Malware Analysis Report

2025-08-10 13:16

Sample ID 241109-ekcwdaxcmm
Target 38fc37d74d59a9a1872a16354fedcb639a6fcc10eed4283d2f153fba9c97e603
SHA256 38fc37d74d59a9a1872a16354fedcb639a6fcc10eed4283d2f153fba9c97e603
Tags
healer redline sony discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

38fc37d74d59a9a1872a16354fedcb639a6fcc10eed4283d2f153fba9c97e603

Threat Level: Known bad

The file 38fc37d74d59a9a1872a16354fedcb639a6fcc10eed4283d2f153fba9c97e603 was found to be: Known bad.

Malicious Activity Summary

healer redline sony discovery dropper evasion infostealer persistence trojan

Redline family

Healer family

RedLine payload

Healer

RedLine

Detects Healer, an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

Windows security modification

Executes dropped EXE

Adds Run key to start application

Launches sc.exe

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 03:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 03:59

Reported

2024-11-09 04:02

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\38fc37d74d59a9a1872a16354fedcb639a6fcc10eed4283d2f153fba9c97e603.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5290.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5290.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5290.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5290.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5290.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5290.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5290.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5290.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\38fc37d74d59a9a1872a16354fedcb639a6fcc10eed4283d2f153fba9c97e603.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un343565.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\38fc37d74d59a9a1872a16354fedcb639a6fcc10eed4283d2f153fba9c97e603.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un343565.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5290.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5081.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5290.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5290.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5290.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5081.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2556 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\38fc37d74d59a9a1872a16354fedcb639a6fcc10eed4283d2f153fba9c97e603.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un343565.exe
PID 4508 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un343565.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5290.exe
PID 4508 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un343565.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5081.exe

Processes

C:\Users\Admin\AppData\Local\Temp\38fc37d74d59a9a1872a16354fedcb639a6fcc10eed4283d2f153fba9c97e603.exe

"C:\Users\Admin\AppData\Local\Temp\38fc37d74d59a9a1872a16354fedcb639a6fcc10eed4283d2f153fba9c97e603.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un343565.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un343565.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5290.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5290.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5081.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5081.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.233.20.33:4125 tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 69.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
RU 193.233.20.33:4125 tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
RU 193.233.20.33:4125 tcp
RU 193.233.20.33:4125 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
RU 193.233.20.33:4125 tcp
RU 193.233.20.33:4125 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un343565.exe

MD5 2cdee295bf09137fafdcf768a610c08e
SHA1 a030b3c4ed544f741af4f2ec93f064cb5af6fe28
SHA256 f1221a4d7a3a18518654012c1e60d410037a8e5e6c1c4599aa42d9f400d95986
SHA512 ae0ccb544d70211820dfa864746e152a1dc36c6fd62edfb0c5691845c0930fecb5b97b1428a9f6d4fdef317db1484bdaa8179635ce394bf033ff163b11cf2d58

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5290.exe

MD5 22c511bf258f5b73f13bc83d9b40d9b0
SHA1 33e63312d8660b6b819579e80af9e2751355e72b
SHA256 b663b01d9fb25d64eadde4ade02763f8c91765caae7322c5501ff3062ae310fc
SHA512 0cda3124fbff8aab567b81b489ab2f73e76d1472f5b1c4891452ce40212fb44491add3f5ed7f498478a5112945c13616838d9222f50c9f4430516713392f4c7b


C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5081.exe

MD5 a8dc0d5389d3566c7365bc0247fdfd95
SHA1 91c7b4e8480f97064b11852b4744970a4ad9c6cb
SHA256 7c0f71776439259917195da9152b39710db1be7d993fdb60f7807ab5e6e4136c
SHA512 3a1c4460ccbc457a128c0cea71db9eef25bdd0544c886612f11d188a2de57f968a2b3dbbb538440c78d0b058c52c874388e6858246a3193a1ef82c5d998774a0
