Malware Analysis Report

2025-01-23 05:57

Sample ID 241108-lnbaaayrfv
Target f9f6d8f7effbb170ce5455cb0dba05d5e1575169d26520029cff2ae9e0f0cbc6
SHA256 f9f6d8f7effbb170ce5455cb0dba05d5e1575169d26520029cff2ae9e0f0cbc6
Tags: healer redline diro lada discovery dropper evasion infostealer persistence trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: f9f6d8f7effbb170ce5455cb0dba05d5e1575169d26520029cff2ae9e0f0cbc6

Threat Level: Known bad

The file f9f6d8f7effbb170ce5455cb0dba05d5e1575169d26520029cff2ae9e0f0cbc6 was found to be: Known bad.

Malicious Activity Summary

healer redline diro lada discovery dropper evasion infostealer persistence trojan

RedLine

Redline family

Modifies Windows Defender Real-time Protection settings

RedLine payload

Healer family

Detects Healer, an antivirus disabler dropper

Healer

Executes dropped EXE

Checks computer location settings

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-08 09:40

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-08 09:40
Reported: 2024-11-08 09:42
Platform: win10v2004-20241007-en
Max time kernel: 145s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f9f6d8f7effbb170ce5455cb0dba05d5e1575169d26520029cff2ae9e0f0cbc6.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Healer

Tags: dropper healer

Healer family

Tags: healer

Modifies Windows Defender Real-time Protection settings

Tags: evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it606859.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it606859.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it606859.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it606859.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it606859.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it606859.exe N/A

RedLine

Tags: infostealer redline

RedLine payload

Redline family

Tags: redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr512344.exe N/A

Windows security modification

Tags: evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it606859.exe N/A

Adds Run key to start application

Tags: persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\f9f6d8f7effbb170ce5455cb0dba05d5e1575169d26520029cff2ae9e0f0cbc6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zikN5050.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zihP0880.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp294765.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f9f6d8f7effbb170ce5455cb0dba05d5e1575169d26520029cff2ae9e0f0cbc6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zikN5050.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zihP0880.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr512344.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it606859.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it606859.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it606859.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr512344.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1956 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\f9f6d8f7effbb170ce5455cb0dba05d5e1575169d26520029cff2ae9e0f0cbc6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zikN5050.exe
PID 1956 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\f9f6d8f7effbb170ce5455cb0dba05d5e1575169d26520029cff2ae9e0f0cbc6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zikN5050.exe
PID 1956 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\f9f6d8f7effbb170ce5455cb0dba05d5e1575169d26520029cff2ae9e0f0cbc6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zikN5050.exe
PID 4364 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zikN5050.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zihP0880.exe
PID 4364 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zikN5050.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zihP0880.exe
PID 4364 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zikN5050.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zihP0880.exe
PID 2340 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zihP0880.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it606859.exe
PID 2340 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zihP0880.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it606859.exe
PID 2340 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zihP0880.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr512344.exe
PID 2340 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zihP0880.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr512344.exe
PID 2340 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zihP0880.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr512344.exe
PID 2300 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr512344.exe C:\Windows\Temp\1.exe
PID 2300 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr512344.exe C:\Windows\Temp\1.exe
PID 2300 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr512344.exe C:\Windows\Temp\1.exe
PID 4364 wrote to memory of 6124 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zikN5050.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp294765.exe
PID 4364 wrote to memory of 6124 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zikN5050.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp294765.exe
PID 4364 wrote to memory of 6124 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zikN5050.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp294765.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f9f6d8f7effbb170ce5455cb0dba05d5e1575169d26520029cff2ae9e0f0cbc6.exe

"C:\Users\Admin\AppData\Local\Temp\f9f6d8f7effbb170ce5455cb0dba05d5e1575169d26520029cff2ae9e0f0cbc6.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zikN5050.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zikN5050.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zihP0880.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zihP0880.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it606859.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it606859.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr512344.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr512344.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2300 -ip 2300

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 1376

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp294765.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp294765.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zikN5050.exe

MD5 56e244ca1e00be66b99fa69f0676b711
SHA1 93e4a904f2f763eea4b2ab5c7933ba211519f51f
SHA256 7270daab1be1016387d59aa0551f70c4353eb4526862f38f8644e67690eafaaf
SHA512 6d0076571bda77b99a24b02e201198e802bbc6be0fba5a821617e06321208841b1136de73a3ccb0cfdaa933b0c1fd6f4a09dbcb07edafd7d7040ee5139d75267

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zihP0880.exe

MD5 ffb27a38412f258c500e637c4843f1c2
SHA1 763193db9327480cdcbc2d80dbfed8d95cce266a
SHA256 7e737c7fef570d948fa978d00cfdeafcf167b70ddb16b4b330bfa8e4b1db0dab
SHA512 1c660f7e151a71d30b006f8603871973fb17cef27d3f455db45ab8518cf762524b76014215a8492ac41307d843560ae88fdece02512c90d893a3b6a302478121

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it606859.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr512344.exe

MD5 4af31632ee6767421b24590cb1925eb3
SHA1 9d6fc6c68ae976b4127f283dd24a4bd93ca10c16
SHA256 724b278998dfa70d625ac455d262f9d11161767435e37493b2790ce09d026a8e
SHA512 33f93c10efaa2b4954129168fc3e315315564dd51b1382b9d37e207a3218138d8149da4feb798da5b260f3a1d7ea0d8b784993c965b8964b98a00d371ef0d5a2

C:\Windows\Temp\1.exe

MD5 03728fed675bcde5256342183b1d6f27
SHA1 d13eace7d3d92f93756504b274777cc269b222a2
SHA256 f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0
SHA512 6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp294765.exe

MD5 76f77063ff3283afe2e34aab239cfba5
SHA1 8d7dfde13be2e9cddda863c4b6cd55c3b89727b3
SHA256 423e55a4cf788a78d7493bb8f4c7831a5323e9ea6c79a784f23f4add92b44b33
SHA512 1cb57962c3defaf171b4fd166e35553f0ea6c50a2114621a324b41a6a90effb9610b5f3f314cf01cc372f1e1d661c6013a17918202610140b0af32a311fc6b3b