Malware Analysis Report

2025-01-23 05:57

Sample ID 241126-vzs4xaxmcq
Target ae392761f1df9f1aa2494cf504c5156fbbb1298ee9d0602b259fbfc63e7f0057N.exe
SHA256 ae392761f1df9f1aa2494cf504c5156fbbb1298ee9d0602b259fbfc63e7f0057
Tags
healer redline lada discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

ae392761f1df9f1aa2494cf504c5156fbbb1298ee9d0602b259fbfc63e7f0057

Threat Level: Known bad

The file ae392761f1df9f1aa2494cf504c5156fbbb1298ee9d0602b259fbfc63e7f0057N.exe was found to be: Known bad.

Malicious Activity Summary

Healer family

Detects Healer, an antivirus disabler dropper

Healer

RedLine

Redline family

RedLine payload

Modifies Windows Defender Real-time Protection settings

Checks computer location settings

Windows security modification

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2024-11-26 17:26

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-26 17:26

Reported

2024-11-26 17:28

Platform

win10v2004-20241007-en

Max time kernel

104s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ae392761f1df9f1aa2494cf504c5156fbbb1298ee9d0602b259fbfc63e7f0057N.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\az006846.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\az006846.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bu244991.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bu244991.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bu244991.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bu244991.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\az006846.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\az006846.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\az006846.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\az006846.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bu244991.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bu244991.exe N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cor8709.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\az006846.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bu244991.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bu244991.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\ae392761f1df9f1aa2494cf504c5156fbbb1298ee9d0602b259fbfc63e7f0057N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki161503.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ae392761f1df9f1aa2494cf504c5156fbbb1298ee9d0602b259fbfc63e7f0057N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki161503.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bu244991.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cor8709.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\az006846.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bu244991.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cor8709.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4776 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\ae392761f1df9f1aa2494cf504c5156fbbb1298ee9d0602b259fbfc63e7f0057N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki161503.exe
PID 3656 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki161503.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\az006846.exe
PID 3656 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki161503.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bu244991.exe
PID 4776 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\ae392761f1df9f1aa2494cf504c5156fbbb1298ee9d0602b259fbfc63e7f0057N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cor8709.exe
PID 2556 wrote to memory of 6132 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cor8709.exe C:\Windows\Temp\1.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ae392761f1df9f1aa2494cf504c5156fbbb1298ee9d0602b259fbfc63e7f0057N.exe

"C:\Users\Admin\AppData\Local\Temp\ae392761f1df9f1aa2494cf504c5156fbbb1298ee9d0602b259fbfc63e7f0057N.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki161503.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki161503.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\az006846.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\az006846.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bu244991.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bu244991.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2512 -ip 2512

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cor8709.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cor8709.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2556 -ip 2556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 1180

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 66.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
RU 185.161.248.90:4125 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
RU 185.161.248.90:4125 tcp
US 8.8.8.8:53 68.208.201.84.in-addr.arpa udp
RU 185.161.248.90:4125 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
RU 185.161.248.90:4125 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki161503.exe

MD5 a7d3b6d4df89ebc14203e4c61aa2813a
SHA1 14e56aa187b9ede93de67d5ad7361094639c2442
SHA256 81153ae921e74bae5e00374c897f8091339bf0399b9582e6b2b3d48ce9184138
SHA512 087901a4c2f70fc4fcbd881e022b029c5ce5f7881edf69c84dadafc706cfc855013248f4640866817a4cc3c0e595947ac70274f7ef16b9a05071003fb07cadc0

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\az006846.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bu244991.exe

MD5 8dcc2b4cad499ef09ff99e5872802979
SHA1 2ce03ea58a2d64ab502a35f46b945bbe4d5d07f5
SHA256 703295c0a45d9b1852f43c4aec6edc92f5f4b56b00c12929fc7db35b721e20ac
SHA512 bd1c6b62c6f4e49adca7be28295c018a06fcc1367b20cabd95f1b545476f509a53f73d6422145daef0a657baaa35d0f6617dcc3aed0b76752f7126998c14cfee

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cor8709.exe

MD5 92cfee62f6fd650245941f7b4dfc7e31
SHA1 d680767c772c44534aef7faf24ccb0e48a3dae68
SHA256 5552ff3098a104a61691cc1b1440e835bd2280c3e569ed7c99e9e455adc8807b
SHA512 a5ada28765b8ee88cfbd15011483ab4b2eb1ef9c134c36c3cbc2aa2597620cd33afa7be797698a3b9fe3368ba010c42105034d027cc0485a65cc17b026c89522

C:\Windows\Temp\1.exe

MD5 03728fed675bcde5256342183b1d6f27
SHA1 d13eace7d3d92f93756504b274777cc269b222a2
SHA256 f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0
SHA512 6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1
