Malware Analysis Report

2025-01-23 06:04

Sample ID: 241108-f9c34swgre
Target: 496f62ca4d44f6dc991c30d284d134e135a7d205ffb165aef624dd82748d511f
SHA256: 496f62ca4d44f6dc991c30d284d134e135a7d205ffb165aef624dd82748d511f
Tags: healer redline diro lada discovery dropper evasion infostealer persistence trojan
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file 496f62ca4d44f6dc991c30d284d134e135a7d205ffb165aef624dd82748d511f was found to be: Known bad.

Malicious Activity Summary

Redline family

Detects Healer, an antivirus disabler dropper

RedLine payload

Modifies Windows Defender Real-time Protection settings

Healer

Healer family

RedLine

Checks computer location settings

Windows security modification

Executes dropped EXE

Adds Run key to start application

Launches sc.exe

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported: 2024-11-08 05:33

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-08 05:33
Reported: 2024-11-08 05:36
Platform: win10v2004-20241007-en
Max time kernel: 148s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\496f62ca4d44f6dc991c30d284d134e135a7d205ffb165aef624dd82748d511f.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it660108.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it660108.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it660108.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it660108.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it660108.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it660108.exe N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr000337.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it660108.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\496f62ca4d44f6dc991c30d284d134e135a7d205ffb165aef624dd82748d511f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziXF5713.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziQc7393.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp968945.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\496f62ca4d44f6dc991c30d284d134e135a7d205ffb165aef624dd82748d511f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziXF5713.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziQc7393.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr000337.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\1.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it660108.exe N/A (2 events)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it660108.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr000337.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2712 wrote to memory of 1064 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\496f62ca4d44f6dc991c30d284d134e135a7d205ffb165aef624dd82748d511f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziXF5713.exe
PID 1064 wrote to memory of 4288 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziXF5713.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziQc7393.exe
PID 4288 wrote to memory of 1596 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziQc7393.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it660108.exe
PID 4288 wrote to memory of 4908 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziQc7393.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr000337.exe
PID 4908 wrote to memory of 6192 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr000337.exe C:\Windows\Temp\1.exe
PID 1064 wrote to memory of 6868 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziXF5713.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp968945.exe

Processes

C:\Users\Admin\AppData\Local\Temp\496f62ca4d44f6dc991c30d284d134e135a7d205ffb165aef624dd82748d511f.exe

"C:\Users\Admin\AppData\Local\Temp\496f62ca4d44f6dc991c30d284d134e135a7d205ffb165aef624dd82748d511f.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziXF5713.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziXF5713.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziQc7393.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziQc7393.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it660108.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it660108.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr000337.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr000337.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4908 -ip 4908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1372

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp968945.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp968945.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
RU 185.161.248.90:4125 tcp (12 connections)

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziXF5713.exe

MD5 e04c7e96ee59d2015706ff71c71c3cae
SHA1 fd3b98f05dae77002d5d2f5049f2de41e8fdec10
SHA256 4bd54ee349d83e8dbdc5366ee8be6174b929f634a6c5644504d023060829f523
SHA512 5c75ca5f30d67081a2fb977536f6f33b7595c567ebdfc27791d16dbc947b7305b5d9dccf6bc5d86ccd0eeef16bdc003750f5398a9199fd4883e1f0cd2354f4c4

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziQc7393.exe

MD5 680417f2efe9eb78a4fb2e7866ec66f5
SHA1 de726b1f5ae8bdc19479980fd10e988dca138623
SHA256 607443710032388c930a8c9e35bd2e4c73771c4b4299507f6429731b36882b36
SHA512 8cb35a5f1b56796b1c5a97b3a8476952418a145edfe2ffda0382f1db7d8b9d94f41b1fd4eae56691434c1ab8093dfd811beea68906e95f6fe5d56d302a4a5fa1

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it660108.exe

MD5 a4f89f8dc8ca3450dc0240359e4c002c
SHA1 5b23c62b34d9adcfdb997a039b29115ba117fd1b
SHA256 03454e8aad3ebc11c3a0662fe85773cec8e85d456313438a94f99afc1c2fc42e
SHA512 9e8427ac8d39272ffdfed294238fdbfdd3a54ae379ed5a2d3d9acbe9a62ba19cf5b082b11b6f295ecb75da0f15aeb5c377f95198508c5e406e39406b1383bcab

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr000337.exe

MD5 6424b85ebce56537ad6c67e59be400a8
SHA1 4010e1a196ba734e1b82868e6c47e391631e2e3a
SHA256 6ab79416f69dcf4bdf22ee0430afe96783ceac1fdf2057a959f023392efc29e9
SHA512 0905f6ddc31f1224e7d0c3fc0fca30aa3674ebc402dd843b47402c3c8047a9783f1389cdd45386aa43f72b8771a479c8fef668362bbd4582945443c193778c2b

C:\Windows\Temp\1.exe

MD5 03728fed675bcde5256342183b1d6f27
SHA1 d13eace7d3d92f93756504b274777cc269b222a2
SHA256 f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0
SHA512 6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp968945.exe

MD5 43c614eb71d96a7c3032441b908aa784
SHA1 ed6c87091e3eeb5cbde101ea695b789fa90e0f8a
SHA256 4ac318b562dda975404a501e4651c87f03d0e0ce0b578808d11612bd0d88d584
SHA512 6d0fa888ba4d559df80c41cac4c1695ac79d112b2daf218d9b5fca4f6450948d229c33d8aef4aae2aee7504062a18b8b041c8f292132f00ab51fc35720339007