Malware Analysis Report

2025-01-23 06:04

Sample ID 241108-hbbhqsxerc
Target af3ad789df2df7b16b483bda5415268315eb7eba4c7b9ac21efd230fe9a528a0
SHA256 af3ad789df2df7b16b483bda5415268315eb7eba4c7b9ac21efd230fe9a528a0
Tags
healer redline diro lada discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

af3ad789df2df7b16b483bda5415268315eb7eba4c7b9ac21efd230fe9a528a0

Threat Level: Known bad

The file af3ad789df2df7b16b483bda5415268315eb7eba4c7b9ac21efd230fe9a528a0 was found to be: Known bad.

Malicious Activity Summary

Healer

RedLine

Healer family

Redline family

Modifies Windows Defender Real-time Protection settings

Detects Healer an antivirus disabler dropper

RedLine payload

Executes dropped EXE

Windows security modification

Checks computer location settings

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2024-11-08 06:33

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-08 06:33

Reported

2024-11-08 06:35

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\af3ad789df2df7b16b483bda5415268315eb7eba4c7b9ac21efd230fe9a528a0.exe"

Signatures

Detects Healer an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr731151.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr731151.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr731151.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr731151.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr731151.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr731151.exe N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu078689.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr731151.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr731151.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\af3ad789df2df7b16b483bda5415268315eb7eba4c7b9ac21efd230fe9a528a0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un889036.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un638187.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu078689.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk677634.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\af3ad789df2df7b16b483bda5415268315eb7eba4c7b9ac21efd230fe9a528a0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un889036.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un638187.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr731151.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr731151.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr731151.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr731151.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu078689.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 404 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\af3ad789df2df7b16b483bda5415268315eb7eba4c7b9ac21efd230fe9a528a0.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un889036.exe
PID 404 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\af3ad789df2df7b16b483bda5415268315eb7eba4c7b9ac21efd230fe9a528a0.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un889036.exe
PID 404 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\af3ad789df2df7b16b483bda5415268315eb7eba4c7b9ac21efd230fe9a528a0.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un889036.exe
PID 4056 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un889036.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un638187.exe
PID 4056 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un889036.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un638187.exe
PID 4056 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un889036.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un638187.exe
PID 2488 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un638187.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr731151.exe
PID 2488 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un638187.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr731151.exe
PID 2488 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un638187.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr731151.exe
PID 2488 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un638187.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu078689.exe
PID 2488 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un638187.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu078689.exe
PID 2488 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un638187.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu078689.exe
PID 3212 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu078689.exe C:\Windows\Temp\1.exe
PID 3212 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu078689.exe C:\Windows\Temp\1.exe
PID 3212 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu078689.exe C:\Windows\Temp\1.exe
PID 4056 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un889036.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk677634.exe
PID 4056 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un889036.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk677634.exe
PID 4056 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un889036.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk677634.exe

Processes

C:\Users\Admin\AppData\Local\Temp\af3ad789df2df7b16b483bda5415268315eb7eba4c7b9ac21efd230fe9a528a0.exe

"C:\Users\Admin\AppData\Local\Temp\af3ad789df2df7b16b483bda5415268315eb7eba4c7b9ac21efd230fe9a528a0.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un889036.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un889036.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un638187.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un638187.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr731151.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr731151.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4564 -ip 4564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu078689.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu078689.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3212 -ip 3212

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 1452

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk677634.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk677634.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un889036.exe

MD5 a7082722d82c84bec92460e5f2aaf114
SHA1 e53c789832dc0e977afeeba7ea8ec8872bd7d1da
SHA256 3b42146453a2f221bcafc18d635adc9b444955beea9d9bb087b96dd22b33229b
SHA512 8de8851c0decb187de8c70ff243246fc615196ba625eb4d1b00d7baeb8bbee693ef2ccb654977b33654d21400bb1394e8b0ffd88725e6191087e5a3c6914acc5

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un638187.exe

MD5 1ac735755d2606ba639de3f975857b67
SHA1 71b2a667f3d0f537c79b671d61deeb366dfbffdd
SHA256 440239b31c8d205f89880da81444858694818c75ada6229f6f2023fdf28cb038
SHA512 3ff50aa12adf2f8d67ed7e34c856e883b10b6f0a7f4a5fa9bb9298555d4e6dd04a53bb98760cb6bec7244a87d8a822b00b1db6e42bd11436dea0597afbdf17c4

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr731151.exe

MD5 f1fca2386d17e52c8dd8280ed0d5435a
SHA1 92b9d8f05de74083b29ee6f8ba2a6a0dabb17af9
SHA256 7170575a3b9bc0bc684adf469b05e9577a134d8c3de3ebb43625845ae8a1e0a0
SHA512 8f59ab903f0574e8c07ea53a09d64765b445ce09e032b694ea7e04ad07a70b2f39778dc0290610a1c5d053f8d4c1502d0ca5fb1ddfd25ce3fd2d0e8164bb0a0e

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu078689.exe

MD5 267ccc75e23ad496aa2664733bd90c5e
SHA1 93a2e1b4cd7e1b94c4fb088ae06dad0149ff4b6f
SHA256 4bac3cdd00b3a99a756ca1fb4d9d14df1ba883363e3e15eb0d6ffe351d9a8a42
SHA512 d5ad0d584869d6ac1e3e9d65dbc1f6fd9e0be90fc825087b498001951ba9fe21dba40109fc2783032ba1be0f02f374ac2c34a2fcf2fbb9a6ed6a19ac809bf0be

C:\Windows\Temp\1.exe

MD5 03728fed675bcde5256342183b1d6f27
SHA1 d13eace7d3d92f93756504b274777cc269b222a2
SHA256 f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0
SHA512 6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk677634.exe

MD5 8f95a0eb65beac905e29908343cd8c65
SHA1 1b4c9c0246cb831131b446fd5230306153f9a518
SHA256 b8619a31593d9ee09c12cc771544d0768602164b39a03943d818454ddc3c81f5
SHA512 65a322b1263dab3057d3f3a3fabbed7e17420c5f8492dd16cef396818fe9c990b2228679b286087c0e2cbc2e8bd335928c58bf99a6d8e6ef979f54b86ff07d1e
