Malware Analysis Report

2025-08-11 06:41

Sample ID 241109-eb7dmazkdm
Target a7f387c0f2574f8663005de7101e429305e39117ca84a4246fcd0f93541bba21
SHA256 a7f387c0f2574f8663005de7101e429305e39117ca84a4246fcd0f93541bba21
Tags
healer redline discovery dropper evasion infostealer persistence trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

a7f387c0f2574f8663005de7101e429305e39117ca84a4246fcd0f93541bba21

Threat Level: Known bad

The file a7f387c0f2574f8663005de7101e429305e39117ca84a4246fcd0f93541bba21 was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

Healer family

Redline family

Modifies Windows Defender Real-time Protection settings

Detects Healer an antivirus disabler dropper

Healer

RedLine payload

RedLine

Windows security modification

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 03:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 03:47

Reported

2024-11-09 03:49

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a7f387c0f2574f8663005de7101e429305e39117ca84a4246fcd0f93541bba21.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr953577.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr953577.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr953577.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr953577.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr953577.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr953577.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr953577.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr953577.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\a7f387c0f2574f8663005de7101e429305e39117ca84a4246fcd0f93541bba21.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un880018.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a7f387c0f2574f8663005de7101e429305e39117ca84a4246fcd0f93541bba21.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un880018.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr953577.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu330721.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr953577.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr953577.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr953577.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu330721.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1968 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\a7f387c0f2574f8663005de7101e429305e39117ca84a4246fcd0f93541bba21.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un880018.exe
PID 1968 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\a7f387c0f2574f8663005de7101e429305e39117ca84a4246fcd0f93541bba21.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un880018.exe
PID 1968 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\a7f387c0f2574f8663005de7101e429305e39117ca84a4246fcd0f93541bba21.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un880018.exe
PID 1548 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un880018.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr953577.exe
PID 1548 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un880018.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr953577.exe
PID 1548 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un880018.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr953577.exe
PID 1548 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un880018.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu330721.exe
PID 1548 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un880018.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu330721.exe
PID 1548 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un880018.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu330721.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a7f387c0f2574f8663005de7101e429305e39117ca84a4246fcd0f93541bba21.exe

"C:\Users\Admin\AppData\Local\Temp\a7f387c0f2574f8663005de7101e429305e39117ca84a4246fcd0f93541bba21.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un880018.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un880018.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr953577.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr953577.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3504 -ip 3504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3504 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu330721.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu330721.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.161.248.153:38452 tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
RU 185.161.248.153:38452 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
RU 185.161.248.153:38452 tcp
RU 185.161.248.153:38452 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
RU 185.161.248.153:38452 tcp
RU 185.161.248.153:38452 tcp
RU 185.161.248.153:38452 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un880018.exe

MD5 de3c2c72336d1c423e2d460446007de3
SHA1 48f91ed28921f83b807469060694a559bf94cdae
SHA256 babcda7c3e32d3f2f9ceb5bfcc29294475a5529afed39fa1cbcc0b619a21aff9
SHA512 094dd1c765a88df2e3f54f12b84b355feb1edb6dbb39cfc27345c20041f778b57df4f49cdb2db4e916451df7ca73c49781df473566c120a9857a7733ecca97a7

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr953577.exe

MD5 44328a49e6eb8384e35adfa3e19b9495
SHA1 b45ee412603a3b5d7fe93491db746a1c8acba59b
SHA256 61f871c0542a8fcc6ea81fc869d95fbae3af50dc87cde48326a99c24d952fb42
SHA512 5c820fa684ed83440eb91a139e05101dbd5113eb7bf844a0e013d2561b56acf3d49ed4de89a5ac2599bcd7664ec590e7d7b898a2bcd34fdc6383091114e1a0df

memory/3504-15-0x0000000002F30000-0x0000000003030000-memory.dmp

memory/3504-16-0x0000000002C90000-0x0000000002CBD000-memory.dmp

memory/3504-17-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3504-18-0x0000000002F00000-0x0000000002F1A000-memory.dmp

memory/3504-19-0x00000000072A0000-0x0000000007844000-memory.dmp

memory/3504-20-0x0000000004E10000-0x0000000004E28000-memory.dmp

memory/3504-22-0x0000000004E10000-0x0000000004E22000-memory.dmp

memory/3504-48-0x0000000004E10000-0x0000000004E22000-memory.dmp

memory/3504-44-0x0000000004E10000-0x0000000004E22000-memory.dmp

memory/3504-42-0x0000000004E10000-0x0000000004E22000-memory.dmp

memory/3504-41-0x0000000004E10000-0x0000000004E22000-memory.dmp

memory/3504-38-0x0000000004E10000-0x0000000004E22000-memory.dmp

memory/3504-37-0x0000000004E10000-0x0000000004E22000-memory.dmp

memory/3504-34-0x0000000004E10000-0x0000000004E22000-memory.dmp

memory/3504-33-0x0000000004E10000-0x0000000004E22000-memory.dmp

memory/3504-30-0x0000000004E10000-0x0000000004E22000-memory.dmp

memory/3504-28-0x0000000004E10000-0x0000000004E22000-memory.dmp

memory/3504-26-0x0000000004E10000-0x0000000004E22000-memory.dmp

memory/3504-24-0x0000000004E10000-0x0000000004E22000-memory.dmp

memory/3504-21-0x0000000004E10000-0x0000000004E22000-memory.dmp

memory/3504-46-0x0000000004E10000-0x0000000004E22000-memory.dmp

memory/3504-49-0x0000000002F30000-0x0000000003030000-memory.dmp

memory/3504-51-0x0000000002C90000-0x0000000002CBD000-memory.dmp

memory/3504-50-0x0000000000400000-0x0000000002BB4000-memory.dmp

memory/3504-52-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3504-55-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu330721.exe

MD5 dab3e79815b33249c49762a326249940
SHA1 9843704b17e34915050722b67dbda209a8133bd7
SHA256 f13ab08a3aa121d4e3ff4c538f6bbd2769da1dc35d9c55e2501743101da058ed
SHA512 9fc3c600d2360795c9d240a100bcdb1d31c07fec1290ab3a7348a0425922a7a433efa680adf7f5f937356f6335dd9f2df5ba7c93624fac841e1cac331ebbb024

memory/3504-54-0x0000000000400000-0x0000000002BB4000-memory.dmp

memory/2196-60-0x0000000004AF0000-0x0000000004B2C000-memory.dmp

memory/2196-61-0x0000000007770000-0x00000000077AA000-memory.dmp

memory/2196-65-0x0000000007770000-0x00000000077A5000-memory.dmp

memory/2196-63-0x0000000007770000-0x00000000077A5000-memory.dmp

memory/2196-62-0x0000000007770000-0x00000000077A5000-memory.dmp

memory/2196-87-0x0000000007770000-0x00000000077A5000-memory.dmp

memory/2196-95-0x0000000007770000-0x00000000077A5000-memory.dmp

memory/2196-94-0x0000000007770000-0x00000000077A5000-memory.dmp

memory/2196-91-0x0000000007770000-0x00000000077A5000-memory.dmp

memory/2196-89-0x0000000007770000-0x00000000077A5000-memory.dmp

memory/2196-85-0x0000000007770000-0x00000000077A5000-memory.dmp

memory/2196-83-0x0000000007770000-0x00000000077A5000-memory.dmp

memory/2196-81-0x0000000007770000-0x00000000077A5000-memory.dmp

memory/2196-79-0x0000000007770000-0x00000000077A5000-memory.dmp

memory/2196-77-0x0000000007770000-0x00000000077A5000-memory.dmp

memory/2196-75-0x0000000007770000-0x00000000077A5000-memory.dmp

memory/2196-73-0x0000000007770000-0x00000000077A5000-memory.dmp

memory/2196-71-0x0000000007770000-0x00000000077A5000-memory.dmp

memory/2196-69-0x0000000007770000-0x00000000077A5000-memory.dmp

memory/2196-67-0x0000000007770000-0x00000000077A5000-memory.dmp

memory/2196-854-0x0000000009C90000-0x000000000A2A8000-memory.dmp

memory/2196-855-0x000000000A350000-0x000000000A362000-memory.dmp

memory/2196-856-0x000000000A370000-0x000000000A47A000-memory.dmp

memory/2196-857-0x000000000A4A0000-0x000000000A4DC000-memory.dmp

memory/2196-858-0x0000000006C80000-0x0000000006CCC000-memory.dmp