Malware Analysis Report

2025-08-10 13:16

Sample ID 241109-ef9dsaxbmc
Target c9a1793376a7669902f5fe26df45fa2afe2e1f316213eb4e0bc0c5b9db27cb7c
SHA256 c9a1793376a7669902f5fe26df45fa2afe2e1f316213eb4e0bc0c5b9db27cb7c
Tags
healer redline rosn discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

c9a1793376a7669902f5fe26df45fa2afe2e1f316213eb4e0bc0c5b9db27cb7c

Threat Level: Known bad

The file c9a1793376a7669902f5fe26df45fa2afe2e1f316213eb4e0bc0c5b9db27cb7c was found to be: Known bad.

Malicious Activity Summary

healer redline rosn discovery dropper evasion infostealer persistence trojan

Detects Healer, an antivirus disabler dropper

Healer family

Redline family

Healer

RedLine

RedLine payload

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 03:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 03:54

Reported

2024-11-09 03:56

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c9a1793376a7669902f5fe26df45fa2afe2e1f316213eb4e0bc0c5b9db27cb7c.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0109.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0109.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0109.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0109.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0109.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0109.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0109.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0109.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\c9a1793376a7669902f5fe26df45fa2afe2e1f316213eb4e0bc0c5b9db27cb7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un849386.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c9a1793376a7669902f5fe26df45fa2afe2e1f316213eb4e0bc0c5b9db27cb7c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un849386.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0109.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1936.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0109.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0109.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1936.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2140 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\c9a1793376a7669902f5fe26df45fa2afe2e1f316213eb4e0bc0c5b9db27cb7c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un849386.exe
PID 4836 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un849386.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0109.exe
PID 4836 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un849386.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1936.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c9a1793376a7669902f5fe26df45fa2afe2e1f316213eb4e0bc0c5b9db27cb7c.exe

"C:\Users\Admin\AppData\Local\Temp\c9a1793376a7669902f5fe26df45fa2afe2e1f316213eb4e0bc0c5b9db27cb7c.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un849386.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un849386.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0109.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0109.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3208 -ip 3208

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1936.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1936.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un849386.exe

MD5 12f58ef97e1b1d8df6afef2b7e6622ec
SHA1 1747d7e117fc6501ac6a1eb8ffac7de36b412786
SHA256 b436aa8e5827d331a0d090d93e3a8935866a3d1b0d7d244bbce64db7825aa042
SHA512 bd22f55bb367b841f2fb627740dc5986060ec5fb5b3721adaea1177569300cfdaf166b61151c43c39ce0f7d217f23e6fbf4d2d9f4113b166cbd870ccf36e2155

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0109.exe

MD5 5439199f512057b8df3d164237fb39fb
SHA1 d7d6e2e7914d26c95ab23dbdf0158c0cb556a4fa
SHA256 1303306da95987b70dfb522ee601a7a20bb4fe73a0ea4140b3190d0995de04ff
SHA512 bbe0953f1a14cea4ddabf51bdd8b5a72b85237ae2d51eacf0836d60d7900c4cde496d0504ea6a9e5c89487dffce92f62d0420b85e859a8b78b8231b68602352b


C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1936.exe

MD5 80bc579808a2c5a4514ffef6235abc46
SHA1 1e469bdfd631de08a9a8d4f7944a691910880d24
SHA256 b83d67d37e73bc59a04e9d15bf383797ca5d29c4f99837a7105f0b6aac09d8b2
SHA512 db76b8b1926bd3ff552dd561be7084ca3a9dccfbc4b98fda8b478561821e37ee36f70dc170af32f2b68c4d2d37f23501022a0a938fe4c54e4dbf1f33a35cf70a
