Malware Analysis Report

2025-01-23 06:01

Sample ID 241107-svfa5sxldn
Target 62bc10ee439a7705fdfea29c5ac64956ae46b2ee62f8a79ca944b3cff963fbf9
SHA256 62bc10ee439a7705fdfea29c5ac64956ae46b2ee62f8a79ca944b3cff963fbf9
Tags
healer redline disa lada discovery dropper evasion infostealer persistence trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

62bc10ee439a7705fdfea29c5ac64956ae46b2ee62f8a79ca944b3cff963fbf9

Threat Level: Known bad

The file 62bc10ee439a7705fdfea29c5ac64956ae46b2ee62f8a79ca944b3cff963fbf9 was found to be: Known bad.

Malicious Activity Summary

healer redline disa lada discovery dropper evasion infostealer persistence trojan

Redline family

Modifies Windows Defender Real-time Protection settings

RedLine payload

Healer

Healer family

Detects Healer, an antivirus disabler dropper

RedLine

Executes dropped EXE

Windows security modification

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-07 15:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 15:26

Reported

2024-11-07 15:29

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\62bc10ee439a7705fdfea29c5ac64956ae46b2ee62f8a79ca944b3cff963fbf9.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr383196.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr383196.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr383196.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr383196.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr383196.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr383196.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu750361.exe N/A

Windows security modification

evasion trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr383196.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr383196.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\62bc10ee439a7705fdfea29c5ac64956ae46b2ee62f8a79ca944b3cff963fbf9.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un700899.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un889176.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr383196.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu750361.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk077440.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\62bc10ee439a7705fdfea29c5ac64956ae46b2ee62f8a79ca944b3cff963fbf9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un700899.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un889176.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr383196.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr383196.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu750361.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1348 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\62bc10ee439a7705fdfea29c5ac64956ae46b2ee62f8a79ca944b3cff963fbf9.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un700899.exe
PID 1348 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\62bc10ee439a7705fdfea29c5ac64956ae46b2ee62f8a79ca944b3cff963fbf9.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un700899.exe
PID 1348 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\62bc10ee439a7705fdfea29c5ac64956ae46b2ee62f8a79ca944b3cff963fbf9.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un700899.exe
PID 2812 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un700899.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un889176.exe
PID 2812 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un700899.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un889176.exe
PID 2812 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un700899.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un889176.exe
PID 2616 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un889176.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr383196.exe
PID 2616 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un889176.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr383196.exe
PID 2616 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un889176.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr383196.exe
PID 2616 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un889176.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu750361.exe
PID 2616 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un889176.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu750361.exe
PID 2616 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un889176.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu750361.exe
PID 1516 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu750361.exe C:\Windows\Temp\1.exe
PID 1516 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu750361.exe C:\Windows\Temp\1.exe
PID 1516 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu750361.exe C:\Windows\Temp\1.exe
PID 2812 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un700899.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk077440.exe
PID 2812 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un700899.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk077440.exe
PID 2812 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un700899.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk077440.exe

Processes

C:\Users\Admin\AppData\Local\Temp\62bc10ee439a7705fdfea29c5ac64956ae46b2ee62f8a79ca944b3cff963fbf9.exe

"C:\Users\Admin\AppData\Local\Temp\62bc10ee439a7705fdfea29c5ac64956ae46b2ee62f8a79ca944b3cff963fbf9.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un700899.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un700899.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un889176.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un889176.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr383196.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr383196.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu750361.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu750361.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk077440.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk077440.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
RU 185.161.248.90:4125 tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 68.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un700899.exe

MD5 2e11247c6572135d9213760151a138c9
SHA1 0951a5a900ca6e0a8e2cbacf045c351539032ca8
SHA256 13c3a6dea6a57bfc86ccfea249f81a32933d7cb975734fd49358a844fa6444ca
SHA512 b378d87affb833354c88857376f937a5c4c0aa757f2e8aa4c573dc109a5b00209f170ca773ee53d0ec0b99f6df7f6adaf299cb471d6b0775f1f1ad9137aa9dde

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un889176.exe

MD5 e6f5f2d4a213888de0ab3362f421750c
SHA1 459fe3a4a0331aea061a1bd3654aabb73a30df6e
SHA256 c92d619ae05e3d8b8eb476fa255338a363197ced4ccebd680a57c9b2d2d53f95
SHA512 36fb177125c4e2f2a9d443f57c2fa2c05197f9958f856fb9715fe9f4e07d244c923d7eff0bc43f0df2cc620f8acf9d2c2dcfd689256316979059e664955db537

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr383196.exe

MD5 b0cd31b63a09c3295f4c63aa91fecf52
SHA1 296f12f7001ae7e42b453c60a197c6e865500b14
SHA256 f24e448d13c8ed903912c45dd192751d96332de05a1f8311b016478d3014e40a
SHA512 000b69db941ad7e4fe910fba7f5f61e85aa40e57721cb9f4160ade26ed636755389cabd64ea92174f0d0c94850eafe032ab36b19b43e17a3dec005de36406ea6

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu750361.exe

MD5 6ec4a84c64ee983aa9da26d115d40896
SHA1 41fd88338edbabd103b32ecdce52f5f48d0990ba
SHA256 7b3b83ffac9a20aef08b551a16111903b684d271c0530e83f68bbceaf5baef94
SHA512 afc450f38e096152f1ce83352a46c2435b83134ef3f76141d2e98ae846cb558626f186e3931a4f768ad63a5a6d0db0041776f7f555a0decff19253888bcf2d12

C:\Windows\Temp\1.exe

MD5 03728fed675bcde5256342183b1d6f27
SHA1 d13eace7d3d92f93756504b274777cc269b222a2
SHA256 f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0
SHA512 6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk077440.exe

MD5 7823e29f3c79cfe265c5a37eb6bda87e
SHA1 fe51c09cf73348cf5d2940deaad680cb2f8ae093
SHA256 349438701b6bec74cf3dd7ae3660f603b0098c7b97c917f3493b75485e0c3637
SHA512 3011391d6bce7d852dc3362c59b6a07a5d7ab84d9fdb21d2b58548f702f916e89238764f9de3b09974cce94676202e788596313cfd3892c190502a24c51b1184
