Malware Analysis Report

2025-04-03 14:18

Sample ID 241109-1nm2eatalm
Target ce580d7e396d4ea838280dc1df5c96ba15f12f48f636baed921d944c9070b993
SHA256 ce580d7e396d4ea838280dc1df5c96ba15f12f48f636baed921d944c9070b993
Tags
healer redline morty discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ce580d7e396d4ea838280dc1df5c96ba15f12f48f636baed921d944c9070b993

Threat Level: Known bad

The file ce580d7e396d4ea838280dc1df5c96ba15f12f48f636baed921d944c9070b993 was found to be: Known bad.

Malicious Activity Summary

healer redline morty discovery dropper evasion infostealer persistence trojan

RedLine payload

Redline family

Detects Healer, an antivirus-disabler dropper

Healer

Healer family

RedLine

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 21:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 21:47

Reported

2024-11-09 21:50

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ce580d7e396d4ea838280dc1df5c96ba15f12f48f636baed921d944c9070b993.exe"

Signatures

Detects Healer, an antivirus-disabler dropper

Description Indicator Process Target
(17 rows, all N/A: no indicator details were recorded for this signature)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7111238.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7111238.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7111238.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7111238.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7111238.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7111238.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(2 rows, all N/A: no indicator details were recorded for this signature)

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7111238.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7111238.exe N/A
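The two tables above (the Real-Time Protection policy values and the TamperProtection feature flag) are the registry writes that make this stage a Defender disabler. Two caveats before treating them as "Defender is off": on a Windows 10 host with Tamper Protection enabled these writes are blocked or reverted, so whether they actually took effect must be read back from Defender's own state (for example Get-MpComputerStatus) rather than inferred from the write; and a key-creation row on its own is not a tampering signal, only a value being set to the disabling state is. The following detection routine is an added example, not part of the sandbox report: it parses rows in exactly the format printed above (the sample rows are copied from this report), flags writes that switch a Defender protection off, and ignores writers on a hypothetical allow-list. The allow-list names and the assumption that the process column holds a space-free image path are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Defender settings whose change by a non-Defender process signals tampering,
# mapped to the data value that turns the protection OFF.
DEFENDER_OFF_VALUES = {
    "DisableRealtimeMonitoring": "1",
    "DisableBehaviorMonitoring": "1",
    "DisableIOAVProtection": "1",
    "DisableOnAccessProtection": "1",
    "DisableScanOnRealtimeEnable": "1",
    "TamperProtection": "0",
}

# Hypothetical allow-list of images that legitimately touch these keys. A real
# deployment would key this on signer identity, not on the image name.
TRUSTED_WRITERS = {"msmpeng.exe", "mpcmdrun.exe", "gpupdate.exe", "svchost.exe"}

# Rows as the report prints them:
#   Key created <path> <process> <target>
#   Set value (<type>) <path>\<name> = "<data>" <process> <target>
# The key path may contain spaces; the process and target columns may not.
_ROW_RE = re.compile(
    r'^(?P<action>Key created|Set value \((?P<type>\w+)\)) '
    r'(?P<path>\\REGISTRY\\.+?)(?: = "(?P<data>[^"]*)")? '
    r'(?P<process>\S+) (?P<target>\S+)$'
)


@dataclass
class RegEvent:
    action: str            # "create" or "set"
    key: str               # registry key path
    name: Optional[str]    # value name for "set" rows, None for "create"
    data: Optional[str]    # value data as printed, None for "create"
    process: str           # image path of the writing process


def parse_row(row: str) -> Optional[RegEvent]:
    """Parse one registry row from the report; return None for anything else."""
    m = _ROW_RE.match(row.strip())
    if not m:
        return None
    path = m.group("path")
    if m.group("action").startswith("Set value"):
        key, _, name = path.rpartition("\\")
        return RegEvent("set", key, name, m.group("data"), m.group("process"))
    return RegEvent("create", path, None, None, m.group("process"))


def defender_tampering(rows):
    """Return (process, value_name, key) for every write that switches a Defender
    protection off and does not come from an allow-listed image."""
    alerts = []
    for row in rows:
        ev = parse_row(row)
        if ev is None or ev.action != "set":
            continue
        if "\\windows defender\\" not in ev.key.lower():
            continue
        off_value = DEFENDER_OFF_VALUES.get(ev.name)
        if off_value is None or ev.data != off_value:
            continue
        image = ev.process.rsplit("\\", 1)[-1].lower()
        if image in TRUSTED_WRITERS:
            continue
        alerts.append((ev.process, ev.name, ev.key))
    return alerts


# Sample input: the eight rows printed in this report (copied, not constructed).
REPORT_ROWS = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7111238.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7111238.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7111238.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7111238.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7111238.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7111238.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7111238.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7111238.exe N/A',
]

if __name__ == "__main__":
    for process, name, key in defender_tampering(REPORT_ROWS):
        print(f"{process}: set {name} under {key}")
```

Run against the report's rows this yields six alerts, all from a7111238.exe, one per disabling value; the two key-creation rows are parsed but do not alert.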

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\ce580d7e396d4ea838280dc1df5c96ba15f12f48f636baed921d944c9070b993.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1928575.exe N/A

Note: wextract_cleanup0 and wextract_cleanup1 entries that run advpack.dll,DelNodeRunDLL32 against IXP000.TMP and IXP001.TMP are the standard cleanup written by Windows self-extracting (IExpress/WEXTRACT) packages. At next logon they delete the extraction directories; they do not relaunch the payload. Their presence confirms two nested self-extractor layers and is anti-forensic cleanup rather than persistence, so any persistence of the dropped stages has to be looked for elsewhere.

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ce580d7e396d4ea838280dc1df5c96ba15f12f48f636baed921d944c9070b993.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1928575.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7111238.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7654610.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7111238.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7111238.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7111238.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3768 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\ce580d7e396d4ea838280dc1df5c96ba15f12f48f636baed921d944c9070b993.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1928575.exe
PID 3768 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\ce580d7e396d4ea838280dc1df5c96ba15f12f48f636baed921d944c9070b993.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1928575.exe
PID 3768 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\ce580d7e396d4ea838280dc1df5c96ba15f12f48f636baed921d944c9070b993.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1928575.exe
PID 2276 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1928575.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7111238.exe
PID 2276 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1928575.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7111238.exe
PID 2276 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1928575.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7111238.exe
PID 2276 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1928575.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7654610.exe
PID 2276 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1928575.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7654610.exe
PID 2276 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1928575.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7654610.exe
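Read as a whole, the rows above give the execution chain: the submitted file (PID 3768) writes into v1928575.exe (PID 2276) in IXP000.TMP, and that process in turn writes into both a7111238.exe (PID 1376) and b7654610.exe (PID 3516) in IXP001.TMP. Three identical writes per parent/child pair is the pattern a sandbox records when a parent creates a child process; nothing in this table shows code written into an unrelated process. The following is an added example, not part of the report: it rebuilds the process tree from rows in this exact format (the sample rows are copied from the report), collapses the duplicate writes to one edge each, and lists the IXP00n.TMP extraction directories, which is a quick way to count self-extractor stages. The report does not attribute its RedLine detection to a specific process, and this code does not either.

```python
import re
from collections import defaultdict

# Rows as printed under "Suspicious use of WriteProcessMemory":
#   PID <src> wrote to memory of <dst> N/A <src image> <dst image>
_WPM_RE = re.compile(
    r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A '
    r'(?P<src_img>\S+) (?P<dst_img>\S+)$'
)


def basename(path):
    """Last component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def build_process_tree(rows):
    """Return (children, images): children maps a PID to its sorted child PIDs,
    images maps every PID seen to its image path. Repeated rows for the same
    parent/child pair collapse to a single edge."""
    edges = set()
    images = {}
    for row in rows:
        m = _WPM_RE.match(row.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        edges.add((src, dst))
        images[src] = m["src_img"]
        images[dst] = m["dst_img"]
    children = defaultdict(list)
    for src, dst in sorted(edges):
        children[src].append(dst)
    return dict(children), images


def roots(children):
    """PIDs that write to others but are never written to: the chain's origin."""
    written_to = {c for cs in children.values() for c in cs}
    return sorted(p for p in children if p not in written_to)


def render(children, images, pid, depth=0):
    """Indented one-line-per-process view of the tree rooted at pid."""
    lines = [f"{'  ' * depth}{pid}  {basename(images.get(pid, '?'))}"]
    for child in children.get(pid, []):
        lines.extend(render(children, images, child, depth + 1))
    return lines


def stage_dirs(images):
    """Self-extractor extraction directories (IXP00n.TMP) seen in the image paths.
    One directory per nesting level, so the count is the number of SFX layers."""
    found = set()
    for path in images.values():
        m = re.search(r'\\(IXP\d{3}\.TMP)\\', path)
        if m:
            found.add(m.group(1))
    return sorted(found)


# Sample input: the nine rows printed in this report (copied, not constructed).
REPORT_ROWS = [
    r'PID 3768 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\ce580d7e396d4ea838280dc1df5c96ba15f12f48f636baed921d944c9070b993.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1928575.exe',
    r'PID 3768 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\ce580d7e396d4ea838280dc1df5c96ba15f12f48f636baed921d944c9070b993.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1928575.exe',
    r'PID 3768 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\ce580d7e396d4ea838280dc1df5c96ba15f12f48f636baed921d944c9070b993.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1928575.exe',
    r'PID 2276 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1928575.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7111238.exe',
    r'PID 2276 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1928575.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7111238.exe',
    r'PID 2276 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1928575.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7111238.exe',
    r'PID 2276 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1928575.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7654610.exe',
    r'PID 2276 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1928575.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7654610.exe',
    r'PID 2276 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1928575.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7654610.exe',
]

if __name__ == "__main__":
    children, images = build_process_tree(REPORT_ROWS)
    for root in roots(children):
        print("\n".join(render(children, images, root)))
    print("SFX stages:", stage_dirs(images))
```

On the report's rows this prints a four-process tree with a single root (3768) and two extraction directories, i.e. two self-extractor layers before the final stages run.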

Processes

C:\Users\Admin\AppData\Local\Temp\ce580d7e396d4ea838280dc1df5c96ba15f12f48f636baed921d944c9070b993.exe

"C:\Users\Admin\AppData\Local\Temp\ce580d7e396d4ea838280dc1df5c96ba15f12f48f636baed921d944c9070b993.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1928575.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1928575.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7111238.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7111238.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7654610.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7654610.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
CY 217.196.96.101:4132 tcp
CY 217.196.96.101:4132 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
CY 217.196.96.101:4132 tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
CY 217.196.96.101:4132 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
CY 217.196.96.101:4132 tcp
CY 217.196.96.101:4132 tcp
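The network table mixes two kinds of traffic: reverse (PTR) lookups sent to the sandbox's resolver 8.8.8.8, and six repeated TCP connections to 217.196.96.101:4132, the only non-resolver endpoint contacted. The report does not tie that endpoint to a process. PTR lookups for Microsoft and CDN address space are common Windows background traffic in a sandbox and should not be treated as indicators on their own. The following is an added example, not part of the report: it parses rows in this exact format (the sample rows are copied from the report), collapses repeats into per-endpoint connection counts, and turns each in-addr.arpa name back into the address that was looked up, which is easier to pivot on than the reversed form.

```python
import ipaddress
import re
from collections import Counter

# Rows as printed under "Network": "<CC> <ip>:<port> [<domain>] <proto>"
_NET_RE = re.compile(
    r'^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+)'
    r'(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$'
)


def ptr_to_ip(name):
    """Convert a reverse-lookup name such as 217.106.137.52.in-addr.arpa into the
    address it refers to (52.137.106.217). Returns None for any other name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def summarize(rows):
    """Return (connections, resolver, ptr_targets): connection counts per
    endpoint excluding DNS to the resolver, the resolver address seen, and the
    addresses the sample reverse-resolved, in order of appearance."""
    connections = Counter()
    resolver = None
    ptr_targets = []
    for row in rows:
        m = _NET_RE.match(row.strip())
        if not m:
            continue
        if m["domain"]:
            ip = ptr_to_ip(m["domain"])
            if ip is not None:
                ptr_targets.append(ip)
                resolver = m["ip"]
                continue
        endpoint = f'{m["ip"]}:{m["port"]}/{m["proto"]} ({m["cc"]})'
        connections[endpoint] += 1
    return connections, resolver, ptr_targets


# Sample input: the twelve rows printed in this report (copied, not constructed).
REPORT_ROWS = [
    "US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp",
    "CY 217.196.96.101:4132 tcp",
    "CY 217.196.96.101:4132 tcp",
    "US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp",
    "US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp",
    "CY 217.196.96.101:4132 tcp",
    "US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp",
    "US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp",
    "CY 217.196.96.101:4132 tcp",
    "US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp",
    "CY 217.196.96.101:4132 tcp",
    "CY 217.196.96.101:4132 tcp",
]

if __name__ == "__main__":
    connections, resolver, ptr_targets = summarize(REPORT_ROWS)
    for endpoint, count in connections.most_common():
        print(f"{count:>3}  {endpoint}")
    print(f"resolver: {resolver}; reverse-resolved: {', '.join(ptr_targets)}")
```

For this report the summary is a single endpoint, 217.196.96.101:4132/tcp, contacted six times, and six reverse-resolved addresses, all via 8.8.8.8.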

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1928575.exe

MD5 0f7d47a0299def03ca3ef88b86ed9b0c
SHA1 47e7fcb6b2b170b1293e164d96b8f7b9e388d93b
SHA256 54a3fde7e46d1272a10e4cd5afc50c2617b54df80e0c056c3efd1be38c49469d
SHA512 00f3841c6b96d351a73cff9bb4b9262c8b1be97be8f707749e2b1d84b3361f8f3ba4fec80a03d5feae2efa47e3ea232eba390868fdf1b0d63d731480a489611b

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7111238.exe

MD5 6d735b881e688fdad871d365b9658884
SHA1 254805a6938659202acd6ad816aa831b1c9b8aea
SHA256 e22287fb4c517a7aff4aa45c9167e5ff3d75cd6f388873ec50737ccef98f044c
SHA512 daf25fc101f8ca17f2a78660290f71206032e740736c15f133033fca39c07171ea0191bc21ee3880deae731d57de3ad3263225f96d946f8aad3715f0281d425d

memory/1376-14-0x00000000748DE000-0x00000000748DF000-memory.dmp

memory/1376-15-0x00000000022E0000-0x00000000022FA000-memory.dmp

memory/1376-16-0x00000000748D0000-0x0000000075080000-memory.dmp

memory/1376-17-0x0000000004C70000-0x0000000005214000-memory.dmp

memory/1376-18-0x0000000004AC0000-0x0000000004AD8000-memory.dmp

memory/1376-38-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

memory/1376-46-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

memory/1376-47-0x00000000748D0000-0x0000000075080000-memory.dmp

memory/1376-48-0x00000000748D0000-0x0000000075080000-memory.dmp

memory/1376-44-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

memory/1376-42-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

memory/1376-40-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

memory/1376-24-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

memory/1376-22-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

memory/1376-20-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

memory/1376-19-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

memory/1376-36-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

memory/1376-34-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

memory/1376-32-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

memory/1376-30-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

memory/1376-28-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

memory/1376-26-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

memory/1376-49-0x00000000748DE000-0x00000000748DF000-memory.dmp

memory/1376-50-0x00000000748D0000-0x0000000075080000-memory.dmp

memory/1376-52-0x00000000748D0000-0x0000000075080000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7654610.exe

MD5 31a1d5fc103ed9748d799939a341d64d
SHA1 d353f0437ebf301fec4eb0d4325720c834b0a7f4
SHA256 449cf4bf7bae17b69f23caa3686b66fb65f637ccae279860906bfebc23f99b05
SHA512 46c72d5c51224eb2f2c6c111cd04dc5151c1782e72d886697224c889078824afc97acd188f9aec83afe6bb3a26c6798c1fbf271bf02f23fdf6bd6bfb2706068a

memory/3516-56-0x0000000000E10000-0x0000000000E3E000-memory.dmp

memory/3516-57-0x00000000055F0000-0x00000000055F6000-memory.dmp

memory/3516-58-0x0000000005E10000-0x0000000006428000-memory.dmp

memory/3516-59-0x0000000005900000-0x0000000005A0A000-memory.dmp

memory/3516-60-0x0000000005680000-0x0000000005692000-memory.dmp

memory/3516-61-0x00000000057F0000-0x000000000582C000-memory.dmp

memory/3516-62-0x0000000005840000-0x000000000588C000-memory.dmp