Malware Analysis Report

2025-04-13 23:56

Sample ID 241104-zmtxwswnez
Target 9a44bd74038d3681791bb4e147be1e9220af0d71e9a32a20a59391b43e2d314f
SHA256 9a44bd74038d3681791bb4e147be1e9220af0d71e9a32a20a59391b43e2d314f
Tags
healer redline discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9a44bd74038d3681791bb4e147be1e9220af0d71e9a32a20a59391b43e2d314f

Threat Level: Known bad

The file 9a44bd74038d3681791bb4e147be1e9220af0d71e9a32a20a59391b43e2d314f was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

Redline family

Detects Healer an antivirus disabler dropper

Healer

Healer family

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Windows security modification

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 20:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 20:50

Reported

2024-11-04 20:53

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9a44bd74038d3681791bb4e147be1e9220af0d71e9a32a20a59391b43e2d314f.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
(17 hits; the sandbox exported no description, indicator, process or target for this signature, all columns N/A)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr065875.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr065875.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr065875.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr065875.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr065875.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr065875.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(20 hits; the sandbox exported no description, indicator, process or target for this signature, all columns N/A)

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr065875.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr065875.exe N/A
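
The Defender policy writes above are the most actionable telemetry in this report, so here is a small detector, added for this page and not part of the sandbox's own output, that parses rows in the report's "Set value" layout (the six rows above are embedded as constructed sample input, plus one assumed benign row), folds the WOW6432Node view the 32-bit writer produced back onto the logical HKLM\SOFTWARE path, and flags the Real-Time Protection Disable* values and TamperProtection = 0. The rule names and the Finding type are this example's own. One caveat: the report records the writes, not their effect; on a host with Tamper Protection enabled these policy values are exactly what it is designed to ignore or revert, so treat the events as an intent signal to alert on and confirm Defender's actual state separately (Get-MpComputerStatus, Get-MpPreference).

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the six "Set value" rows from the two Defender
# signature tables in the report, in the report's own row layout, plus one
# benign row (assumed, not from the report) so the scanner has a non-match.
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr065875.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr065875.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr065875.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr065875.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr065875.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr065875.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr065875.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = "1" C:\Windows\explorer.exe N/A
"""

# One report row: Set value (<type>) <key path> = "<data>" <process> <target>
SET_VALUE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.+?) = "(?P<value>[^"]*)" (?P<process>\S+) (?P<target>\S+)$'
)

# Values under the Real-Time Protection policy key that switch a protection off when set to 1.
RTP_KEY = "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\"
RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring", "DisableBehaviorMonitoring", "DisableIOAVProtection",
    "DisableOnAccessProtection", "DisableScanOnRealtimeEnable",
}
TAMPER_VALUE = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection"


@dataclass(frozen=True)
class Finding:          # example's own type, not a sandbox structure
    rule: str
    value_path: str
    process: str


def normalize(path: str) -> str:
    """Map the sandbox's native-format key path to the HKLM form a Sysmon/EDR
    event shows, folding the WOW6432Node view of a 32-bit writer back onto the
    logical HKLM\\SOFTWARE key."""
    wow = "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\"
    machine = "\\REGISTRY\\MACHINE\\"
    if path.startswith(wow):
        return "HKLM\\SOFTWARE\\" + path[len(wow):]
    if path.startswith(machine):
        return "HKLM\\" + path[len(machine):]
    return path


def classify(path: str, value: str) -> Optional[str]:
    """Return a rule name for a Defender-weakening write, else None."""
    if path.startswith(RTP_KEY):
        name = path[len(RTP_KEY):]
        if name in RTP_DISABLE_VALUES and value == "1":
            return "defender_realtime_protection_disabled"
    if path == TAMPER_VALUE and value == "0":
        return "defender_tamper_protection_off"
    return None


def scan(rows: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in rows.splitlines():
        m = SET_VALUE.match(line.strip())
        if not m:
            continue  # "Key created" rows and blank lines carry no data to judge
        path = normalize(m["path"])
        rule = classify(path, m["value"])
        if rule:
            findings.append(Finding(rule, path, m["process"]))
    return findings


def by_process(findings: List[Finding]) -> Dict[str, Dict[str, List[str]]]:
    """Group hits as process -> rule -> [value names], the shape an alert wants."""
    out: Dict[str, Dict[str, List[str]]] = defaultdict(lambda: defaultdict(list))
    for f in findings:
        out[f.process][f.rule].append(f.value_path.rsplit("\\", 1)[1])
    return {proc: dict(rules) for proc, rules in out.items()}


if __name__ == "__main__":
    for proc, rules in by_process(scan(SAMPLE_ROWS)).items():
        print(proc)
        for rule, names in rules.items():
            print(f"  {rule}: {', '.join(names)}")
```

Run it and the only process reported is pr065875.exe with five real-time-protection values and the TamperProtection write; the constructed explorer.exe row is ignored. The same two rules translate directly to a Sysmon Event ID 13 (RegistryEvent SetValue) filter on the normalized TargetObject path.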

Adds Run key to start application

persistence
Note: the three RunOnce values below are the standard WExtract (IExpress self-extractor) cleanup stubs. DelNodeRunDLL32 in advpack.dll deletes the named directory at the next logon, so each entry removes one IXP00n.TMP extraction directory rather than relaunching anything; one is registered per nesting level (the submitted sample, un729903.exe and un896666.exe), which is what exposes the three-level SFX chain. They give the final payloads no persistence, and the report shows no other autostart entry.
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\9a44bd74038d3681791bb4e147be1e9220af0d71e9a32a20a59391b43e2d314f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un729903.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un896666.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9a44bd74038d3681791bb4e147be1e9220af0d71e9a32a20a59391b43e2d314f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un729903.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un896666.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr065875.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu162953.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr065875.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr065875.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr065875.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu162953.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4568 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\9a44bd74038d3681791bb4e147be1e9220af0d71e9a32a20a59391b43e2d314f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un729903.exe
PID 4568 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\9a44bd74038d3681791bb4e147be1e9220af0d71e9a32a20a59391b43e2d314f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un729903.exe
PID 4568 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\9a44bd74038d3681791bb4e147be1e9220af0d71e9a32a20a59391b43e2d314f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un729903.exe
PID 1476 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un729903.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un896666.exe
PID 1476 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un729903.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un896666.exe
PID 1476 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un729903.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un896666.exe
PID 1644 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un896666.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr065875.exe
PID 1644 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un896666.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr065875.exe
PID 1644 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un896666.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr065875.exe
PID 1644 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un896666.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu162953.exe
PID 1644 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un896666.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu162953.exe
PID 1644 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un896666.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu162953.exe
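
As an added example (not part of the report), the following reconstructs the dropper chain from rows in the report's WriteProcessMemory layout: a constructed subset of the rows above is embedded, repeated rows are folded, the IXP00n.TMP stage index is read off each image path, and the result is rendered as a tree. Worth noting before reading these rows as injection: every row is a parent writing into the child it had just spawned (the pairs match the Processes list), so what the rows establish is the process tree, not a write into an unrelated process. It also pins down the crash: the WerFault.exe -p 4584 entries in the Processes list belong to pr065875.exe, the Healer stage.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample input: a subset of the WriteProcessMemory rows from the
# table above, in the report's own layout, with two of the repeated rows kept
# so the deduplication is exercised.
WRITE_ROWS = r"""
PID 4568 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\9a44bd74038d3681791bb4e147be1e9220af0d71e9a32a20a59391b43e2d314f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un729903.exe
PID 4568 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\9a44bd74038d3681791bb4e147be1e9220af0d71e9a32a20a59391b43e2d314f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un729903.exe
PID 1476 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un729903.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un896666.exe
PID 1644 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un896666.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr065875.exe
PID 1644 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un896666.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu162953.exe
PID 1644 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un896666.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu162953.exe
"""

# One report row: PID <src> wrote to memory of <dst> N/A <src image> <dst image>
WRITE_ROW = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_image>\S+) (?P<dst_image>\S+)$"
)
# WExtract numbers its nested extraction directories IXP000.TMP, IXP001.TMP, ...
STAGE_DIR = re.compile(r"\\IXP(\d{3})\.TMP\\", re.IGNORECASE)

Write = Tuple[int, int, str, str]


def parse_writes(rows: str) -> List[Write]:
    out: List[Write] = []
    for line in rows.splitlines():
        m = WRITE_ROW.match(line.strip())
        if m:
            out.append((int(m["src"]), int(m["dst"]), m["src_image"], m["dst_image"]))
    return out


def build_tree(writes: List[Write]) -> Tuple[Dict[int, List[int]], Dict[int, str]]:
    """Fold the per-write rows into unique parent -> [children] edges plus a
    PID -> image map; children are sorted so output is deterministic."""
    children: Dict[int, List[int]] = defaultdict(list)
    images: Dict[int, str] = {}
    seen = set()
    for src, dst, src_image, dst_image in writes:
        images.setdefault(src, src_image)
        images.setdefault(dst, dst_image)
        if (src, dst) in seen:
            continue
        seen.add((src, dst))
        children[src].append(dst)
    for kids in children.values():
        kids.sort()
    return dict(children), images


def roots(children: Dict[int, List[int]], images: Dict[int, str]) -> List[int]:
    """PIDs that are never written to: the submitted sample in this report."""
    all_children = {c for kids in children.values() for c in kids}
    return sorted(p for p in images if p not in all_children)


def stage_of(image: str) -> Optional[int]:
    m = STAGE_DIR.search(image)
    return int(m.group(1)) if m else None


def depth(children: Dict[int, List[int]], root: int, pid: int, d: int = 0) -> Optional[int]:
    """Edges from root to pid, or None if pid is not below root."""
    if root == pid:
        return d
    for child in children.get(root, []):
        found = depth(children, child, pid, d + 1)
        if found is not None:
            return found
    return None


def render(children: Dict[int, List[int]], images: Dict[int, str], pid: int, indent: int = 0) -> str:
    label = images[pid].rsplit("\\", 1)[-1]
    stage = stage_of(images[pid])
    tag = f"  [stage {stage}]" if stage is not None else "  [submitted sample]"
    lines = ["  " * indent + f"{pid}  {label}{tag}"]
    for child in children.get(pid, []):
        lines.append(render(children, images, child, indent + 1))
    return "\n".join(lines)


if __name__ == "__main__":
    tree, imgs = build_tree(parse_writes(WRITE_ROWS))
    for root in roots(tree, imgs):
        print(render(tree, imgs, root))
```

The rendered tree is the sample at the top, un729903.exe (stage 0) under it, un896666.exe (stage 1) under that, and the two stage-2 binaries pr065875.exe and qu162953.exe as siblings; the stage number of each image is the WExtract nesting depth, so a depth-3 leaf means three layers of SFX wrapping around the payloads.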

Processes

C:\Users\Admin\AppData\Local\Temp\9a44bd74038d3681791bb4e147be1e9220af0d71e9a32a20a59391b43e2d314f.exe

"C:\Users\Admin\AppData\Local\Temp\9a44bd74038d3681791bb4e147be1e9220af0d71e9a32a20a59391b43e2d314f.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un729903.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un729903.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un896666.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un896666.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr065875.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr065875.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4584 -ip 4584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu162953.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu162953.exe

Network

The only non-Microsoft endpoint in the capture is 185.161.248.152:38452 (RU), contacted seven times directly by IP with no preceding DNS query for it; the bing.com connections and the in-addr.arpa reverse lookups of cloud/CDN addresses look like the analysis VM's own Windows background traffic. The report does not attribute the connection to a specific process.

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 134.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
RU 185.161.248.152:38452 tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 101.11.19.2.in-addr.arpa udp
RU 185.161.248.152:38452 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
RU 185.161.248.152:38452 tcp
US 8.8.8.8:53 133.190.18.2.in-addr.arpa udp
RU 185.161.248.152:38452 tcp
US 8.8.8.8:53 101.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
RU 185.161.248.152:38452 tcp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
RU 185.161.248.152:38452 tcp
RU 185.161.248.152:38452 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un729903.exe

MD5 7b8904205ff2bd06e934aac1c2caa5c4
SHA1 3450333d5597f5a51cf15ca45169df25c50ee655
SHA256 b8c1ac6d3f752ae9590988a1ac0f4415dd3d83ded6a505bf6fe2341e946b82c8
SHA512 1142f5590b6da15df48d9af982149e773c3f61886c4b33384de58a9f50ef8c4a4c1f5d71642a0cb092a590a6b7931282b96cd835628827b425d0d562f91763a6

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un896666.exe

MD5 a59d56c9efa4f4b56a1b12ca3c956566
SHA1 a0cd1b68a122033557191294155c657eb20d7df3
SHA256 59e008dbdb5351cf910c38cf7f97f449698820dd8ec219e73308ee4577a7696a
SHA512 7e1c5620ac7b5d385d6adf9aa7101e27c578b94c02619fe948986e42536f52fec5849e883276e9362236d8b19969d58368285961c0db220aba446a75a28a762b

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr065875.exe

MD5 59d57a1e156f3c9ef62107bd20cfc060
SHA1 d5225d4625e8d2bfa4cf8dfc758f1037e817a7a6
SHA256 b7c02a9cec3352314f28c0ec3613392780e517321d8d725583b6a551defda06e
SHA512 67f507db3e39c505825cf273bc14d2bf48dbb5fde888817eff80240c94b61ab3e1dbded4ab7e389964e1985d992d0eb24b04e26fe112448f3d2f3542c46f4ec9

memory/4584-22-0x00000000009A0000-0x0000000000AA0000-memory.dmp

memory/4584-23-0x0000000002800000-0x000000000281A000-memory.dmp

memory/4584-24-0x0000000005090000-0x0000000005634000-memory.dmp

memory/4584-25-0x0000000004EE0000-0x0000000004EF8000-memory.dmp

memory/4584-26-0x0000000004EE0000-0x0000000004EF2000-memory.dmp

memory/4584-53-0x0000000004EE0000-0x0000000004EF2000-memory.dmp

memory/4584-51-0x0000000004EE0000-0x0000000004EF2000-memory.dmp

memory/4584-49-0x0000000004EE0000-0x0000000004EF2000-memory.dmp

memory/4584-47-0x0000000004EE0000-0x0000000004EF2000-memory.dmp

memory/4584-45-0x0000000004EE0000-0x0000000004EF2000-memory.dmp

memory/4584-43-0x0000000004EE0000-0x0000000004EF2000-memory.dmp

memory/4584-41-0x0000000004EE0000-0x0000000004EF2000-memory.dmp

memory/4584-39-0x0000000004EE0000-0x0000000004EF2000-memory.dmp

memory/4584-37-0x0000000004EE0000-0x0000000004EF2000-memory.dmp

memory/4584-35-0x0000000004EE0000-0x0000000004EF2000-memory.dmp

memory/4584-33-0x0000000004EE0000-0x0000000004EF2000-memory.dmp

memory/4584-31-0x0000000004EE0000-0x0000000004EF2000-memory.dmp

memory/4584-29-0x0000000004EE0000-0x0000000004EF2000-memory.dmp

memory/4584-27-0x0000000004EE0000-0x0000000004EF2000-memory.dmp

memory/4584-55-0x00000000009A0000-0x0000000000AA0000-memory.dmp

memory/4584-54-0x0000000000400000-0x000000000080A000-memory.dmp

memory/4584-57-0x0000000000400000-0x000000000080A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu162953.exe

MD5 888fec8a1985d6c2ffe617e12329d330
SHA1 9268f1b40c875ff57c41b6ee8170bb17e51df2c3
SHA256 971714e3bd11cfecf229b171dd1d7e2214c0f0eb63020903bb6f4d6e9734d20d
SHA512 7763e23ed7ed276466738b79e4c5266fc9a1e54e3233323b63cd16adbb18d89654ca717ed2f65ca91503b8ca7419e9de304398f2986976aa523e990e4ce97c6f

memory/4204-62-0x0000000004D70000-0x0000000004DAC000-memory.dmp

memory/4204-63-0x0000000004E30000-0x0000000004E6A000-memory.dmp

memory/4204-65-0x0000000004E30000-0x0000000004E65000-memory.dmp

memory/4204-73-0x0000000004E30000-0x0000000004E65000-memory.dmp

memory/4204-97-0x0000000004E30000-0x0000000004E65000-memory.dmp

memory/4204-95-0x0000000004E30000-0x0000000004E65000-memory.dmp

memory/4204-93-0x0000000004E30000-0x0000000004E65000-memory.dmp

memory/4204-91-0x0000000004E30000-0x0000000004E65000-memory.dmp

memory/4204-89-0x0000000004E30000-0x0000000004E65000-memory.dmp

memory/4204-87-0x0000000004E30000-0x0000000004E65000-memory.dmp

memory/4204-83-0x0000000004E30000-0x0000000004E65000-memory.dmp

memory/4204-81-0x0000000004E30000-0x0000000004E65000-memory.dmp

memory/4204-79-0x0000000004E30000-0x0000000004E65000-memory.dmp

memory/4204-77-0x0000000004E30000-0x0000000004E65000-memory.dmp

memory/4204-75-0x0000000004E30000-0x0000000004E65000-memory.dmp

memory/4204-71-0x0000000004E30000-0x0000000004E65000-memory.dmp

memory/4204-69-0x0000000004E30000-0x0000000004E65000-memory.dmp

memory/4204-67-0x0000000004E30000-0x0000000004E65000-memory.dmp

memory/4204-85-0x0000000004E30000-0x0000000004E65000-memory.dmp

memory/4204-64-0x0000000004E30000-0x0000000004E65000-memory.dmp

memory/4204-856-0x0000000007920000-0x0000000007F38000-memory.dmp

memory/4204-857-0x0000000007FA0000-0x0000000007FB2000-memory.dmp

memory/4204-858-0x0000000007FC0000-0x00000000080CA000-memory.dmp

memory/4204-859-0x00000000080E0000-0x000000000811C000-memory.dmp

memory/4204-860-0x0000000002860000-0x00000000028AC000-memory.dmp