Malware Analysis Report

2025-08-10 13:16

Sample ID 241109-ef76qawnay
Target d9b8e92d6077c83fe446904937dbd37e34a183d1af1fa1d95278179655713efb
SHA256 d9b8e92d6077c83fe446904937dbd37e34a183d1af1fa1d95278179655713efb
Tags
healer redline discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d9b8e92d6077c83fe446904937dbd37e34a183d1af1fa1d95278179655713efb

Threat Level: Known bad

The file d9b8e92d6077c83fe446904937dbd37e34a183d1af1fa1d95278179655713efb was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

Redline family

Modifies Windows Defender Real-time Protection settings

RedLine payload

Healer family

Healer

Detects Healer an antivirus disabler dropper

RedLine

Windows security modification

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 03:54

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 03:54

Reported

2024-11-09 03:56

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d9b8e92d6077c83fe446904937dbd37e34a183d1af1fa1d95278179655713efb.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77211406.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77211406.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77211406.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77211406.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77211406.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77211406.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Redline family

redline

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77211406.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77211406.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\d9b8e92d6077c83fe446904937dbd37e34a183d1af1fa1d95278179655713efb.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un304808.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77211406.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk687410.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d9b8e92d6077c83fe446904937dbd37e34a183d1af1fa1d95278179655713efb.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un304808.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77211406.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77211406.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77211406.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk687410.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3444 wrote to memory of 1924 | N/A | C:\Users\Admin\AppData\Local\Temp\d9b8e92d6077c83fe446904937dbd37e34a183d1af1fa1d95278179655713efb.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un304808.exe
PID 3444 wrote to memory of 1924 | N/A | C:\Users\Admin\AppData\Local\Temp\d9b8e92d6077c83fe446904937dbd37e34a183d1af1fa1d95278179655713efb.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un304808.exe
PID 3444 wrote to memory of 1924 | N/A | C:\Users\Admin\AppData\Local\Temp\d9b8e92d6077c83fe446904937dbd37e34a183d1af1fa1d95278179655713efb.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un304808.exe
PID 1924 wrote to memory of 3516 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un304808.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77211406.exe
PID 1924 wrote to memory of 3516 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un304808.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77211406.exe
PID 1924 wrote to memory of 3516 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un304808.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77211406.exe
PID 1924 wrote to memory of 3248 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un304808.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk687410.exe
PID 1924 wrote to memory of 3248 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un304808.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk687410.exe
PID 1924 wrote to memory of 3248 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un304808.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk687410.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d9b8e92d6077c83fe446904937dbd37e34a183d1af1fa1d95278179655713efb.exe

"C:\Users\Admin\AppData\Local\Temp\d9b8e92d6077c83fe446904937dbd37e34a183d1af1fa1d95278179655713efb.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un304808.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un304808.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77211406.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77211406.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3516 -ip 3516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk687410.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk687410.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
RU | 185.161.248.143:38452 | N/A | tcp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp
RU | 185.161.248.143:38452 | N/A | tcp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
RU | 185.161.248.143:38452 | N/A | tcp
RU | 185.161.248.143:38452 | N/A | tcp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp
RU | 185.161.248.143:38452 | N/A | tcp
RU | 185.161.248.143:38452 | N/A | tcp
RU | 185.161.248.143:38452 | N/A | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un304808.exe

MD5 b5715a8a7dfde31a802387b19321f31b
SHA1 39f0756bbc2cc322fff969028603b8572981e923
SHA256 70d1f037b11e26c7bbcf797fbf86b4e2616d40994f7b7967cc5b4168b662b339
SHA512 92ab6cc19724e4008de54a42ddf997ec537eccdf2a16936ce6c6de8862a9a86a11fed8aebcdd12c74d7e1e5736a0ccd3c21cc2a124809d794863e84548c117dd

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77211406.exe

MD5 24f85c699a19ee5e19fdd82c6e224735
SHA1 ec4fcba5f997ff3cc61d1a6cc36b35efc8427ab8
SHA256 f34886dfa880aa85c0b53f7562db4510487150009654382d225fcdbf8add0a58
SHA512 9cd0f861035d455f30a702eb70b88f549ec96f83467819867b63d584cccad33d6c138e601585099d12d12f1a0cf60f9bb6219aa8001d67b6e97217c0521b884b

memory/3516-15-0x0000000002F20000-0x0000000003020000-memory.dmp

memory/3516-16-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3516-17-0x0000000004930000-0x000000000494A000-memory.dmp

memory/3516-18-0x0000000000400000-0x0000000002B9B000-memory.dmp

memory/3516-19-0x00000000072A0000-0x0000000007844000-memory.dmp

memory/3516-20-0x0000000004BD0000-0x0000000004BE8000-memory.dmp

memory/3516-34-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

memory/3516-46-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

memory/3516-48-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

memory/3516-44-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

memory/3516-42-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

memory/3516-40-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

memory/3516-38-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

memory/3516-36-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

memory/3516-32-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

memory/3516-30-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

memory/3516-28-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

memory/3516-26-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

memory/3516-24-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

memory/3516-22-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

memory/3516-21-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

memory/3516-49-0x0000000002F20000-0x0000000003020000-memory.dmp

memory/3516-51-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3516-50-0x0000000000400000-0x0000000002B9B000-memory.dmp

memory/3516-53-0x0000000000400000-0x0000000002B9B000-memory.dmp

memory/3516-54-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk687410.exe

MD5 8811341d1ea7a75289287e97b6ae3d65
SHA1 bc41b1b0187a35dcdfa016c5a1657aff7133c331
SHA256 fbe65c4fc429a0274e4003e6d31616abc0ef05ddcea1f2a6948275c9eefcf4ea
SHA512 4112905de2e05c53766373ae5ea85e7faf1fa4cbba5a32ee224f6d36e8f4bb8e73b65e588d06dbe0f49898aed73d28e5ea827a295dfa2edb6470971e5d2f40a1

memory/3248-59-0x0000000004BB0000-0x0000000004BEC000-memory.dmp

memory/3248-60-0x0000000004C40000-0x0000000004C7A000-memory.dmp

memory/3248-64-0x0000000004C40000-0x0000000004C75000-memory.dmp

memory/3248-76-0x0000000004C40000-0x0000000004C75000-memory.dmp

memory/3248-94-0x0000000004C40000-0x0000000004C75000-memory.dmp

memory/3248-92-0x0000000004C40000-0x0000000004C75000-memory.dmp

memory/3248-90-0x0000000004C40000-0x0000000004C75000-memory.dmp

memory/3248-88-0x0000000004C40000-0x0000000004C75000-memory.dmp

memory/3248-86-0x0000000004C40000-0x0000000004C75000-memory.dmp

memory/3248-855-0x000000000A360000-0x000000000A46A000-memory.dmp

memory/3248-856-0x000000000A480000-0x000000000A4BC000-memory.dmp

memory/3248-854-0x00000000072E0000-0x00000000072F2000-memory.dmp

memory/3248-853-0x0000000009D40000-0x000000000A358000-memory.dmp

memory/3248-84-0x0000000004C40000-0x0000000004C75000-memory.dmp

memory/3248-82-0x0000000004C40000-0x0000000004C75000-memory.dmp

memory/3248-80-0x0000000004C40000-0x0000000004C75000-memory.dmp

memory/3248-74-0x0000000004C40000-0x0000000004C75000-memory.dmp

memory/3248-72-0x0000000004C40000-0x0000000004C75000-memory.dmp

memory/3248-857-0x00000000048C0000-0x000000000490C000-memory.dmp

memory/3248-70-0x0000000004C40000-0x0000000004C75000-memory.dmp

memory/3248-68-0x0000000004C40000-0x0000000004C75000-memory.dmp

memory/3248-66-0x0000000004C40000-0x0000000004C75000-memory.dmp

memory/3248-78-0x0000000004C40000-0x0000000004C75000-memory.dmp

memory/3248-62-0x0000000004C40000-0x0000000004C75000-memory.dmp

memory/3248-61-0x0000000004C40000-0x0000000004C75000-memory.dmp