Malware Analysis Report

2025-04-03 14:18

Sample ID 241109-1mptlsskcz
Target aec82aaa0df20d7580f7f2704eef687944f062eeceb654be4ff434de05c0cae0
SHA256 aec82aaa0df20d7580f7f2704eef687944f062eeceb654be4ff434de05c0cae0
Tags
healer redline discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

aec82aaa0df20d7580f7f2704eef687944f062eeceb654be4ff434de05c0cae0

Threat Level: Known bad

The file aec82aaa0df20d7580f7f2704eef687944f062eeceb654be4ff434de05c0cae0 was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

Healer

RedLine payload

Detects Healer, an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

Redline family

Healer family

RedLine

Windows security modification

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 21:46

Signatures

Unsigned PE

Description Indicator Process Target
(1 hit; no indicator, process or target recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 21:46

Reported

2024-11-09 21:48

Platform

win10v2004-20241007-en

Max time kernel

141s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aec82aaa0df20d7580f7f2704eef687944f062eeceb654be4ff434de05c0cae0.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
(2 hits; no indicator, process or target recorded)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
All six events below were performed by C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az703803.exe (target N/A):
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
These are the Group Policy override values for Defender real-time protection; the "Key created" event shows the policy key did not exist beforehand, which is the state of a default Windows install. The sandbox records the registry calls, not their effect on Defender: on a host with Tamper Protection enabled, Defender blocks changes to these real-time protection settings, so this table does not show that the bypass would work on a managed endpoint.

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(35 hits; no indicator, process or target recorded)

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az703803.exe N/A
This value records the Tamper Protection state and is guarded by the Defender service while the feature is on; the sandbox logs the write attempt, but on a host where Tamper Protection is enabled the service rejects a user-mode change of this value.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\aec82aaa0df20d7580f7f2704eef687944f062eeceb654be4ff434de05c0cae0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki676630.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki927539.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki784693.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki189772.exe N/A
The signature name is misleading for these five values: they do not relaunch the malware. wextract.exe, the Windows IExpress self-extractor, writes a wextract_cleanupN RunOnce value that calls DelNodeRunDLL32 in advpack.dll so its IXP00N.TMP extraction folder is deleted at the next logon. One value per extraction level, each written by the executable that unpacked that level, identifies the sample as a five-deep nest of IExpress packages (IXP000.TMP through IXP004.TMP); the innermost level yields az703803.exe and bu591768.exe. The WOW6432Node path shows the droppers run as 32-bit processes on the 64-bit sandbox. The real persistence question for this sample is therefore what the two final-stage binaries do, and this table answers nothing about that.
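
The Defender policy writes and the wextract_cleanup RunOnce values above are the two registry observations worth turning into detection logic, and they need opposite treatment: the first is defence evasion, the second is self-extractor housekeeping that only reveals the packaging. The Python below is an added example written for this page, not sandbox output and not code from the sample. It parses registry event lines in the layout of the tables above (copied into the script as a constructed sample, plus one made-up HKCU Run entry written by a hypothetical process so that a genuine autorun shows up for contrast) and classifies each as a Defender real-time-protection override, a Tamper Protection write, an IExpress cleanup hook, or autorun persistence. The number of distinct IXP folders named by cleanup hooks gives the nesting depth of the dropper.

```python
import re
from dataclasses import dataclass

# Constructed input: registry events in the layout of the signature tables above.
# The last line is NOT from the report: a hypothetical HKCU Run value written by a
# hypothetical process, included so genuine autorun persistence is visible.
SAMPLE_EVENTS = r'''
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az703803.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az703803.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az703803.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az703803.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az703803.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az703803.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az703803.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\aec82aaa0df20d7580f7f2704eef687944f062eeceb654be4ff434de05c0cae0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki676630.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki927539.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki784693.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki189772.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-0-0-0-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Users\\Admin\\AppData\\Roaming\\updater.exe" C:\Users\Admin\AppData\Roaming\hypothetical.exe N/A
'''

# One event per line: <op> <path>[ = "<data>"] <process> <target>; string data is
# quoted with backslashes and quotes escaped, so the data group honours escapes.
EVENT_RE = re.compile(
    r'^(?P<op>Key created|Key opened|Set value \(\w+\)) '
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?: = "(?P<data>(?:[^"\\]|\\.)*)")?'
    r' (?P<proc>\S+) N/A$'
)
RTP_POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
TAMPER_VALUE = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection"
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(?P<key>Run|RunOnce)\\[^\\]+$", re.I)
# wextract (IExpress SFX) cleanup hook: deletes its IXPnnn.TMP folder at next logon.
WEXTRACT_RE = re.compile(r'^rundll32\.exe .*advpack\.dll,DelNodeRunDLL32 "(?P<dir>[^"]+)"$', re.I)


@dataclass(frozen=True)
class Finding:
    category: str   # DEFENDER_RTP_DISABLED | TAMPER_PROTECTION_OFF | SFX_CLEANUP | AUTORUN_PERSISTENCE
    detail: str
    process: str


def _unescape(data: str) -> str:
    """Undo the sandbox's backslash escaping inside quoted string values."""
    return re.sub(r"\\(.)", r"\1", data)


def classify(line: str):
    """Classify one registry event line; None for events that are not a value write."""
    m = EVENT_RE.match(line.strip())
    if not m or not m["op"].startswith("Set value"):
        return None
    path, proc = m["path"], m["proc"]
    data = _unescape(m["data"] or "")
    key, _, name = path.rpartition("\\")
    if key == RTP_POLICY_KEY and name.startswith("Disable") and data == "1":
        return Finding("DEFENDER_RTP_DISABLED", name, proc)
    if path == TAMPER_VALUE and data == "0":
        return Finding("TAMPER_PROTECTION_OFF", name, proc)
    run = RUN_KEY_RE.search(path)
    if run:
        sfx = WEXTRACT_RE.match(data)
        if sfx:                      # benign housekeeping, but it names the SFX folder
            return Finding("SFX_CLEANUP", sfx["dir"], proc)
        return Finding("AUTORUN_PERSISTENCE", f"{run['key']}\\{name} = {data}", proc)
    return None


def triage(events: str):
    """All findings, plus the distinct SFX folders (their count is the nesting depth)."""
    findings = [f for f in map(classify, events.splitlines()) if f]
    sfx_dirs = sorted({f.detail for f in findings if f.category == "SFX_CLEANUP"})
    return findings, sfx_dirs


if __name__ == "__main__":
    found, dirs = triage(SAMPLE_EVENTS)
    for f in found:
        exe = f.process.rsplit("\\", 1)[-1]
        print(f"{f.category:22} {f.detail}  <- {exe}")
    print(f"nested SFX levels: {len(dirs)}")
```

Only SFX_CLEANUP findings are downgraded; an unknown Run/RunOnce value stays flagged, so a dropper that hides behind a wextract-like name but points anywhere other than DelNodeRunDLL32 is still reported as persistence.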

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (target N/A) by each of:
C:\Users\Admin\AppData\Local\Temp\aec82aaa0df20d7580f7f2704eef687944f062eeceb654be4ff434de05c0cae0.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki676630.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki927539.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki784693.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki189772.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu591768.exe
The four intermediate droppers and bu591768.exe read the installed-language key; az703803.exe does not.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az703803.exe (2 hits; no indicator or target recorded)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az703803.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu591768.exe N/A
SeDebugPrivilege lets a process open other processes with full access, bypassing the access checks on process objects (protected processes aside). Only the two final-stage binaries enable it; the four intermediate droppers do not.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
Identical rows are collapsed; the count is the number of rows the sandbox reported for that parent/child pair.
PID 4296 wrote to memory of 3116 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\aec82aaa0df20d7580f7f2704eef687944f062eeceb654be4ff434de05c0cae0.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki676630.exe
PID 3116 wrote to memory of 1608 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki676630.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki927539.exe
PID 1608 wrote to memory of 2688 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki927539.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki784693.exe
PID 2688 wrote to memory of 4068 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki784693.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki189772.exe
PID 4068 wrote to memory of 3256 (2 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki189772.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az703803.exe
PID 4068 wrote to memory of 4224 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki189772.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu591768.exe
Every write goes from a parent to the child it has just launched, so this table is the launch chain of the sample (4296 -> 3116 -> 1608 -> 2688 -> 4068 -> 3256 and 4224), not injection into an unrelated process: a handful of parent-to-child writes during process creation is what the sandbox records for any ordinary process launch. The chain ends in az703803.exe (PID 3256, the process behind the Defender changes above) and bu591768.exe (PID 4224, the process whose memory dumps are listed under Files).
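
Added example, not from the sandbox and not code from the sample: the WriteProcessMemory rows above are enough to rebuild the launch chain, and the shape of that chain is the triage signal (a straight line of single-child droppers ending in processes that spawn nothing). This Python parses the rows in the layout printed above (embedded as a constructed copy, duplicate rows included), builds the parent/child tree with a write count per edge, and reports the root, the longest chain and the leaf processes, which in a nested SFX sample are the payload candidates.

```python
import re
from collections import defaultdict

# Constructed input: the WriteProcessMemory rows of the behavioral1 analysis above,
# one line per reported row, duplicates kept exactly as the sandbox lists them.
WPM_ROWS = r'''
PID 4296 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\aec82aaa0df20d7580f7f2704eef687944f062eeceb654be4ff434de05c0cae0.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki676630.exe
PID 4296 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\aec82aaa0df20d7580f7f2704eef687944f062eeceb654be4ff434de05c0cae0.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki676630.exe
PID 4296 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\aec82aaa0df20d7580f7f2704eef687944f062eeceb654be4ff434de05c0cae0.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki676630.exe
PID 3116 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki676630.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki927539.exe
PID 3116 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki676630.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki927539.exe
PID 3116 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki676630.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki927539.exe
PID 1608 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki927539.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki784693.exe
PID 1608 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki927539.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki784693.exe
PID 1608 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki927539.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki784693.exe
PID 2688 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki784693.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki189772.exe
PID 2688 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki784693.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki189772.exe
PID 2688 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki784693.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki189772.exe
PID 4068 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki189772.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az703803.exe
PID 4068 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki189772.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az703803.exe
PID 4068 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki189772.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu591768.exe
PID 4068 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki189772.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu591768.exe
PID 4068 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki189772.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu591768.exe
'''

# "PID <src> wrote to memory of <dst> N/A <src image> <dst image>" (images contain no spaces)
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def build_tree(rows: str):
    """Return (children, image, writes): parent pid -> child pids in first-seen order,
    pid -> image path, and (parent, child) -> number of write events reported."""
    children, image, writes = defaultdict(list), {}, defaultdict(int)
    for line in rows.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        image.setdefault(src, m["src_img"])
        image.setdefault(dst, m["dst_img"])
        if dst not in children[src]:
            children[src].append(dst)
        writes[(src, dst)] += 1
    return children, image, writes


def roots(children):
    """Pids nobody wrote to: the submitted sample's own process."""
    written = {c for kids in children.values() for c in kids}
    return [p for p in children if p not in written]


def leaves(children, image):
    """Processes that launch nothing further; in a nested SFX chain these are the payloads."""
    return sorted(p for p in image if not children.get(p))


def depth(children, pid):
    """Number of processes on the longest launch chain starting at pid."""
    return 1 + max((depth(children, k) for k in children.get(pid, [])), default=0)


def render(children, image, writes, pid, indent=0, via=None):
    """Indented text tree: pid, image basename and the write count on the edge from the parent."""
    name = image[pid].rsplit("\\", 1)[-1]
    tag = f" ({writes[via]} writes from parent)" if via else ""
    out = ["  " * indent + f"{pid} {name}{tag}"]
    for kid in children.get(pid, []):
        out.extend(render(children, image, writes, kid, indent + 1, (pid, kid)))
    return out


if __name__ == "__main__":
    ch, im, wr = build_tree(WPM_ROWS)
    root = roots(ch)[0]
    print("\n".join(render(ch, im, wr, root)))
    print("chain depth:", depth(ch, root), " payload candidates:", leaves(ch, im))
```

A chain where every node but the last has exactly one child, and the write counts stay at two or three per edge, is the signature of nested self-extractors rather than of injection; a dropper that really injected would show a target pid whose image the parent never launched.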

Processes

Process IDs are taken from the WriteProcessMemory table above. Each process is launched by the one listed before it, except that the last two are both children of ki189772.exe (PID 4068). Only the initial sample is started with a quoted command line; for the dropped stages the command line is the path itself.

PID 4296  C:\Users\Admin\AppData\Local\Temp\aec82aaa0df20d7580f7f2704eef687944f062eeceb654be4ff434de05c0cae0.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\aec82aaa0df20d7580f7f2704eef687944f062eeceb654be4ff434de05c0cae0.exe"

PID 3116  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki676630.exe

PID 1608  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki927539.exe

PID 2688  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki784693.exe

PID 4068  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki189772.exe

PID 3256  C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az703803.exe

PID 4224  C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu591768.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp (PTR lookup of 8.8.8.8)
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp (PTR lookup of 20.72.205.209)
US 8.8.8.8:53 74.209.201.84.in-addr.arpa udp (PTR lookup of 84.201.209.74)
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp (PTR lookup of 20.190.160.14)
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp (PTR lookup of 192.229.221.95)
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp (PTR lookup of 93.184.221.240)
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp (PTR lookup of 52.111.227.14)
RU 185.161.248.152:38452 (no domain) tcp, 7 connections interleaved with the lookups above
The sandbox attributes none of this traffic to a process. Reverse lookups with no owning process are routine background activity of the analysis VM; the one indicator worth keeping is the repeated raw TCP session to 185.161.248.152:38452, which is reached without any name resolution, consistent with RedLine's hard-coded IP:port command-and-control configuration.

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki676630.exe

MD5 6c1fc4e11b2e5f3830374bd4c888aee7
SHA1 e955ea2936fe82a74498fe87d8c2d78765a500d2
SHA256 c92862336197bdd6ab684d25f3009015a4cb7771d3582bea2636fe2d01b2916f
SHA512 93c4d3e0809f6f7f9cb8645788f7c1e5b252fb2319e0b68a87e53b3430622fefb65bd33084fc63266666f2fb70a2dfded1494300d5fde5484743e62d134d1998

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki927539.exe

MD5 c3cfc15ca13a3c8b67788c1b636675d5
SHA1 eaa612b228ae629c1b23bab4b89831ac7c67e1b9
SHA256 69c87a4719943a32794f61ed63b2a7c6340808bc4db639b55bfd65d377781d48
SHA512 c2d90e3b6b76f3b2b23ce2db38eea21c6d0a9c0e455fb1394b9358f5eabfdc613161afc6368bb0b5f1d7031e6749ef46ee4ba27fa739ba3a9f0949c751bac1bf

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki784693.exe

MD5 b0912b2e5df619683116c974d74b48b4
SHA1 a617da6cacac58fa7fd7878c85834f27b37c9fa7
SHA256 5e9338b90316c66a200f6b51342f9cb89c8ba4b71fea90bf902228115e1437af
SHA512 443cb795bace6782aa438972134664002d99a97d462e732711f7db2a487adb6c4d92fa9cc09d67f7cd631d2b40c32547c24e5e9545ec750607f471d349e03432

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki189772.exe

MD5 5ed4826a261478b64307fa31f44baf6d
SHA1 69928fa8e89b424e7a7014fc8dc776a96b193b29
SHA256 90e6dd2bf491996bcffeae35f264e60a77ef53bf441c43914cfa9bafa4adc658
SHA512 382e63f80bbffad21a8023c5b1cc3c101f5cbb46c7c12b2b3f2e962857391fff1beb200e7c7b658f13f0a227b2db7cc3911f53506d0dbc6e2951777b82d2b67b

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az703803.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/3256-35-0x0000000000080000-0x000000000008A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu591768.exe

MD5 f6ef33ae56ea76020ddb3bb26512e59e
SHA1 86a1031d48890b80b7bda9020cefd0eb0a1fe5a9
SHA256 aaad047c831fa83f3de78ba7fc938adbc8f59d0d830098bfaf0eb79399ea55ad
SHA512 3273af9534a3805a1787c8ce08e8d44ff771a4617c107dcce30d9c92d2ab7f3ca17b5b35ec18fa8a140abc44135ff6ec5b050392863ce864cc214d7926d8b2b9

memory/4224-41-0x0000000002900000-0x000000000293C000-memory.dmp

memory/4224-42-0x0000000004E90000-0x0000000005434000-memory.dmp

memory/4224-43-0x0000000004E30000-0x0000000004E6A000-memory.dmp

memory/4224-N-0x0000000004E30000-0x0000000004E65000-memory.dmp for N = 44, 45, 47, 49, 51, 53, 55, 57, 59, 61, 63, 65, 67, 70, 71, 73, 75, 77, 79, 81, 83, 85, 87, 89, 91, 93, 95, 97, 99, 101, 103, 105, 107 (33 dumps of the same region taken over the run)

memory/4224-836-0x0000000007900000-0x0000000007F18000-memory.dmp

memory/4224-837-0x0000000007FA0000-0x0000000007FB2000-memory.dmp

memory/4224-838-0x0000000007FC0000-0x00000000080CA000-memory.dmp

memory/4224-839-0x00000000080E0000-0x000000000811C000-memory.dmp

memory/4224-840-0x0000000002740000-0x000000000278C000-memory.dmp