Malware Analysis Report

2025-01-23 07:37

Sample ID: 241104-q8jjlszmf1
Target: df09d7ff335d4a89b812adc1914e3095257d5ff3264a4112cdcd9f4226a48a1d
SHA256: df09d7ff335d4a89b812adc1914e3095257d5ff3264a4112cdcd9f4226a48a1d
Tags: healer redline rosn discovery dropper evasion infostealer persistence trojan
Score: 10/10


Analysis Overview

Score: 10/10
SHA256: df09d7ff335d4a89b812adc1914e3095257d5ff3264a4112cdcd9f4226a48a1d
Threat Level: Known bad

The file df09d7ff335d4a89b812adc1914e3095257d5ff3264a4112cdcd9f4226a48a1d was found to be: Known bad.

Malicious Activity Summary

Tags: healer redline rosn discovery dropper evasion infostealer persistence trojan

Healer family

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Healer

Redline family

Detects Healer, an antivirus disabler dropper

Windows security modification

Executes dropped EXE

Adds Run key to start application

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-04 13:55

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-04 13:55
Reported: 2024-11-04 13:58
Platform: win10v2004-20241007-en
Max time kernel: 145s
Max time network: 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\df09d7ff335d4a89b812adc1914e3095257d5ff3264a4112cdcd9f4226a48a1d.exe"

Signatures

Detects Healer, an antivirus disabler dropper


Healer

Tags: dropper healer

Healer family

Tags: healer

Modifies Windows Defender Real-time Protection settings

Tags: evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9567.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9567.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9567.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9567.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9567.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9567.exe | N/A

RedLine

Tags: infostealer redline

RedLine payload


Redline family

Tags: redline

Windows security modification

Tags: evasion trojan

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9567.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9567.exe | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\df09d7ff335d4a89b812adc1914e3095257d5ff3264a4112cdcd9f4226a48a1d.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un890821.exe | N/A

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\df09d7ff335d4a89b812adc1914e3095257d5ff3264a4112cdcd9f4226a48a1d.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un890821.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9567.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3748.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9567.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9567.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9567.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3748.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4992 wrote to memory of 4464 | N/A | C:\Users\Admin\AppData\Local\Temp\df09d7ff335d4a89b812adc1914e3095257d5ff3264a4112cdcd9f4226a48a1d.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un890821.exe
PID 4992 wrote to memory of 4464 | N/A | C:\Users\Admin\AppData\Local\Temp\df09d7ff335d4a89b812adc1914e3095257d5ff3264a4112cdcd9f4226a48a1d.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un890821.exe
PID 4992 wrote to memory of 4464 | N/A | C:\Users\Admin\AppData\Local\Temp\df09d7ff335d4a89b812adc1914e3095257d5ff3264a4112cdcd9f4226a48a1d.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un890821.exe
PID 4464 wrote to memory of 3224 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un890821.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9567.exe
PID 4464 wrote to memory of 3224 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un890821.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9567.exe
PID 4464 wrote to memory of 3224 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un890821.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9567.exe
PID 4464 wrote to memory of 2480 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un890821.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3748.exe
PID 4464 wrote to memory of 2480 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un890821.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3748.exe
PID 4464 wrote to memory of 2480 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un890821.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3748.exe

Processes

Image: C:\Users\Admin\AppData\Local\Temp\df09d7ff335d4a89b812adc1914e3095257d5ff3264a4112cdcd9f4226a48a1d.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\df09d7ff335d4a89b812adc1914e3095257d5ff3264a4112cdcd9f4226a48a1d.exe"

Image: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un890821.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un890821.exe

Image: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9567.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9567.exe

Image: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3224 -ip 3224

Image: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 1080

Image: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3748.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3748.exe

Network


Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un890821.exe

MD5 cd200a3cc026a1deca0d8971a3a1a940
SHA1 991ea486a60a46e1a3733f5b17e056d781e3a6ea
SHA256 1461ee9bb42dd8a0fd15e9ee17f5291d344b9b46737c04e67de1835a6e1fec70
SHA512 8e8d98b9dc02e2a32ac6ee01bfc5ad14532ee497e3d5083d684a4775eb519c0dd15db23146f6ae8f621dd6cffb7cfaa8b5b3c66aadd2e9a2b4482801a3849454

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9567.exe

MD5 4a742c9a3b495a710e3eea2c288798bf
SHA1 b311430cef13468c07812695f90356b0930919c4
SHA256 1ccda4689c65196d9b92985b611acda71e654ec0cd1fdc4fccb7f5fbfd5e0a44
SHA512 dcb063acf9fc568ffa4f49a7e601ad1d7919143dead36d3aa662bd2999c1104b68c37fcabe59ebaeae1f0ac89de9d3c4617b8e50710f73243bec0b6c011d91dc


C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3748.exe

MD5 dca4db44d2d0136c87f7f33ab22b3eed
SHA1 9b4dc917781ba218786ec489cc1d886729204111
SHA256 1d3e55552c63e914eb30481968058548b0190124aec24582c9dd280c2dc0b097
SHA512 b64786c3dcc9dd82daa7f158095767f4758ccf98ca218cc01ddfac93d5f7db2f141aea779daaf40febe1ff52a9615129c84dd800cdf355dbbbf5e80ae5aab920
