Malware Analysis Report

2025-08-05 10:16

Sample ID 241109-fxj1wsxpat
Target b1ef8a77390c2929441e4b5097c912759da99e15f1bf48d790ca8f0db819b5b2
SHA256 b1ef8a77390c2929441e4b5097c912759da99e15f1bf48d790ca8f0db819b5b2
Tags
healer redline diza norm discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b1ef8a77390c2929441e4b5097c912759da99e15f1bf48d790ca8f0db819b5b2

Threat Level: Known bad

The file b1ef8a77390c2929441e4b5097c912759da99e15f1bf48d790ca8f0db819b5b2 was found to be: Known bad.

Malicious Activity Summary

healer redline diza norm discovery dropper evasion infostealer persistence trojan

Detects Healer, an antivirus disabler dropper

RedLine payload

Modifies Windows Defender Real-time Protection settings

Healer

RedLine

Redline family

Healer family

Executes dropped EXE

Windows security modification

Checks computer location settings

Adds Run key to start application

Unsigned PE

Program crash

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 05:15

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 05:15

Reported

2024-11-09 05:17

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b1ef8a77390c2929441e4b5097c912759da99e15f1bf48d790ca8f0db819b5b2.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3715.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3715.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3715.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3715.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3715.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3715.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3408.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3715.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3715.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\b1ef8a77390c2929441e4b5097c912759da99e15f1bf48d790ca8f0db819b5b2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un795890.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si501416.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b1ef8a77390c2929441e4b5097c912759da99e15f1bf48d790ca8f0db819b5b2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un795890.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3715.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3408.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3715.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3715.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3715.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3408.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 372 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\b1ef8a77390c2929441e4b5097c912759da99e15f1bf48d790ca8f0db819b5b2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un795890.exe
PID 372 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\b1ef8a77390c2929441e4b5097c912759da99e15f1bf48d790ca8f0db819b5b2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un795890.exe
PID 372 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\b1ef8a77390c2929441e4b5097c912759da99e15f1bf48d790ca8f0db819b5b2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un795890.exe
PID 4988 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un795890.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3715.exe
PID 4988 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un795890.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3715.exe
PID 4988 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un795890.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3715.exe
PID 4988 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un795890.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3408.exe
PID 4988 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un795890.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3408.exe
PID 4988 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un795890.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3408.exe
PID 1424 wrote to memory of 5672 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3408.exe C:\Windows\Temp\1.exe
PID 1424 wrote to memory of 5672 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3408.exe C:\Windows\Temp\1.exe
PID 1424 wrote to memory of 5672 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3408.exe C:\Windows\Temp\1.exe
PID 372 wrote to memory of 5856 N/A C:\Users\Admin\AppData\Local\Temp\b1ef8a77390c2929441e4b5097c912759da99e15f1bf48d790ca8f0db819b5b2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si501416.exe
PID 372 wrote to memory of 5856 N/A C:\Users\Admin\AppData\Local\Temp\b1ef8a77390c2929441e4b5097c912759da99e15f1bf48d790ca8f0db819b5b2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si501416.exe
PID 372 wrote to memory of 5856 N/A C:\Users\Admin\AppData\Local\Temp\b1ef8a77390c2929441e4b5097c912759da99e15f1bf48d790ca8f0db819b5b2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si501416.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b1ef8a77390c2929441e4b5097c912759da99e15f1bf48d790ca8f0db819b5b2.exe

"C:\Users\Admin\AppData\Local\Temp\b1ef8a77390c2929441e4b5097c912759da99e15f1bf48d790ca8f0db819b5b2.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un795890.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un795890.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3715.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3715.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1376 -ip 1376

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 1004

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3408.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3408.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1424 -ip 1424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 1544

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si501416.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si501416.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 71.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un795890.exe

MD5 60abf9e419721a7682fc787f34db8b7f
SHA1 4a74f6f9b4623920ba2dfe7ce5cb80445e4e4a86
SHA256 da82603941288fe57a69499c4e06655e3ca7be494b41915cdc5714bdcb86810d
SHA512 64013c6247d4b1d1a9e5c89f73ac67ad58a99490ee94ab075a722e4d201727936d8cf802eab32608e0237c009d59838082bd79a4e6414ee3f013518c3a170d3e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3715.exe

MD5 ae4d5c598d757fc26e0924f6c8727c76
SHA1 451c2eb8671db4729af05de661f582965c88d810
SHA256 07d883fb6aa30562ab9d0503bdbd91e6bf91872eae45e18ed868664a4659446d
SHA512 d8448ba5e462cffb669d1c152ec2e345848a5251a48c8dd7f3b388e6d2078194a2f0f145de26097e9effed6cafc80f011684cb788ecceea0c2753072eb43d0ee

memory/1376-15-0x00000000007C0000-0x00000000008C0000-memory.dmp

memory/1376-16-0x0000000000580000-0x00000000005AD000-memory.dmp

memory/1376-17-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1376-18-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1376-19-0x00000000007A0000-0x00000000007BA000-memory.dmp

memory/1376-20-0x0000000004B10000-0x00000000050B4000-memory.dmp

memory/1376-21-0x0000000002340000-0x0000000002358000-memory.dmp

memory/1376-33-0x0000000002340000-0x0000000002352000-memory.dmp

memory/1376-47-0x0000000002340000-0x0000000002352000-memory.dmp

memory/1376-45-0x0000000002340000-0x0000000002352000-memory.dmp

memory/1376-43-0x0000000002340000-0x0000000002352000-memory.dmp

memory/1376-41-0x0000000002340000-0x0000000002352000-memory.dmp

memory/1376-39-0x0000000002340000-0x0000000002352000-memory.dmp

memory/1376-37-0x0000000002340000-0x0000000002352000-memory.dmp

memory/1376-35-0x0000000002340000-0x0000000002352000-memory.dmp

memory/1376-31-0x0000000002340000-0x0000000002352000-memory.dmp

memory/1376-49-0x0000000002340000-0x0000000002352000-memory.dmp

memory/1376-27-0x0000000002340000-0x0000000002352000-memory.dmp

memory/1376-25-0x0000000002340000-0x0000000002352000-memory.dmp

memory/1376-23-0x0000000002340000-0x0000000002352000-memory.dmp

memory/1376-22-0x0000000002340000-0x0000000002352000-memory.dmp

memory/1376-29-0x0000000002340000-0x0000000002352000-memory.dmp

memory/1376-50-0x00000000007C0000-0x00000000008C0000-memory.dmp

memory/1376-51-0x0000000000580000-0x00000000005AD000-memory.dmp

memory/1376-52-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1376-55-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1376-56-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3408.exe

MD5 2a87622297c16d63a425839e53cfc29b
SHA1 2bf35e9f7c2c50699dc7d7da98714478a895c2c6
SHA256 30ef6bac870ed2a351aa857702c6555d415f844d346c933a2f32e3b5cb227385
SHA512 fe08bdb42ad71d499bff95eff886dedacaee0f483282526455ae37cff331607e09754cb0e02ac78069cf9e010201febcd8adf7d6275b433c7ea0b6a8d5f079ee

memory/1424-61-0x0000000002400000-0x0000000002466000-memory.dmp

memory/1424-62-0x00000000025D0000-0x0000000002636000-memory.dmp

memory/1424-64-0x00000000025D0000-0x000000000262F000-memory.dmp

memory/1424-74-0x00000000025D0000-0x000000000262F000-memory.dmp

memory/1424-96-0x00000000025D0000-0x000000000262F000-memory.dmp

memory/1424-94-0x00000000025D0000-0x000000000262F000-memory.dmp

memory/1424-92-0x00000000025D0000-0x000000000262F000-memory.dmp

memory/1424-90-0x00000000025D0000-0x000000000262F000-memory.dmp

memory/1424-88-0x00000000025D0000-0x000000000262F000-memory.dmp

memory/1424-86-0x00000000025D0000-0x000000000262F000-memory.dmp

memory/1424-84-0x00000000025D0000-0x000000000262F000-memory.dmp

memory/1424-82-0x00000000025D0000-0x000000000262F000-memory.dmp

memory/1424-78-0x00000000025D0000-0x000000000262F000-memory.dmp

memory/1424-76-0x00000000025D0000-0x000000000262F000-memory.dmp

memory/1424-72-0x00000000025D0000-0x000000000262F000-memory.dmp

memory/1424-70-0x00000000025D0000-0x000000000262F000-memory.dmp

memory/1424-68-0x00000000025D0000-0x000000000262F000-memory.dmp

memory/1424-66-0x00000000025D0000-0x000000000262F000-memory.dmp

memory/1424-80-0x00000000025D0000-0x000000000262F000-memory.dmp

memory/1424-63-0x00000000025D0000-0x000000000262F000-memory.dmp

memory/1424-2143-0x0000000004CF0000-0x0000000004D22000-memory.dmp

C:\Windows\Temp\1.exe

MD5 1073b2e7f778788852d3f7bb79929882
SHA1 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256 c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA512 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

memory/5672-2156-0x0000000000B60000-0x0000000000B90000-memory.dmp

memory/5672-2157-0x0000000005340000-0x0000000005346000-memory.dmp

memory/5672-2158-0x0000000005AC0000-0x00000000060D8000-memory.dmp

memory/5672-2159-0x00000000055B0000-0x00000000056BA000-memory.dmp

memory/5672-2160-0x00000000054E0000-0x00000000054F2000-memory.dmp

memory/5672-2161-0x0000000005540000-0x000000000557C000-memory.dmp

memory/5672-2162-0x00000000056C0000-0x000000000570C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si501416.exe

MD5 effd9088e5a4c0915673ebdd00d85e7d
SHA1 412f90d32c89e8193371c4c04a0fc273a8b77574
SHA256 cad8e1a21485522122095ddabcb37e694c968449c5813f92ffa634f8bccbd47b
SHA512 584ad7bb23c1a9f423d737978c787f376d4ca2a3f9fadd39a660603f0e624b3b4d0f1734f5e27f06d3e99188634bbfba454ce43e813ed829fd2518e360573c96

memory/5856-2167-0x00000000000C0000-0x00000000000EE000-memory.dmp

memory/5856-2168-0x00000000049E0000-0x00000000049E6000-memory.dmp