Malware Analysis Report

2025-08-10 13:16

Sample ID 241109-ejmzyswnfv
Target 06439e37a05c2865479c9f14e8fbd01beaf97d1700be9e48574b7f0968879f16
SHA256 06439e37a05c2865479c9f14e8fbd01beaf97d1700be9e48574b7f0968879f16
Tags
healer redline rosn discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

06439e37a05c2865479c9f14e8fbd01beaf97d1700be9e48574b7f0968879f16

Threat Level: Known bad

The file 06439e37a05c2865479c9f14e8fbd01beaf97d1700be9e48574b7f0968879f16 was found to be: Known bad.

Malicious Activity Summary

healer redline rosn discovery dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

Detects Healer, an antivirus disabler dropper

Healer

RedLine payload

Healer family

RedLine

RedLine family

Executes dropped EXE

Windows security modification

Adds Run key to start application

Launches sc.exe

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 03:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 03:58

Reported

2024-11-09 04:00

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06439e37a05c2865479c9f14e8fbd01beaf97d1700be9e48574b7f0968879f16.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3932.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3932.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3932.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3932.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3932.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3932.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3932.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3932.exe N/A
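
The two registry tables above (the Real-Time Protection policy writes and the TamperProtection write) are the whole job of the Healer stage: pro3932.exe sets five Real-Time Protection policy DWORDs to 1 and TamperProtection to 0, and the sandbox records the writes through the 32-bit SOFTWARE\WOW6432Node view. The script below is an added detection example, not code from the report or from any vendor. It assumes events in the shape of Sysmon Event ID 13 (registry value set) fields, folds the WOW6432Node view into the native path so one rule covers both views and both the sandbox's \REGISTRY\MACHINE\ and Sysmon's HKLM\ prefixes, and uses a hypothetical allowlist (svchost.exe, for Group Policy processing, which legitimately writes the same policy key) that has to be tuned per environment. The sample events are constructed from the report's rows plus two that must not fire.

```python
"""Added example (not from the report): flag Windows Defender registry
tampering of the kind pro3932.exe performed, over Sysmon-shaped events."""
import re

# Real-Time Protection policy values the Healer stage set to 1 (from the report).
RTP_DISABLE_VALUES = {
    "disablebehaviormonitoring",
    "disableioavprotection",
    "disableonaccessprotection",
    "disablerealtimemonitoring",
    "disablescanonrealtimeenable",
}
RTP_POLICY_KEY = r"software\policies\microsoft\windows defender\real-time protection"
FEATURES_KEY = r"software\microsoft\windows defender\features"

# Assumed allowlist of images that may legitimately write these values
# (Group Policy processing). Site-specific; tune before deploying.
ALLOWED_IMAGES = {r"c:\windows\system32\svchost.exe"}

HIVE_PREFIXES = ("\\registry\\machine\\", "hklm\\", "hkey_local_machine\\")
WOW_PREFIX = "software\\wow6432node\\"


def normalize_key(path: str) -> str:
    """Lower-case a registry path, drop the hive prefix and fold the 32-bit
    WOW6432Node view into the native path, so one rule matches the sandbox's
    REGISTRY\\MACHINE form and Sysmon's HKLM form alike."""
    p = path.strip().lower()
    for prefix in HIVE_PREFIXES:
        if p.startswith(prefix):
            p = p[len(prefix):]
            break
    if p.startswith(WOW_PREFIX):
        p = "software\\" + p[len(WOW_PREFIX):]
    return p


def dword(details: str):
    """Parse Sysmon's 'DWORD (0x00000001)' Details field; None if not a DWORD."""
    m = re.fullmatch(r"DWORD \((0x[0-9a-fA-F]+)\)", details.strip())
    return int(m.group(1), 16) if m else None


def classify(event: dict):
    """Return an alert label for one Sysmon Event ID 13 (SetValue) event, or None."""
    if event.get("EventType") != "SetValue":
        return None
    if event.get("Image", "").lower() in ALLOWED_IMAGES:
        return None
    key, _, name = normalize_key(event["TargetObject"]).rpartition("\\")
    data = dword(event.get("Details", ""))
    if key == RTP_POLICY_KEY and name in RTP_DISABLE_VALUES and data == 1:
        return "defender_realtime_protection_disabled"
    if key == FEATURES_KEY and name == "tamperprotection" and data == 0:
        return "defender_tamper_protection_off"
    return None


def scan(events):
    """Run classify() over events; return (image, value name, label) for each hit."""
    hits = []
    for e in events:
        label = classify(e)
        if label:
            hits.append((e["Image"], e["TargetObject"].rpartition("\\")[2], label))
    return hits


# Constructed sample events mirroring the report's rows, plus two that must not fire.
PRO = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3932.exe"
RTP = r"HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
SAMPLE_EVENTS = [
    {"EventType": "SetValue", "Image": PRO, "TargetObject": RTP + r"\DisableRealtimeMonitoring", "Details": "DWORD (0x00000001)"},
    {"EventType": "SetValue", "Image": PRO, "TargetObject": RTP + r"\DisableBehaviorMonitoring", "Details": "DWORD (0x00000001)"},
    {"EventType": "SetValue", "Image": PRO, "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection", "Details": "DWORD (0x00000000)"},
    # Protection re-enabled (value set to 0): not an impairment, must not fire.
    {"EventType": "SetValue", "Image": PRO, "TargetObject": RTP + r"\DisableIOAVProtection", "Details": "DWORD (0x00000000)"},
    # Group Policy processing writing the native policy key: allowlisted image.
    {"EventType": "SetValue", "Image": r"C:\Windows\System32\svchost.exe", "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring", "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for image, name, label in scan(SAMPLE_EVENTS):
        print(f"{label:40} {name:28} {image}")
```

Whether Defender honours the writes (Tamper Protection state, 32-bit versus native view) does not change the detection value: the write itself, by an unsigned binary out of %TEMP%, is the indicator.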

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\06439e37a05c2865479c9f14e8fbd01beaf97d1700be9e48574b7f0968879f16.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un171706.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\06439e37a05c2865479c9f14e8fbd01beaf97d1700be9e48574b7f0968879f16.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un171706.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3932.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5802.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3932.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3932.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3932.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5802.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2400 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\06439e37a05c2865479c9f14e8fbd01beaf97d1700be9e48574b7f0968879f16.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un171706.exe
PID 2400 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\06439e37a05c2865479c9f14e8fbd01beaf97d1700be9e48574b7f0968879f16.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un171706.exe
PID 2400 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\06439e37a05c2865479c9f14e8fbd01beaf97d1700be9e48574b7f0968879f16.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un171706.exe
PID 2332 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un171706.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3932.exe
PID 2332 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un171706.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3932.exe
PID 2332 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un171706.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3932.exe
PID 2332 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un171706.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5802.exe
PID 2332 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un171706.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5802.exe
PID 2332 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un171706.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5802.exe
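
The RunOnce entries in the persistence table above are the self-cleanup hooks an IExpress self-extracting package (wextract) registers to delete its IXPnnn.TMP extraction directory at the next logon, not an autostart for the malware; the nested IXP000.TMP and IXP001.TMP directories and the wextract_cleanup0/wextract_cleanup1 names show two IExpress layers, the submitted sample and then un171706.exe. The WriteProcessMemory rows give the resulting chain, three rows per parent/child pair, and the WerFault lines in the Processes section (-p 4024) show that the Healer stage pro3932.exe crashed. The script below is an added example, not part of the report: it parses the rows exactly as printed (assuming paths without spaces, true here), collapses the repeated rows, labels each stage by its IXP directory, and classifies Run/RunOnce values so the cleanup entries are not mistaken for persistence. The "Updater" autostart value is a constructed counterexample with a hypothetical path.

```python
"""Added example (not from the report): rebuild the dropper chain from the
"Suspicious use of WriteProcessMemory" rows and separate IExpress (wextract)
packaging artifacts from malware-authored persistence."""
import re
from collections import defaultdict

# Rows copied verbatim from the report. Paths contain no spaces, which ROW_RE assumes.
WPM_ROWS = r"""
PID 2400 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\06439e37a05c2865479c9f14e8fbd01beaf97d1700be9e48574b7f0968879f16.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un171706.exe
PID 2400 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\06439e37a05c2865479c9f14e8fbd01beaf97d1700be9e48574b7f0968879f16.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un171706.exe
PID 2400 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\06439e37a05c2865479c9f14e8fbd01beaf97d1700be9e48574b7f0968879f16.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un171706.exe
PID 2332 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un171706.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3932.exe
PID 2332 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un171706.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3932.exe
PID 2332 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un171706.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3932.exe
PID 2332 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un171706.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5802.exe
PID 2332 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un171706.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5802.exe
PID 2332 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un171706.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5802.exe
"""
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
# IExpress extracts each package into %TEMP%\IXPnnn.TMP; nnn increments per nested layer.
IXP_RE = re.compile(r"\\IXP(\d{3})\.TMP\\", re.I)
# Command line wextract registers under RunOnce to delete its own IXPnnn.TMP.
CLEANUP_RE = re.compile(r'^rundll32\.exe \S*advpack\.dll,DelNodeRunDLL32 "?.*\\IXP\d{3}\.TMP\\?"?$', re.I)


def parse_rows(text):
    """{(parent_pid, child_pid): (parent_path, child_path)}; repeated rows collapse."""
    edges = {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            edges[(int(m[1]), int(m[2]))] = (m[3], m[4])
    return edges


def build_tree(edges):
    """Return (pid -> path, parent pid -> [child pids], root pids)."""
    names, children = {}, defaultdict(list)
    for (ppid, cpid), (ppath, cpath) in edges.items():
        names[ppid], names[cpid] = ppath, cpath
        children[ppid].append(cpid)
    child_pids = {c for _, c in edges}
    roots = [pid for pid in names if pid not in child_pids]
    return names, children, roots


def stage_label(path):
    """Which IExpress layer dropped this binary, judged by its IXPnnn.TMP directory."""
    m = IXP_RE.search(path)
    return f"extracted by IExpress package #{int(m[1])}" if m else "submitted sample"


def render(names, children, pids, depth=0):
    """Indented one-line-per-process view of the chain."""
    lines = []
    for pid in pids:
        base = names[pid].rsplit("\\", 1)[-1]
        lines.append("  " * depth + f"{base} (PID {pid}) [{stage_label(names[pid])}]")
        lines.extend(render(names, children, children.get(pid, []), depth + 1))
    return lines


def classify_autostart(key_path, value_name, data):
    """'iexpress_cleanup' for wextract_cleanupN RunOnce entries (the SFX deleting
    its own extraction directory at next logon), 'autostart' for any other value
    under a Run/RunOnce key, 'other' otherwise."""
    data = data.replace("\\\\", "\\")  # the report prints backslashes doubled
    if re.fullmatch(r"wextract_cleanup\d+", value_name, re.I) and CLEANUP_RE.match(data):
        return "iexpress_cleanup"
    if re.search(r"\\CurrentVersion\\Run(Once)?$", key_path, re.I):
        return "autostart"
    return "other"


# Values copied from the report's "Adds Run key to start application" table.
RUNONCE_KEY = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
CLEANUP0_DATA = r'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\"'
# Constructed counterexample of a real autostart value (hypothetical key and path).
FAKE_RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
FAKE_RUN_DATA = r"C:\Users\Admin\AppData\Roaming\svc.exe"

if __name__ == "__main__":
    names, children, roots = build_tree(parse_rows(WPM_ROWS))
    print("\n".join(render(names, children, roots)))
    print("wextract_cleanup0:", classify_autostart(RUNONCE_KEY, "wextract_cleanup0", CLEANUP0_DATA))
    print("Updater:", classify_autostart(FAKE_RUN_KEY, "Updater", FAKE_RUN_DATA))
```

The rendered chain is the sample (PID 2400) dropping un171706.exe (PID 2332, package #0), which drops pro3932.exe (PID 4024) and qu5802.exe (PID 4988) from package #1; the two cleanup values classify as IExpress housekeeping, the constructed Run value as a genuine autostart.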

Processes

C:\Users\Admin\AppData\Local\Temp\06439e37a05c2865479c9f14e8fbd01beaf97d1700be9e48574b7f0968879f16.exe

"C:\Users\Admin\AppData\Local\Temp\06439e37a05c2865479c9f14e8fbd01beaf97d1700be9e48574b7f0968879f16.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un171706.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un171706.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3932.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3932.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4024 -ip 4024

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5802.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5802.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
RU 176.113.115.145:4125 N/A tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
RU 176.113.115.145:4125 N/A tcp
RU 176.113.115.145:4125 N/A tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
RU 176.113.115.145:4125 N/A tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
RU 176.113.115.145:4125 N/A tcp
RU 176.113.115.145:4125 N/A tcp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp
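
The table above mixes twelve reverse (PTR) lookups sent to 8.8.8.8 with six TCP flows to 176.113.115.145:4125, the only non-DNS destination in the detonation; none of the addresses asked about in the PTR queries is connected to directly. The script below is an added example, not part of the report: it parses the rows as printed (accepting both a blank and an N/A Domain column), decodes the in-addr.arpa names back into the addresses they query by reversing the octets, and collapses repeated flows into a counted indicator list. The embedded table is a copy of the report's rows.

```python
"""Added example (not from the report): reduce the Network table to a
deduplicated indicator list, decoding in-addr.arpa PTR names back into the
addresses they ask about."""
import ipaddress
from collections import Counter

# Rows copied from the report; tcp rows have no Domain column (shown as N/A).
NETWORK_TABLE = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
RU 176.113.115.145:4125 N/A tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
RU 176.113.115.145:4125 N/A tcp
RU 176.113.115.145:4125 N/A tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
RU 176.113.115.145:4125 N/A tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
RU 176.113.115.145:4125 N/A tcp
RU 176.113.115.145:4125 N/A tcp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp
"""


def ptr_to_ip(name):
    """'58.55.71.13.in-addr.arpa' -> '13.71.55.58'. PTR names list the octets in
    reverse order; returns None for anything that is not an IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ValueError:
        return None


def parse_table(text):
    """Parse rows as printed; a missing or N/A Domain column becomes None."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": host, "port": int(port),
                     "domain": None if domain in (None, "N/A") else domain,
                     "proto": proto.lower()})
    return rows


def summarize(rows):
    """Return (Counter of queried names, decoded to IPs where PTR; Counter of direct flows)."""
    lookups, direct = Counter(), Counter()
    for r in rows:
        if r["port"] == 53 and r["proto"] == "udp" and r["domain"]:
            lookups[ptr_to_ip(r["domain"]) or r["domain"]] += 1
        else:
            direct[(r["ip"], r["port"], r["proto"], r["country"])] += 1
    return lookups, direct


def unconnected_ptr_targets(lookups, direct):
    """Addresses that were only the subject of a PTR query and never connected to."""
    connected = {ip for ip, _, _, _ in direct}
    return sorted(ip for ip in lookups if ip not in connected)


if __name__ == "__main__":
    lookups, direct = summarize(parse_table(NETWORK_TABLE))
    for (ip, port, proto, cc), n in direct.items():
        print(f"direct   {ip}:{port}/{proto} ({cc}) x{n}")
    for ip in unconnected_ptr_targets(lookups, direct):
        print(f"ptr-only {ip}")
```

Run stand-alone it prints one direct line, 176.113.115.145:4125/tcp (RU) x6, followed by the twelve decoded PTR targets, which is the shape an indicator list for this sample should take.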

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un171706.exe

MD5 08f8fad8508193e387cabc9139599d1d
SHA1 44d99fd5f84a9470f36db3b80c852b9ee088f893
SHA256 e78ebf3b49810a8020f5f7f6c16cca7619fd2834136159a6c76480411ecb6bbb
SHA512 5e42cbd4f6c107fc0027e5720eec1dc276cd540fc9eb0b95200b4d100ce433be69b9017cb772b84d30a4cb7fc0d9e21e5097225170e6beb2b246a489fc20cd75

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3932.exe

MD5 d47cae380e21366723dd1061722b227d
SHA1 d6a4e11148d823ba4423d5c9c692c99591dfde2b
SHA256 f3e6c353f4a5af7c266c9873a7bb89a22173c94e06c9e3f1afbec6320715cfd6
SHA512 17f4c71513743c3836171d84492b6f66bb1794e521173b82bd7140ca9494400e45ad0a604f5b91782e23c5ede02966aff943b2f6682cf7bba7954cec01b496cd

memory/4024-15-0x0000000001C90000-0x0000000001D90000-memory.dmp

memory/4024-17-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4024-16-0x0000000001C50000-0x0000000001C7D000-memory.dmp

memory/4024-18-0x00000000038B0000-0x00000000038CA000-memory.dmp

memory/4024-19-0x0000000000400000-0x0000000001ADC000-memory.dmp

memory/4024-20-0x0000000006310000-0x00000000068B4000-memory.dmp

memory/4024-21-0x0000000003960000-0x0000000003978000-memory.dmp

memory/4024-49-0x0000000003960000-0x0000000003972000-memory.dmp

memory/4024-47-0x0000000003960000-0x0000000003972000-memory.dmp

memory/4024-45-0x0000000003960000-0x0000000003972000-memory.dmp

memory/4024-43-0x0000000003960000-0x0000000003972000-memory.dmp

memory/4024-41-0x0000000003960000-0x0000000003972000-memory.dmp

memory/4024-39-0x0000000003960000-0x0000000003972000-memory.dmp

memory/4024-37-0x0000000003960000-0x0000000003972000-memory.dmp

memory/4024-35-0x0000000003960000-0x0000000003972000-memory.dmp

memory/4024-33-0x0000000003960000-0x0000000003972000-memory.dmp

memory/4024-31-0x0000000003960000-0x0000000003972000-memory.dmp

memory/4024-29-0x0000000003960000-0x0000000003972000-memory.dmp

memory/4024-27-0x0000000003960000-0x0000000003972000-memory.dmp

memory/4024-25-0x0000000003960000-0x0000000003972000-memory.dmp

memory/4024-23-0x0000000003960000-0x0000000003972000-memory.dmp

memory/4024-22-0x0000000003960000-0x0000000003972000-memory.dmp

memory/4024-50-0x0000000001C90000-0x0000000001D90000-memory.dmp

memory/4024-51-0x0000000001C50000-0x0000000001C7D000-memory.dmp

memory/4024-52-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4024-56-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4024-55-0x0000000000400000-0x0000000001ADC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5802.exe

MD5 9cbfe70cab5606e4a2ec17426234c8ba
SHA1 b81c8d3a09c5bbc8064c94be0aeb48e9f6360b87
SHA256 75603c775465340a67c91943fde602e6e9983cbd3f66533e13181cfde7c0804d
SHA512 79f069b0c3bbc6ff9c66459e05148b3a707b1b32fc00942d8e762c4359bae633f43b02258b54c20e9ee9a5bb4f812782421684dbe9b38f907b9ad3cc6bde1b9a

memory/4988-61-0x00000000022D0000-0x0000000002316000-memory.dmp

memory/4988-62-0x0000000004AC0000-0x0000000004B04000-memory.dmp

memory/4988-66-0x0000000004AC0000-0x0000000004AFF000-memory.dmp

memory/4988-76-0x0000000004AC0000-0x0000000004AFF000-memory.dmp

memory/4988-96-0x0000000004AC0000-0x0000000004AFF000-memory.dmp

memory/4988-94-0x0000000004AC0000-0x0000000004AFF000-memory.dmp

memory/4988-92-0x0000000004AC0000-0x0000000004AFF000-memory.dmp

memory/4988-90-0x0000000004AC0000-0x0000000004AFF000-memory.dmp

memory/4988-88-0x0000000004AC0000-0x0000000004AFF000-memory.dmp

memory/4988-86-0x0000000004AC0000-0x0000000004AFF000-memory.dmp

memory/4988-82-0x0000000004AC0000-0x0000000004AFF000-memory.dmp

memory/4988-80-0x0000000004AC0000-0x0000000004AFF000-memory.dmp

memory/4988-78-0x0000000004AC0000-0x0000000004AFF000-memory.dmp

memory/4988-74-0x0000000004AC0000-0x0000000004AFF000-memory.dmp

memory/4988-72-0x0000000004AC0000-0x0000000004AFF000-memory.dmp

memory/4988-969-0x0000000005190000-0x00000000057A8000-memory.dmp

memory/4988-70-0x0000000004AC0000-0x0000000004AFF000-memory.dmp

memory/4988-68-0x0000000004AC0000-0x0000000004AFF000-memory.dmp

memory/4988-84-0x0000000004AC0000-0x0000000004AFF000-memory.dmp

memory/4988-64-0x0000000004AC0000-0x0000000004AFF000-memory.dmp

memory/4988-63-0x0000000004AC0000-0x0000000004AFF000-memory.dmp

memory/4988-970-0x00000000057B0000-0x00000000058BA000-memory.dmp

memory/4988-971-0x00000000058D0000-0x00000000058E2000-memory.dmp

memory/4988-972-0x00000000058F0000-0x000000000592C000-memory.dmp

memory/4988-973-0x0000000005A80000-0x0000000005ACC000-memory.dmp