Malware Analysis Report

2025-04-03 14:17

Sample ID 241109-1nnmyatajd
Target 51d8bd14eb366dce31331aa4a24ae95a0229bc8d6565188b2a0d7a198b074795
SHA256 51d8bd14eb366dce31331aa4a24ae95a0229bc8d6565188b2a0d7a198b074795
Tags
healer redline ramon discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

51d8bd14eb366dce31331aa4a24ae95a0229bc8d6565188b2a0d7a198b074795

Threat Level: Known bad

The file 51d8bd14eb366dce31331aa4a24ae95a0229bc8d6565188b2a0d7a198b074795 was found to be: Known bad.

Malicious Activity Summary

healer redline ramon discovery dropper evasion infostealer persistence trojan

RedLine

Healer

Healer family

RedLine payload

Detects Healer an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

Redline family

Windows security modification

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 21:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 21:47

Reported

2024-11-09 21:50

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\51d8bd14eb366dce31331aa4a24ae95a0229bc8d6565188b2a0d7a198b074795.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bJy19NC20.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bJy19NC20.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bJy19NC20.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bJy19NC20.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bJy19NC20.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bJy19NC20.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bJy19NC20.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\51d8bd14eb366dce31331aa4a24ae95a0229bc8d6565188b2a0d7a198b074795.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\piL62VW44.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pcW54XJ41.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\psE80cX54.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cth86MC20.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\51d8bd14eb366dce31331aa4a24ae95a0229bc8d6565188b2a0d7a198b074795.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\piL62VW44.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pcW54XJ41.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\psE80cX54.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bJy19NC20.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bJy19NC20.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bJy19NC20.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cth86MC20.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2992 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\51d8bd14eb366dce31331aa4a24ae95a0229bc8d6565188b2a0d7a198b074795.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\piL62VW44.exe
PID 2992 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\51d8bd14eb366dce31331aa4a24ae95a0229bc8d6565188b2a0d7a198b074795.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\piL62VW44.exe
PID 2992 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\51d8bd14eb366dce31331aa4a24ae95a0229bc8d6565188b2a0d7a198b074795.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\piL62VW44.exe
PID 436 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\piL62VW44.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pcW54XJ41.exe
PID 436 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\piL62VW44.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pcW54XJ41.exe
PID 436 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\piL62VW44.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pcW54XJ41.exe
PID 4840 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pcW54XJ41.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\psE80cX54.exe
PID 4840 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pcW54XJ41.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\psE80cX54.exe
PID 4840 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pcW54XJ41.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\psE80cX54.exe
PID 3060 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\psE80cX54.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bJy19NC20.exe
PID 3060 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\psE80cX54.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bJy19NC20.exe
PID 3060 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\psE80cX54.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cth86MC20.exe
PID 3060 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\psE80cX54.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cth86MC20.exe
PID 3060 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\psE80cX54.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cth86MC20.exe

Processes

C:\Users\Admin\AppData\Local\Temp\51d8bd14eb366dce31331aa4a24ae95a0229bc8d6565188b2a0d7a198b074795.exe

"C:\Users\Admin\AppData\Local\Temp\51d8bd14eb366dce31331aa4a24ae95a0229bc8d6565188b2a0d7a198b074795.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\piL62VW44.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\piL62VW44.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pcW54XJ41.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pcW54XJ41.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\psE80cX54.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\psE80cX54.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bJy19NC20.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bJy19NC20.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cth86MC20.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cth86MC20.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
RU 193.233.20.23:4123 tcp
RU 193.233.20.23:4123 tcp
RU 193.233.20.23:4123 tcp
US 8.8.8.8:53 72.209.201.84.in-addr.arpa udp
RU 193.233.20.23:4123 tcp
RU 193.233.20.23:4123 tcp
RU 193.233.20.23:4123 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\piL62VW44.exe

MD5 66fc2fccab41154dd1692cf3dc402f04
SHA1 a7e9d3dca110b58ae9d94d76bed76d027671c55a
SHA256 33ef0d6c87d4300ab29e4bebd2ae6bdfd994153c7c4acec0cb508b9040ae1310
SHA512 b7579c5b6cf9e02025f15e99af5647b8b7403068d6b3de225bb3d48a0e88c9f2610bc9e739f954a166c07a25653fa8d3102d7babf2a0a46d78323829acac0a7c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pcW54XJ41.exe

MD5 2b8cdcf379b6154ad54a20da79acf99c
SHA1 6d32cfef1047eb057e65a5dae2a3bec672c9eb75
SHA256 28994a1c971308756dcc57d4a5713a47bcd12d7a67868860bc3b399b7032e2aa
SHA512 74b037fbd607a9a519599433d0898b492ccc4a05b4331599c52727148bf39745bae03057dc00ee5917fb82cb8634a007680c47744ec4e0bba89ffb439e73f814

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\psE80cX54.exe

MD5 906162a64c40ed824ea68f25f2c8f0a3
SHA1 228308df9cff615b9be308f064f9b5b18193c7e1
SHA256 2ecc945d7ae3c7e5ccff80223284ce9c637a46545556aae43ca4a8d88c801655
SHA512 c87ee814dc7f3f38ddc5eb1f2ba365081e18351dee54dbafd416ae535e1e6ef76120127b323787ab7ddd90d388a10891443753f79ce8d17f02a81db32ac791c6

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bJy19NC20.exe

MD5 76989d4a2115b82a2049cdb33100157a
SHA1 a88856b86bd4d4740012517c0fbfdebaccebe04a
SHA256 fa80a2a8759ff817e06922be933215968a162f55089cd6f26190648fffb15be4
SHA512 19719e3eed92c9d907ae53f7d9f77c6421f78d7c6c4094ea87b195f80816a474b124472a0fef4f5bd66eac4939fc89f885332b3a56912b18c4e694b9980107b6

memory/2396-28-0x0000000000270000-0x000000000027A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cth86MC20.exe

MD5 f3855c4eadab09dffd655f592be5e9fb
SHA1 59f051e8d1dfd6784e4a2f84b3acf535b814009d
SHA256 5f6c4ea9d0babf1692ddbdd16e61b0b70c3e3776ad1673414663104d1ce536db
SHA512 2f4b3f7d9959319f4fa60bb7624465afd73f9c8e0665f4563fa04e2f5704b957d58975d9758f1d1b30bb1f02c7fa8515b2a2f8f80084d9a120142dae0fc2c4a1

memory/4976-34-0x0000000004AF0000-0x0000000004B36000-memory.dmp

memory/4976-35-0x0000000007350000-0x00000000078F4000-memory.dmp

memory/4976-36-0x0000000004CE0000-0x0000000004D24000-memory.dmp

memory/4976-38-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

memory/4976-49-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

memory/4976-100-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

memory/4976-98-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

memory/4976-94-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

memory/4976-92-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

memory/4976-90-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

memory/4976-88-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

memory/4976-86-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

memory/4976-85-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

memory/4976-82-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

memory/4976-80-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

memory/4976-76-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

memory/4976-74-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

memory/4976-72-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

memory/4976-71-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

memory/4976-69-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

memory/4976-66-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

memory/4976-64-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

memory/4976-62-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

memory/4976-60-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

memory/4976-58-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

memory/4976-54-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

memory/4976-52-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

memory/4976-50-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

memory/4976-46-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

memory/4976-44-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

memory/4976-42-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

memory/4976-40-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

memory/4976-96-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

memory/4976-78-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

memory/4976-56-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

memory/4976-37-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

memory/4976-945-0x00000000072F0000-0x0000000007302000-memory.dmp

memory/4976-943-0x0000000007900000-0x0000000007F18000-memory.dmp

memory/4976-944-0x0000000007F20000-0x000000000802A000-memory.dmp

memory/4976-946-0x0000000008030000-0x000000000806C000-memory.dmp

memory/4976-947-0x0000000008170000-0x00000000081BC000-memory.dmp