Malware Analysis Report

2025-01-23 05:57

Sample ID 241108-kb8jks1pcp
Target 59bbc8f9f96c429e4c32b0b595d88a82ff3a85d8ae726b723e8a767ca4489680
SHA256 59bbc8f9f96c429e4c32b0b595d88a82ff3a85d8ae726b723e8a767ca4489680
Tags healer redline diza lada discovery dropper evasion infostealer persistence trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

59bbc8f9f96c429e4c32b0b595d88a82ff3a85d8ae726b723e8a767ca4489680

Threat Level: Known bad

The file 59bbc8f9f96c429e4c32b0b595d88a82ff3a85d8ae726b723e8a767ca4489680 was found to be: Known bad.

Malicious Activity Summary

healer redline diza lada discovery dropper evasion infostealer persistence trojan

Redline family

Healer

Detects Healer an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Healer family

Executes dropped EXE

Checks computer location settings

Windows security modification

Adds Run key to start application

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-08 08:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-08 08:26

Reported

2024-11-08 08:29

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\59bbc8f9f96c429e4c32b0b595d88a82ff3a85d8ae726b723e8a767ca4489680.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A (17 matches; no Description, Indicator, Process or Target details reported)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr194095.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr194095.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr194095.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr194095.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr194095.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr194095.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A (5 matches; no Description, Indicator, Process or Target details reported)

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu943905.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr194095.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr194095.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\59bbc8f9f96c429e4c32b0b595d88a82ff3a85d8ae726b723e8a767ca4489680.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un007049.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un892799.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk954095.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\59bbc8f9f96c429e4c32b0b595d88a82ff3a85d8ae726b723e8a767ca4489680.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un007049.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un892799.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr194095.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu943905.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\1.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr194095.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr194095.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr194095.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu943905.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4700 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\59bbc8f9f96c429e4c32b0b595d88a82ff3a85d8ae726b723e8a767ca4489680.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un007049.exe
PID 4700 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\59bbc8f9f96c429e4c32b0b595d88a82ff3a85d8ae726b723e8a767ca4489680.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un007049.exe
PID 4700 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\59bbc8f9f96c429e4c32b0b595d88a82ff3a85d8ae726b723e8a767ca4489680.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un007049.exe
PID 2700 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un007049.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un892799.exe
PID 2700 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un007049.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un892799.exe
PID 2700 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un007049.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un892799.exe
PID 436 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un892799.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr194095.exe
PID 436 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un892799.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr194095.exe
PID 436 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un892799.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr194095.exe
PID 436 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un892799.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu943905.exe
PID 436 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un892799.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu943905.exe
PID 436 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un892799.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu943905.exe
PID 2356 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu943905.exe C:\Windows\Temp\1.exe
PID 2356 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu943905.exe C:\Windows\Temp\1.exe
PID 2356 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu943905.exe C:\Windows\Temp\1.exe
PID 2700 wrote to memory of 5200 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un007049.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk954095.exe
PID 2700 wrote to memory of 5200 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un007049.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk954095.exe
PID 2700 wrote to memory of 5200 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un007049.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk954095.exe

Processes

C:\Users\Admin\AppData\Local\Temp\59bbc8f9f96c429e4c32b0b595d88a82ff3a85d8ae726b723e8a767ca4489680.exe

"C:\Users\Admin\AppData\Local\Temp\59bbc8f9f96c429e4c32b0b595d88a82ff3a85d8ae726b723e8a767ca4489680.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un007049.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un007049.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un892799.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un892799.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr194095.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr194095.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4576 -ip 4576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu943905.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu943905.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2356 -ip 2356

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 1496

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk954095.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk954095.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.161.248.90:4125 N/A tcp
RU 185.161.248.90:4125 N/A tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
RU 185.161.248.90:4125 N/A tcp
RU 185.161.248.90:4125 N/A tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
RU 185.161.248.90:4125 N/A tcp
RU 185.161.248.90:4125 N/A tcp
RU 185.161.248.90:4125 N/A tcp
RU 185.161.248.90:4125 N/A tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
RU 185.161.248.90:4125 N/A tcp
RU 185.161.248.90:4125 N/A tcp
RU 185.161.248.90:4125 N/A tcp
RU 185.161.248.90:4125 N/A tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un007049.exe

MD5 54c1e112755e5b0e1aa4eb1e967d19f5
SHA1 6313de7f7412f64a530b505eb2df91a0f06b6395
SHA256 462b9ba12064020d4d13d02b6ae21cc61b4810ae32d2f163c87c0e4763b3a56d
SHA512 0bf67b5eda2d5277a47a7d95772add63067fe98f0113411dcf960dde776fa11da26d714ffdf18c90014a6bef6012e66dec10afcffdebb7fa4f7326927892b4c6

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un892799.exe

MD5 00f61f3477deff33d35b02affdf6255c
SHA1 06c3cc94fdfbfcffa88ade49df2ce575bacaa58e
SHA256 604bbc4f9030d519f92d6f656d4167565609f6a56b8775b09a2134f9b883d69a
SHA512 85d2fd1cc2bb02654a92945c7e908263ffe159dfd973ef49d2fc5939efd1dff0b5d19c14710d747cf4403f7e4d45feab57ec5ac43479001ce82362c240cc34c9

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr194095.exe

MD5 95e6c39b0a48065756fd7bbe5d8a7168
SHA1 233faa5ee3bc7603ba09350d3cbc0226c69aa510
SHA256 ccc727c92d3c6f9a46229c3e30f4bba63cf3f9eabf6c08a69174e21aa21dce2a
SHA512 b5c5dc5c2ab5ef61c93dae03f3422fb89421e316811cf4abe8db769a10da7eaf60c2a69d55a75a0cc6b5a690da253c3d24401a1b2bfc14190d1df9fc08c26f24

memory/4576-22-0x00000000006C0000-0x00000000007C0000-memory.dmp

memory/4576-23-0x00000000005E0000-0x000000000060D000-memory.dmp

memory/4576-24-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4576-25-0x0000000002560000-0x000000000257A000-memory.dmp

memory/4576-26-0x0000000004A90000-0x0000000005034000-memory.dmp

memory/4576-27-0x0000000004A40000-0x0000000004A58000-memory.dmp

memory/4576-55-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/4576-53-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/4576-52-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/4576-49-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/4576-47-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/4576-45-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/4576-44-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/4576-41-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/4576-39-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/4576-38-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/4576-35-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/4576-33-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/4576-31-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/4576-30-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/4576-28-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/4576-56-0x00000000006C0000-0x00000000007C0000-memory.dmp

memory/4576-57-0x00000000005E0000-0x000000000060D000-memory.dmp

memory/4576-58-0x0000000000400000-0x00000000004AF000-memory.dmp

memory/4576-59-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4576-61-0x0000000000400000-0x00000000004AF000-memory.dmp

memory/4576-62-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu943905.exe

MD5 38378440401179d9e277ad494a4f4eeb
SHA1 144eb4a952172596bf7c72fa97ce8871078bf660
SHA256 0eeb3422962f4117f296317d4bf18e916483d2ce546f6a3ac0200b0da1de1e9d
SHA512 67f76e50f9848eb3950439a4bd05dad780eb0c406476af7001953e6354a5cb7699f89bb08acea401ef5df4734d15a36401013c4cfd295c8ffdcb5d746c067405

memory/2356-67-0x00000000022A0000-0x0000000002308000-memory.dmp

memory/2356-68-0x00000000025B0000-0x0000000002616000-memory.dmp

memory/2356-69-0x00000000025B0000-0x0000000002610000-memory.dmp

memory/2356-76-0x00000000025B0000-0x0000000002610000-memory.dmp

memory/2356-102-0x00000000025B0000-0x0000000002610000-memory.dmp

memory/2356-100-0x00000000025B0000-0x0000000002610000-memory.dmp

memory/2356-98-0x00000000025B0000-0x0000000002610000-memory.dmp

memory/2356-96-0x00000000025B0000-0x0000000002610000-memory.dmp

memory/2356-94-0x00000000025B0000-0x0000000002610000-memory.dmp

memory/2356-92-0x00000000025B0000-0x0000000002610000-memory.dmp

memory/2356-90-0x00000000025B0000-0x0000000002610000-memory.dmp

memory/2356-88-0x00000000025B0000-0x0000000002610000-memory.dmp

memory/2356-86-0x00000000025B0000-0x0000000002610000-memory.dmp

memory/2356-82-0x00000000025B0000-0x0000000002610000-memory.dmp

memory/2356-80-0x00000000025B0000-0x0000000002610000-memory.dmp

memory/2356-78-0x00000000025B0000-0x0000000002610000-memory.dmp

memory/2356-84-0x00000000025B0000-0x0000000002610000-memory.dmp

memory/2356-74-0x00000000025B0000-0x0000000002610000-memory.dmp

memory/2356-72-0x00000000025B0000-0x0000000002610000-memory.dmp

memory/2356-70-0x00000000025B0000-0x0000000002610000-memory.dmp

memory/2356-2211-0x0000000005410000-0x0000000005442000-memory.dmp

C:\Windows\Temp\1.exe

MD5 03728fed675bcde5256342183b1d6f27
SHA1 d13eace7d3d92f93756504b274777cc269b222a2
SHA256 f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0
SHA512 6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

memory/516-2224-0x0000000000ED0000-0x0000000000EFE000-memory.dmp

memory/516-2225-0x0000000007B40000-0x0000000007B46000-memory.dmp

memory/516-2226-0x0000000005DE0000-0x00000000063F8000-memory.dmp

memory/516-2227-0x0000000005910000-0x0000000005A1A000-memory.dmp

memory/516-2228-0x0000000005840000-0x0000000005852000-memory.dmp

memory/516-2229-0x00000000058A0000-0x00000000058DC000-memory.dmp

memory/516-2230-0x0000000005A20000-0x0000000005A6C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk954095.exe

MD5 c52ebada00a59ec1f651a0e9fbcef2eb
SHA1 e1941278df76616f1ca3202ef2a9f99d2592d52f
SHA256 35d5cff482e78c0137b3c51556d1e14aab0f38921ebfe46abc979a826301d28e
SHA512 6b11124fa6cfa1d2fdb8b6a4cc237b4a65ecbeb1797179568dcef378041ce05bdf0af9b6434cc0b3feb2479112d003b0fa5c0d2178c73bc65d35f5c2cfb36be2

memory/5200-2235-0x0000000000C70000-0x0000000000CA0000-memory.dmp

memory/5200-2236-0x00000000013B0000-0x00000000013B6000-memory.dmp