Malware Analysis Report

2025-03-15 01:43

Sample ID 230910-kcvzwafh23
Target 4a7a6d2953344489e7d7efc811832551098870b44b2820495685d3d0040c0b87
SHA256 4a7a6d2953344489e7d7efc811832551098870b44b2820495685d3d0040c0b87
Tags healer redline virad dropper evasion infostealer persistence trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

4a7a6d2953344489e7d7efc811832551098870b44b2820495685d3d0040c0b87

Threat Level: Known bad

The file 4a7a6d2953344489e7d7efc811832551098870b44b2820495685d3d0040c0b87 was found to be: Known bad.

Malicious Activity Summary

healer redline virad dropper evasion infostealer persistence trojan

Healer

RedLine

Detects Healer an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 08:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 08:27

Reported

2023-09-10 08:30

Platform

win10v2004-20230831-en

Max time kernel

141s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4a7a6d2953344489e7d7efc811832551098870b44b2820495685d3d0040c0b87.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

RedLine

infostealer redline

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\4a7a6d2953344489e7d7efc811832551098870b44b2820495685d3d0040c0b87.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6098172.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1997668.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4460 set thread context of 4472 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g9349969.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1352 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\4a7a6d2953344489e7d7efc811832551098870b44b2820495685d3d0040c0b87.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6098172.exe
PID 1352 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\4a7a6d2953344489e7d7efc811832551098870b44b2820495685d3d0040c0b87.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6098172.exe
PID 1352 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\4a7a6d2953344489e7d7efc811832551098870b44b2820495685d3d0040c0b87.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6098172.exe
PID 452 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6098172.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1997668.exe
PID 452 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6098172.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1997668.exe
PID 452 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6098172.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1997668.exe
PID 4716 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1997668.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g9349969.exe
PID 4716 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1997668.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g9349969.exe
PID 4716 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1997668.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g9349969.exe
PID 4460 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g9349969.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4460 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g9349969.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4460 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g9349969.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4460 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g9349969.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4460 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g9349969.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4460 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g9349969.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4460 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g9349969.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4460 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g9349969.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4716 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1997668.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i2524794.exe
PID 4716 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1997668.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i2524794.exe
PID 4716 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1997668.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i2524794.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4a7a6d2953344489e7d7efc811832551098870b44b2820495685d3d0040c0b87.exe

"C:\Users\Admin\AppData\Local\Temp\4a7a6d2953344489e7d7efc811832551098870b44b2820495685d3d0040c0b87.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6098172.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6098172.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1997668.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1997668.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g9349969.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g9349969.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4460 -ip 4460

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 552

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i2524794.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i2524794.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 126.153.27.67.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6098172.exe

MD5 a9b7ed2e731d855628624c2277a9d50f
SHA1 596f433963359f0ca8ffac144866f4b10de69a19
SHA256 ff6dbc33600cf81f6bacbef7be2acc24041e250401d9acfe44ecdb54d6e69d34
SHA512 bd3c2b4add9eb72153defd449c38c6c9b78ec7f47189d78c50036fe1c44d0b07262b1312fa6c405db57e3100fa84433a37bda2dd3aa1fc279d37971cf5438558

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1997668.exe

MD5 edda054dc43ca5835c8c6a807e5cc2a6
SHA1 5ed759b798d5121ec9c21fcefa1c205752138ade
SHA256 cfdd7cccd30b3d5c98b4ecd177a04e0a270732f8b2af084006c93c412bf02bb5
SHA512 ee9d7ef7e7b6ca78c1408ba8b8143613e745d42764eaf133ae451af6bf78ee2bb0d2f7bbbfb8c337e21bc416288bf6567b19747e9cb133183c498360fdb7b686

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g9349969.exe

MD5 a389641629f09dcc3481225050a4f97e
SHA1 8a362221255a497770d8e6e2eb6dd99dda4603c0
SHA256 af0666782654041ba087b6bd06d54cdf1a054fb8a9023bfd268a9300e3424dad
SHA512 747017ad690ad4fc24a374f1d988310c58657c0b17f23d0f57fe7706d467e4f255414b7fe281f96217f0cb17f59875fb2b132b63fbe2bf0bec03fe5f153ed623

memory/4472-21-0x0000000000400000-0x000000000040A000-memory.dmp

memory/4472-22-0x00000000745A0000-0x0000000074D50000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i2524794.exe

MD5 431d7f2a70721cb4fd5db6ecbbdd19ef
SHA1 588099712cd56e81fa755215c6c148b77949887e
SHA256 105f6a081b1ed60160317855f249951ee4f1b5a345fd4981f3e5f69d88acc9be
SHA512 bbdeb5ae71a7e3ef5e64d8ed653eb7fee03c2dcfab2c654731ec8f1ba88fe491a055dfd566965b551b24dd91551ca0d9f31e5f8b69cf8a52767fcb627a1af5df

memory/2504-26-0x00000000005B0000-0x00000000005E0000-memory.dmp

memory/2504-27-0x00000000745A0000-0x0000000074D50000-memory.dmp

memory/2504-28-0x0000000005650000-0x0000000005C68000-memory.dmp

memory/2504-29-0x0000000005140000-0x000000000524A000-memory.dmp

memory/2504-31-0x0000000004E20000-0x0000000004E30000-memory.dmp

memory/2504-30-0x0000000005080000-0x0000000005092000-memory.dmp

memory/2504-32-0x00000000050E0000-0x000000000511C000-memory.dmp

memory/4472-33-0x00000000745A0000-0x0000000074D50000-memory.dmp

memory/4472-35-0x00000000745A0000-0x0000000074D50000-memory.dmp

memory/2504-36-0x00000000745A0000-0x0000000074D50000-memory.dmp

memory/2504-37-0x0000000004E20000-0x0000000004E30000-memory.dmp