Malware Analysis Report

2025-04-13 23:55

Sample ID 241104-znsffszkhm
Target f72b8dc2921964fd12d83716e9dced2334bb52be1697a31560e8562ca8123a17
SHA256 f72b8dc2921964fd12d83716e9dced2334bb52be1697a31560e8562ca8123a17
Tags
healer redline domor discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

f72b8dc2921964fd12d83716e9dced2334bb52be1697a31560e8562ca8123a17

Threat Level: Known bad

The file f72b8dc2921964fd12d83716e9dced2334bb52be1697a31560e8562ca8123a17 was found to be: Known bad.

Malicious Activity Summary

healer redline domor discovery dropper evasion infostealer persistence trojan

RedLine

Detects Healer an antivirus disabler dropper

Redline family

RedLine payload

Healer

Healer family

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Launches sc.exe

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 20:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 20:52

Reported

2024-11-04 20:54

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f72b8dc2921964fd12d83716e9dced2334bb52be1697a31560e8562ca8123a17.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
(17 matches reported; Description, Indicator, Process and Target are N/A for every row)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4345561.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4345561.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4345561.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4345561.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4345561.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4345561.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4345561.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4345561.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\f72b8dc2921964fd12d83716e9dced2334bb52be1697a31560e8562ca8123a17.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0587167.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6112265.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f72b8dc2921964fd12d83716e9dced2334bb52be1697a31560e8562ca8123a17.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0587167.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4345561.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4345561.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4345561.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4345561.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3948 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\f72b8dc2921964fd12d83716e9dced2334bb52be1697a31560e8562ca8123a17.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0587167.exe
PID 3948 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\f72b8dc2921964fd12d83716e9dced2334bb52be1697a31560e8562ca8123a17.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0587167.exe
PID 3948 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\f72b8dc2921964fd12d83716e9dced2334bb52be1697a31560e8562ca8123a17.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0587167.exe
PID 4672 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0587167.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4345561.exe
PID 4672 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0587167.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4345561.exe
PID 4672 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0587167.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4345561.exe
PID 4672 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0587167.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6112265.exe
PID 4672 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0587167.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6112265.exe
PID 4672 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0587167.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6112265.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f72b8dc2921964fd12d83716e9dced2334bb52be1697a31560e8562ca8123a17.exe

"C:\Users\Admin\AppData\Local\Temp\f72b8dc2921964fd12d83716e9dced2334bb52be1697a31560e8562ca8123a17.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0587167.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0587167.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4345561.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4345561.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6112265.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6112265.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
CY 217.196.96.101:4132 tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
CY 217.196.96.101:4132 tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
CY 217.196.96.101:4132 tcp
US 8.8.8.8:53 103.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 134.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
CY 217.196.96.101:4132 tcp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
CY 217.196.96.101:4132 tcp
CY 217.196.96.101:4132 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0587167.exe

MD5 56f3e4bc7a6471688e3402f598a4edae
SHA1 e2941b7a369dc1dbc180ff428a0c2820190efe78
SHA256 5b860622c57dabd0f1fdad9b59fda717403c3051ce0e2df752be53995c787016
SHA512 3793c14a518807062e1b159715fceb18b0b7a55373f6c0ee1e304b792d71dabb8897a378215c2ce74c94737f8b3ae1c2ee4d6b4666d9e2256208213ac7b50a2e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4345561.exe

MD5 b0ca2425d5b3b88178b0d283b1eb1779
SHA1 37975d345f7a6336493acb4868a70b60320723b4
SHA256 1395610a0998694166ffd8523002140102e7274a324fbb7baafe09b7b5b939ae
SHA512 3efb4b2553f10c66678cb6d1ee0eb3e1ee96b04a185c74460aaf9915ba51c53d75b5b1afc80018b3bcfe4fd9326387bbc07fc48ca1a57c34ab004513ed3288e2

memory/3500-14-0x0000000073E8E000-0x0000000073E8F000-memory.dmp

memory/3500-15-0x0000000002190000-0x00000000021AA000-memory.dmp

memory/3500-16-0x0000000073E80000-0x0000000074630000-memory.dmp

memory/3500-19-0x0000000073E80000-0x0000000074630000-memory.dmp

memory/3500-18-0x00000000049B0000-0x00000000049C8000-memory.dmp

memory/3500-17-0x0000000004A00000-0x0000000004FA4000-memory.dmp

memory/3500-20-0x0000000073E80000-0x0000000074630000-memory.dmp

memory/3500-30-0x00000000049B0000-0x00000000049C2000-memory.dmp

memory/3500-48-0x00000000049B0000-0x00000000049C2000-memory.dmp

memory/3500-46-0x00000000049B0000-0x00000000049C2000-memory.dmp

memory/3500-44-0x00000000049B0000-0x00000000049C2000-memory.dmp

memory/3500-42-0x00000000049B0000-0x00000000049C2000-memory.dmp

memory/3500-40-0x00000000049B0000-0x00000000049C2000-memory.dmp

memory/3500-38-0x00000000049B0000-0x00000000049C2000-memory.dmp

memory/3500-36-0x00000000049B0000-0x00000000049C2000-memory.dmp

memory/3500-34-0x00000000049B0000-0x00000000049C2000-memory.dmp

memory/3500-32-0x00000000049B0000-0x00000000049C2000-memory.dmp

memory/3500-28-0x00000000049B0000-0x00000000049C2000-memory.dmp

memory/3500-26-0x00000000049B0000-0x00000000049C2000-memory.dmp

memory/3500-24-0x00000000049B0000-0x00000000049C2000-memory.dmp

memory/3500-21-0x00000000049B0000-0x00000000049C2000-memory.dmp

memory/3500-22-0x00000000049B0000-0x00000000049C2000-memory.dmp

memory/3500-49-0x0000000073E8E000-0x0000000073E8F000-memory.dmp

memory/3500-50-0x0000000073E80000-0x0000000074630000-memory.dmp

memory/3500-52-0x0000000073E80000-0x0000000074630000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6112265.exe

MD5 4774fb96fea225b2ad8a32cec864c387
SHA1 e03fd42ae129c6189b402be1e61ec201608add98
SHA256 8f1c0ea6bc828810b694b89950b51cb3bbeed85fb9dca24ee88f856718bdd5f8
SHA512 75ff5438dca2df9944bbade0ebcba905d2154d9775ed0d9ffd9ad89c567e21f7f36faa544c552380337c7a809e8806dfdcda6be6325e87a74174a3bc8c3d6201

memory/3744-56-0x0000000000E30000-0x0000000000E5E000-memory.dmp

memory/3744-57-0x0000000001940000-0x0000000001946000-memory.dmp

memory/3744-58-0x000000000B280000-0x000000000B898000-memory.dmp

memory/3744-59-0x000000000ADE0000-0x000000000AEEA000-memory.dmp

memory/3744-60-0x000000000AD10000-0x000000000AD22000-memory.dmp

memory/3744-61-0x000000000AD70000-0x000000000ADAC000-memory.dmp

memory/3744-62-0x0000000005110000-0x000000000515C000-memory.dmp