Malware Analysis Report

2025-04-13 23:55

Sample ID 241104-zml72swnew
Target e4eef19246b37580b9e3cee91138ee354587df3977ae371ba990a86cf3436c4e
SHA256 e4eef19246b37580b9e3cee91138ee354587df3977ae371ba990a86cf3436c4e
Tags
healer redline rosn discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

e4eef19246b37580b9e3cee91138ee354587df3977ae371ba990a86cf3436c4e

Threat Level: Known bad

The file e4eef19246b37580b9e3cee91138ee354587df3977ae371ba990a86cf3436c4e was found to be: Known bad.

Malicious Activity Summary

healer redline rosn discovery dropper evasion infostealer persistence trojan

Redline family

Healer

RedLine payload

Modifies Windows Defender Real-time Protection settings

RedLine

Detects Healer, an antivirus disabler dropper

Healer family

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 20:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 20:50

Reported

2024-11-04 20:52

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e4eef19246b37580b9e3cee91138ee354587df3977ae371ba990a86cf3436c4e.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A (17 rows, all N/A)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9605.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9605.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9605.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9605.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9605.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9605.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A (20 rows, all N/A)

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9605.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9605.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\e4eef19246b37580b9e3cee91138ee354587df3977ae371ba990a86cf3436c4e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un599309.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9605.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4440.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e4eef19246b37580b9e3cee91138ee354587df3977ae371ba990a86cf3436c4e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un599309.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9605.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9605.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9605.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4440.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4948 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\e4eef19246b37580b9e3cee91138ee354587df3977ae371ba990a86cf3436c4e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un599309.exe
PID 4948 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\e4eef19246b37580b9e3cee91138ee354587df3977ae371ba990a86cf3436c4e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un599309.exe
PID 4948 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\e4eef19246b37580b9e3cee91138ee354587df3977ae371ba990a86cf3436c4e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un599309.exe
PID 220 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un599309.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9605.exe
PID 220 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un599309.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9605.exe
PID 220 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un599309.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9605.exe
PID 220 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un599309.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4440.exe
PID 220 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un599309.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4440.exe
PID 220 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un599309.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4440.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e4eef19246b37580b9e3cee91138ee354587df3977ae371ba990a86cf3436c4e.exe

"C:\Users\Admin\AppData\Local\Temp\e4eef19246b37580b9e3cee91138ee354587df3977ae371ba990a86cf3436c4e.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un599309.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un599309.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9605.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9605.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1056 -ip 1056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4440.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4440.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 101.11.19.2.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un599309.exe

MD5 8193bc63c5cfb159f28b57c4a2d77904
SHA1 2ac678ec04c8e26935b0ec85fed1a976df43ba2c
SHA256 eddda6633f61d2f7d91d31262f1ed25fdb40458a51e4a6e1a4eb20d7158e44db
SHA512 e30834fea0155968f89259e4ade5162731703634d1546706a2a6a9f0b1ab9793cd8802b6d29b19e7d70ad8a254a90043a919cd8ade30c0a0041b20c8e2b893f3

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9605.exe

MD5 11776ebb00ce0417c5ca25138603debc
SHA1 76b9be4392390ee65452d122b08ed33d2b25b5f1
SHA256 00e52267def78526ac298d2161f8c50ebe821f6fe33808a155d0ae6319295009
SHA512 1917151ee80b61d0e5882138d7f48ed8516d96e5f3be58b5964fdc0786d9ee40261a8d4ecb25bb4cd3ec8099df7a23778c3dfea8fad7a853aea08260573646cf

memory/1056-15-0x0000000002DE0000-0x0000000002EE0000-memory.dmp

memory/1056-16-0x0000000002C70000-0x0000000002C9D000-memory.dmp

memory/1056-17-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1056-18-0x0000000004D40000-0x0000000004D5A000-memory.dmp

memory/1056-19-0x00000000073F0000-0x0000000007994000-memory.dmp

memory/1056-20-0x0000000007260000-0x0000000007278000-memory.dmp

memory/1056-44-0x0000000007260000-0x0000000007272000-memory.dmp

memory/1056-48-0x0000000007260000-0x0000000007272000-memory.dmp

memory/1056-46-0x0000000007260000-0x0000000007272000-memory.dmp

memory/1056-42-0x0000000007260000-0x0000000007272000-memory.dmp

memory/1056-40-0x0000000007260000-0x0000000007272000-memory.dmp

memory/1056-38-0x0000000007260000-0x0000000007272000-memory.dmp

memory/1056-36-0x0000000007260000-0x0000000007272000-memory.dmp

memory/1056-34-0x0000000007260000-0x0000000007272000-memory.dmp

memory/1056-32-0x0000000007260000-0x0000000007272000-memory.dmp

memory/1056-30-0x0000000007260000-0x0000000007272000-memory.dmp

memory/1056-28-0x0000000007260000-0x0000000007272000-memory.dmp

memory/1056-26-0x0000000007260000-0x0000000007272000-memory.dmp

memory/1056-24-0x0000000007260000-0x0000000007272000-memory.dmp

memory/1056-22-0x0000000007260000-0x0000000007272000-memory.dmp

memory/1056-21-0x0000000007260000-0x0000000007272000-memory.dmp

memory/1056-49-0x0000000002DE0000-0x0000000002EE0000-memory.dmp

memory/1056-50-0x0000000002C70000-0x0000000002C9D000-memory.dmp

memory/1056-52-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1056-51-0x0000000000400000-0x0000000002B84000-memory.dmp

memory/1056-55-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4440.exe

MD5 b78adf57ebe721d4756d6db4c85c1c76
SHA1 38ecd125094bb2f8c9b81666a6c80c42a720c49a
SHA256 a847f283dec48c92df51ef26ac55b197e5c1f946f1cc6851d44a3c76802acc8a
SHA512 ba56669ba6e25cc7da9e1f1b21243b329a44d44d5d711e6303882c86269f24c1a13edc433c160deb4b7d75f383c382f9ff9be22c8806524ea0808aa63c5f243a

memory/1056-54-0x0000000000400000-0x0000000002B84000-memory.dmp

memory/2836-60-0x0000000004C80000-0x0000000004CC6000-memory.dmp

memory/2836-61-0x0000000007190000-0x00000000071D4000-memory.dmp

memory/2836-75-0x0000000007190000-0x00000000071CF000-memory.dmp

memory/2836-85-0x0000000007190000-0x00000000071CF000-memory.dmp

memory/2836-95-0x0000000007190000-0x00000000071CF000-memory.dmp

memory/2836-93-0x0000000007190000-0x00000000071CF000-memory.dmp

memory/2836-91-0x0000000007190000-0x00000000071CF000-memory.dmp

memory/2836-89-0x0000000007190000-0x00000000071CF000-memory.dmp

memory/2836-87-0x0000000007190000-0x00000000071CF000-memory.dmp

memory/2836-83-0x0000000007190000-0x00000000071CF000-memory.dmp

memory/2836-81-0x0000000007190000-0x00000000071CF000-memory.dmp

memory/2836-79-0x0000000007190000-0x00000000071CF000-memory.dmp

memory/2836-77-0x0000000007190000-0x00000000071CF000-memory.dmp

memory/2836-73-0x0000000007190000-0x00000000071CF000-memory.dmp

memory/2836-71-0x0000000007190000-0x00000000071CF000-memory.dmp

memory/2836-69-0x0000000007190000-0x00000000071CF000-memory.dmp

memory/2836-67-0x0000000007190000-0x00000000071CF000-memory.dmp

memory/2836-65-0x0000000007190000-0x00000000071CF000-memory.dmp

memory/2836-63-0x0000000007190000-0x00000000071CF000-memory.dmp

memory/2836-62-0x0000000007190000-0x00000000071CF000-memory.dmp

memory/2836-968-0x0000000007920000-0x0000000007F38000-memory.dmp

memory/2836-969-0x0000000007F40000-0x000000000804A000-memory.dmp

memory/2836-970-0x00000000072C0000-0x00000000072D2000-memory.dmp

memory/2836-971-0x00000000072E0000-0x000000000731C000-memory.dmp

memory/2836-972-0x0000000008150000-0x000000000819C000-memory.dmp