD5 c1d4e94a2846b14be307c9fbe04ddf1f
SHA1 f21c41f33018ff9d664adce78b27aec2cad76143
SHA256 036f13e480a34b1fb675fb5046c83b0a0ce143b1e3185074bef37b1b8ffeb01b
SHA512 aeb3d3dd1ac2100bcefec570b97c16bc98035d885836a70e48f794540f2355286424e52bd5015220b6447fb5fc6e02c856e0cc276e75437495b10c1c64bac37b

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un592582.exe

MD5 c0ac27c2434c7c5ec690dc6f13da30a5
SHA1 4848bfe85d9aa9591108270fb014c056b2a823fe
SHA256 59dd6426b1e98f5e6ffddd16ffe9a92c56ce3d9873af57127d79a5fa8b3a0c59
SHA512 88b626d97cd825e11e385cf664d8eb852be2153cc68c103169fe8f644f0d7d0389f09eeb352bb972545c478bc658996fa3076dd9a1cddd591adfef95e75e5e9b

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr728029.exe

MD5 b14656feb86787476fa256bd63b4a093
SHA1 ce78fd3cb4bf6a76013a4af621e9da5a197541ad
SHA256 e7bce6d52c04d174b8814f64d810ef71e7ba3347fb259f5731a894b242a064fb
SHA512 f3d43dd04ccf5e8f0861d3b952da9b2f6c513a4839d3a06e976a1ffb5dfc23da1973641850a7ef8d21d1e1f71075fbaa98d6eda6bf5ca02957bc81950efb6cbd

memory/4796-22-0x00000000027C0000-0x00000000027DA000-memory.dmp

memory/4796-23-0x0000000004E40000-0x00000000053E4000-memory.dmp

memory/4796-24-0x0000000004DB0000-0x0000000004DC8000-memory.dmp

memory/4796-36-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/4796-52-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/4796-50-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/4796-48-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/4796-46-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/4796-44-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/4796-42-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/4796-40-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/4796-38-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/4796-34-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/4796-32-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/4796-30-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/4796-28-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/4796-26-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/4796-25-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/4796-53-0x0000000000400000-0x000000000080A000-memory.dmp

memory/4796-55-0x0000000000400000-0x000000000080A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu170754.exe

MD5 b60cb1337380fe3349f1865a5a7cd277
SHA1 785293220c4e0930aebdd7adba48c83b00a36c1f
SHA256 42e63ee94f22ba023e3c839076fd089597797e4924e45675e88e0590ef1588eb
SHA512 7e2844787b6078970ea95714d0079c7c19e9b6213a23e33bb5d7caaf95e3ca923e3cbd0125145935258fbf4bed0c47133f364b02123a353e3142fd871ce0fcaa

memory/3664-60-0x0000000004EA0000-0x0000000004F08000-memory.dmp

memory/3664-61-0x0000000005540000-0x00000000055A6000-memory.dmp

memory/3664-75-0x0000000005540000-0x00000000055A0000-memory.dmp

memory/3664-77-0x0000000005540000-0x00000000055A0000-memory.dmp

memory/3664-95-0x0000000005540000-0x00000000055A0000-memory.dmp

memory/3664-93-0x0000000005540000-0x00000000055A0000-memory.dmp

memory/3664-91-0x0000000005540000-0x00000000055A0000-memory.dmp

memory/3664-87-0x0000000005540000-0x00000000055A0000-memory.dmp

memory/3664-85-0x0000000005540000-0x00000000055A0000-memory.dmp

memory/3664-81-0x0000000005540000-0x00000000055A0000-memory.dmp

memory/3664-79-0x0000000005540000-0x00000000055A0000-memory.dmp

memory/3664-73-0x0000000005540000-0x00000000055A0000-memory.dmp

memory/3664-71-0x0000000005540000-0x00000000055A0000-memory.dmp

memory/3664-67-0x0000000005540000-0x00000000055A0000-memory.dmp

memory/3664-65-0x0000000005540000-0x00000000055A0000-memory.dmp

memory/3664-89-0x0000000005540000-0x00000000055A0000-memory.dmp

memory/3664-83-0x0000000005540000-0x00000000055A0000-memory.dmp

memory/3664-69-0x0000000005540000-0x00000000055A0000-memory.dmp

memory/3664-63-0x0000000005540000-0x00000000055A0000-memory.dmp

memory/3664-62-0x0000000005540000-0x00000000055A0000-memory.dmp

memory/3664-2204-0x0000000005760000-0x0000000005792000-memory.dmp

C:\Windows\Temp\1.exe

MD5 03728fed675bcde5256342183b1d6f27
SHA1 d13eace7d3d92f93756504b274777cc269b222a2
SHA256 f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0
SHA512 6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

memory/5712-2218-0x0000000000F00000-0x0000000000F2E000-memory.dmp

memory/5712-2219-0x0000000002F70000-0x0000000002F76000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk601109.exe

MD5 837f5da61d9402c196b02510c048a839
SHA1 f9f89d43d82f9923b92bfc7a2e52aa11775080f9
SHA256 e4d0fc8a438375bfb90cbbac1a9caeb164fed06eb78c262797a05b8fe11d8ce4
SHA512 2e9ab36bc950bf23728c09f0325afc9f0b2b237396de6c34d0dbcdd4886a9455ea9c75508ec18b2ec9b1497116ad99ca2f6ab55fa598c9b9e4581e81ea26de6e

memory/5880-2223-0x0000000000510000-0x0000000000540000-memory.dmp

memory/5880-2224-0x0000000004D30000-0x0000000004D36000-memory.dmp

memory/5880-2225-0x0000000005540000-0x0000000005B58000-memory.dmp

memory/5880-2226-0x0000000005030000-0x000000000513A000-memory.dmp

memory/5880-2227-0x0000000004D80000-0x0000000004D92000-memory.dmp

memory/5880-2228-0x0000000004F20000-0x0000000004F5C000-memory.dmp

memory/5880-2229-0x0000000004F60000-0x0000000004FAC000-memory.dmp