Malware Analysis Report

2025-08-11 06:40

Sample ID 241109-ebx5yszkcp
Target de107f0e5b1a27237f8aeeed095d03e0784f46b6ce5e843da2679151effe4788
SHA256 de107f0e5b1a27237f8aeeed095d03e0784f46b6ce5e843da2679151effe4788
Tags
healer redline rosn discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

de107f0e5b1a27237f8aeeed095d03e0784f46b6ce5e843da2679151effe4788

Threat Level: Known bad

The file de107f0e5b1a27237f8aeeed095d03e0784f46b6ce5e843da2679151effe4788 was found to be: Known bad.

Malicious Activity Summary

healer redline rosn discovery dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Redline family

Detects Healer an antivirus disabler dropper

Healer

Healer family

Executes dropped EXE

Windows security modification

Adds Run key to start application

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 03:46

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 03:46

Reported

2024-11-09 03:49

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\de107f0e5b1a27237f8aeeed095d03e0784f46b6ce5e843da2679151effe4788.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
(17 rows, all fields N/A)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3696.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3696.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3696.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3696.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3696.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3696.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
(20 rows, all fields N/A)

Redline family

redline

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3696.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3696.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\de107f0e5b1a27237f8aeeed095d03e0784f46b6ce5e843da2679151effe4788.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un221650.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\de107f0e5b1a27237f8aeeed095d03e0784f46b6ce5e843da2679151effe4788.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un221650.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3696.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0588.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3696.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3696.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3696.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0588.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4384 wrote to memory of 3824 | N/A | C:\Users\Admin\AppData\Local\Temp\de107f0e5b1a27237f8aeeed095d03e0784f46b6ce5e843da2679151effe4788.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un221650.exe
PID 4384 wrote to memory of 3824 | N/A | C:\Users\Admin\AppData\Local\Temp\de107f0e5b1a27237f8aeeed095d03e0784f46b6ce5e843da2679151effe4788.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un221650.exe
PID 4384 wrote to memory of 3824 | N/A | C:\Users\Admin\AppData\Local\Temp\de107f0e5b1a27237f8aeeed095d03e0784f46b6ce5e843da2679151effe4788.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un221650.exe
PID 3824 wrote to memory of 848 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un221650.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3696.exe
PID 3824 wrote to memory of 848 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un221650.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3696.exe
PID 3824 wrote to memory of 848 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un221650.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3696.exe
PID 3824 wrote to memory of 1244 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un221650.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0588.exe
PID 3824 wrote to memory of 1244 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un221650.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0588.exe
PID 3824 wrote to memory of 1244 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un221650.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0588.exe

Processes

C:\Users\Admin\AppData\Local\Temp\de107f0e5b1a27237f8aeeed095d03e0784f46b6ce5e843da2679151effe4788.exe

"C:\Users\Admin\AppData\Local\Temp\de107f0e5b1a27237f8aeeed095d03e0784f46b6ce5e843da2679151effe4788.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un221650.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un221650.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3696.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3696.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 848 -ip 848

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0588.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0588.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
RU | 176.113.115.145:4125 | | tcp
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
RU | 176.113.115.145:4125 | | tcp
RU | 176.113.115.145:4125 | | tcp
RU | 176.113.115.145:4125 | | tcp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
RU | 176.113.115.145:4125 | | tcp
RU | 176.113.115.145:4125 | | tcp
US | 8.8.8.8:53 | 7.173.189.20.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un221650.exe

MD5 8389155b3cdf35388975c2a799b592aa
SHA1 552f9d86a3ebe39c9a490496d62078f5ed37c5f8
SHA256 f992547f326a34a46a6e26a9b0bb3d34a74d0eb34edb1186ddcea1d7010db539
SHA512 6720ea55a218d45534de0d998caad8ba5c2154da01bcaa4027c5a77f030eb1bc6513577ae6c787d5a470a34a4597e18ecef143131b9a4723a476ed38e769b468

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3696.exe

MD5 217e1777bb5a9638e0672bca975afe56
SHA1 2c7e1ec4a3c579bc311cdb5c079f9f91c6d971b3
SHA256 9c9168311e613c2995e8d8859dca9bc0fa26042b27b2e280aa60f7de7a2996e0
SHA512 eabba88778b6e8947cc0661fed713276152cb1a7f09b5be7851f4af33fd18f509587c398db4f9f525583c54d36fe7d2a09aa382eddae8afa545a6fa854cbd656

memory/848-15-0x0000000000AE0000-0x0000000000BE0000-memory.dmp

memory/848-16-0x00000000008E0000-0x000000000090D000-memory.dmp

memory/848-17-0x0000000000400000-0x0000000000430000-memory.dmp

memory/848-18-0x0000000000400000-0x00000000007FC000-memory.dmp

memory/848-19-0x0000000000AB0000-0x0000000000ACA000-memory.dmp

memory/848-20-0x0000000004EF0000-0x0000000005494000-memory.dmp

memory/848-21-0x0000000002830000-0x0000000002848000-memory.dmp

memory/848-22-0x0000000002830000-0x0000000002842000-memory.dmp

memory/848-49-0x0000000002830000-0x0000000002842000-memory.dmp

memory/848-47-0x0000000002830000-0x0000000002842000-memory.dmp

memory/848-45-0x0000000002830000-0x0000000002842000-memory.dmp

memory/848-44-0x0000000002830000-0x0000000002842000-memory.dmp

memory/848-41-0x0000000002830000-0x0000000002842000-memory.dmp

memory/848-39-0x0000000002830000-0x0000000002842000-memory.dmp

memory/848-38-0x0000000002830000-0x0000000002842000-memory.dmp

memory/848-35-0x0000000002830000-0x0000000002842000-memory.dmp

memory/848-33-0x0000000002830000-0x0000000002842000-memory.dmp

memory/848-32-0x0000000002830000-0x0000000002842000-memory.dmp

memory/848-29-0x0000000002830000-0x0000000002842000-memory.dmp

memory/848-27-0x0000000002830000-0x0000000002842000-memory.dmp

memory/848-25-0x0000000002830000-0x0000000002842000-memory.dmp

memory/848-23-0x0000000002830000-0x0000000002842000-memory.dmp

memory/848-50-0x0000000000AE0000-0x0000000000BE0000-memory.dmp

memory/848-51-0x00000000008E0000-0x000000000090D000-memory.dmp

memory/848-52-0x0000000000400000-0x0000000000430000-memory.dmp

memory/848-56-0x0000000000400000-0x0000000000430000-memory.dmp

memory/848-55-0x0000000000400000-0x00000000007FC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0588.exe

MD5 9e0e83a0b6939bf64093ba9a60c5d80b
SHA1 1a07a07a5a1350f7ef5f17557bef484202fbc94f
SHA256 48ad52ba751f573156182b27f047d7e8bcebdd40ce1b3b2fe99bb953634cdf6f
SHA512 08d32f1c3e5f12aecb8ad7221d0d8a4293701c0f27814e15b4822f0b7570f7d514660937deac15d2bda2998b77ef2da6bbcbfbb3aa7ba00b85d2eca4e568a218

memory/1244-61-0x0000000002390000-0x00000000023D6000-memory.dmp

memory/1244-62-0x0000000005400000-0x0000000005444000-memory.dmp

memory/1244-68-0x0000000005400000-0x000000000543F000-memory.dmp

memory/1244-72-0x0000000005400000-0x000000000543F000-memory.dmp

memory/1244-96-0x0000000005400000-0x000000000543F000-memory.dmp

memory/1244-94-0x0000000005400000-0x000000000543F000-memory.dmp

memory/1244-92-0x0000000005400000-0x000000000543F000-memory.dmp

memory/1244-90-0x0000000005400000-0x000000000543F000-memory.dmp

memory/1244-88-0x0000000005400000-0x000000000543F000-memory.dmp

memory/1244-86-0x0000000005400000-0x000000000543F000-memory.dmp

memory/1244-84-0x0000000005400000-0x000000000543F000-memory.dmp

memory/1244-80-0x0000000005400000-0x000000000543F000-memory.dmp

memory/1244-78-0x0000000005400000-0x000000000543F000-memory.dmp

memory/1244-76-0x0000000005400000-0x000000000543F000-memory.dmp

memory/1244-75-0x0000000005400000-0x000000000543F000-memory.dmp

memory/1244-70-0x0000000005400000-0x000000000543F000-memory.dmp

memory/1244-82-0x0000000005400000-0x000000000543F000-memory.dmp

memory/1244-66-0x0000000005400000-0x000000000543F000-memory.dmp

memory/1244-64-0x0000000005400000-0x000000000543F000-memory.dmp

memory/1244-63-0x0000000005400000-0x000000000543F000-memory.dmp

memory/1244-969-0x0000000005440000-0x0000000005A58000-memory.dmp

memory/1244-970-0x0000000005AE0000-0x0000000005BEA000-memory.dmp

memory/1244-971-0x0000000005C20000-0x0000000005C32000-memory.dmp

memory/1244-972-0x0000000005C40000-0x0000000005C7C000-memory.dmp

memory/1244-973-0x0000000005D90000-0x0000000005DDC000-memory.dmp