Malware Analysis Report

2025-08-06 00:59

Sample ID 241109-fqp9bsybld
Target 40debdc3203049a1b34d09bf6c992dc4d717aa823af985b63a4582148f46ff02
SHA256 40debdc3203049a1b34d09bf6c992dc4d717aa823af985b63a4582148f46ff02
Tags
healer redline rosn discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

40debdc3203049a1b34d09bf6c992dc4d717aa823af985b63a4582148f46ff02

Threat Level: Known bad

The file 40debdc3203049a1b34d09bf6c992dc4d717aa823af985b63a4582148f46ff02 was found to be: Known bad.

Malicious Activity Summary

Modifies Windows Defender Real-time Protection settings

Healer

RedLine payload

RedLine

Detects Healer, an antivirus disabler dropper

Redline family

Healer family

Windows security modification

Executes dropped EXE

Adds Run key to start application

Launches sc.exe

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 05:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 05:04

Reported

2024-11-09 05:07

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\40debdc3203049a1b34d09bf6c992dc4d717aa823af985b63a4582148f46ff02.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2661.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2661.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2661.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2661.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2661.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2661.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2661.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2661.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\40debdc3203049a1b34d09bf6c992dc4d717aa823af985b63a4582148f46ff02.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un322341.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un322341.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2661.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2714.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\40debdc3203049a1b34d09bf6c992dc4d717aa823af985b63a4582148f46ff02.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2661.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2661.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2714.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4192 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\40debdc3203049a1b34d09bf6c992dc4d717aa823af985b63a4582148f46ff02.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un322341.exe
PID 4472 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un322341.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2661.exe
PID 4472 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un322341.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2714.exe

Processes

C:\Users\Admin\AppData\Local\Temp\40debdc3203049a1b34d09bf6c992dc4d717aa823af985b63a4582148f46ff02.exe

"C:\Users\Admin\AppData\Local\Temp\40debdc3203049a1b34d09bf6c992dc4d717aa823af985b63a4582148f46ff02.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un322341.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un322341.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2661.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2661.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4080 -ip 4080

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2714.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2714.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un322341.exe

MD5 1f307a1a7b80f7908bb08dafe52b1819
SHA1 e9cb64384442edeebdc25b03bad645536c06d4f9
SHA256 ef5b47561b63d83e2b5d7f8e6497f0733887790cf6c04b40b5cfa0bac3496657
SHA512 38c1bb3bcaa16d13c5b7c1e14941d72dbea80d80e1892c6d1154dd3919d94a902b55e17336dddbfaa9ab25b98a39cc87f8030e4f185f5378054a99e67e9452b7

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2661.exe

MD5 0a33dbcec92209755479c3e12cad1be7
SHA1 16c893e0ebc0cf66f014a73f480e2e27ece99bac
SHA256 510fd307adcbeda3dea25da0b7fa8b2aa4538ad9d0197a4264cf4c5a275d1232
SHA512 5b1569291eee448f515601881b9427a996acbd65b519a9f0b72e0243caed82876035be2cbac44e6052fddaf01e6a6f8c0349897f3ed1d0733ec49b17f0206b4e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2714.exe

MD5 08f2dbcc96c74faa0bf8b38ea50cc6dd
SHA1 c39898b0af837a6f14e4214ea1e27a5a9a070333
SHA256 69bc869da8cf5863e8598e60799de9aef0b760661e5e4b07386fb73130ab6c95
SHA512 777985ba2edf51c29b07629898caec3e07508eae0e86a0785a2f77f53f9e8ea748693734e04dedd9c5c4b8bf3c31ee9037d295e16511501bc5642e7d5cb91cbe
