Malware Analysis Report

2025-08-05 10:16

Sample ID 241109-fvmzrsybrd
Target 3e641d9d0751a7f979a510bfe83acddd6506589342b65285f6b946765d923ec8
SHA256 3e641d9d0751a7f979a510bfe83acddd6506589342b65285f6b946765d923ec8
Tags
healer redline ronam discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3e641d9d0751a7f979a510bfe83acddd6506589342b65285f6b946765d923ec8

Threat Level: Known bad

The file 3e641d9d0751a7f979a510bfe83acddd6506589342b65285f6b946765d923ec8 was found to be: Known bad.

Malicious Activity Summary

healer redline ronam discovery dropper evasion infostealer persistence trojan

RedLine

Redline family

RedLine payload

Detects Healer an antivirus disabler dropper

Healer

Healer family

Modifies Windows Defender Real-time Protection settings

Windows security modification

Executes dropped EXE

Adds Run key to start application

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 05:11

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 05:11

Reported

2024-11-09 05:14

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3e641d9d0751a7f979a510bfe83acddd6506589342b65285f6b946765d923ec8.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVW07wr.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVW07wr.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVW07wr.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVW07wr.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVW07wr.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVW07wr.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Redline family

redline

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVW07wr.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVW07wr.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\skV69rw.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sRo69cx.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\3e641d9d0751a7f979a510bfe83acddd6506589342b65285f6b946765d923ec8.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\swN11hP.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3e641d9d0751a7f979a510bfe83acddd6506589342b65285f6b946765d923ec8.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\swN11hP.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\skV69rw.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sRo69cx.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVW07wr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\koo98Ar.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVW07wr.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVW07wr.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVW07wr.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\koo98Ar.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3360 wrote to memory of 2056 | N/A | C:\Users\Admin\AppData\Local\Temp\3e641d9d0751a7f979a510bfe83acddd6506589342b65285f6b946765d923ec8.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\swN11hP.exe
PID 3360 wrote to memory of 2056 | N/A | C:\Users\Admin\AppData\Local\Temp\3e641d9d0751a7f979a510bfe83acddd6506589342b65285f6b946765d923ec8.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\swN11hP.exe
PID 3360 wrote to memory of 2056 | N/A | C:\Users\Admin\AppData\Local\Temp\3e641d9d0751a7f979a510bfe83acddd6506589342b65285f6b946765d923ec8.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\swN11hP.exe
PID 2056 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\swN11hP.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\skV69rw.exe
PID 2056 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\swN11hP.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\skV69rw.exe
PID 2056 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\swN11hP.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\skV69rw.exe
PID 1160 wrote to memory of 3484 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\skV69rw.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sRo69cx.exe
PID 1160 wrote to memory of 3484 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\skV69rw.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sRo69cx.exe
PID 1160 wrote to memory of 3484 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\skV69rw.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sRo69cx.exe
PID 3484 wrote to memory of 4032 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sRo69cx.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVW07wr.exe
PID 3484 wrote to memory of 4032 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sRo69cx.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVW07wr.exe
PID 3484 wrote to memory of 4032 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sRo69cx.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVW07wr.exe
PID 3484 wrote to memory of 1140 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sRo69cx.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\koo98Ar.exe
PID 3484 wrote to memory of 1140 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sRo69cx.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\koo98Ar.exe
PID 3484 wrote to memory of 1140 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sRo69cx.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\koo98Ar.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3e641d9d0751a7f979a510bfe83acddd6506589342b65285f6b946765d923ec8.exe

"C:\Users\Admin\AppData\Local\Temp\3e641d9d0751a7f979a510bfe83acddd6506589342b65285f6b946765d923ec8.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\swN11hP.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\swN11hP.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\skV69rw.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\skV69rw.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sRo69cx.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sRo69cx.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVW07wr.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVW07wr.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4032 -ip 4032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 1076

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\koo98Ar.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\koo98Ar.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
RU | 193.233.20.17:4139 | N/A | tcp
US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp
RU | 193.233.20.17:4139 | N/A | tcp
RU | 193.233.20.17:4139 | N/A | tcp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
RU | 193.233.20.17:4139 | N/A | tcp
RU | 193.233.20.17:4139 | N/A | tcp
RU | 193.233.20.17:4139 | N/A | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\swN11hP.exe

MD5 f3e1709aab51a6a135bbdb29d83f77d9
SHA1 adb143171137a23b41968a07e43d38b4186848c2
SHA256 d33df68fc9eec68e31d69b1abdc0fb82ab8e2b0e2fee7cd985dd3acfda022bfb
SHA512 d7941ec4e350762e79baf141098285ba4039032630ec95db3634c5f2bd87a3ebc25337f647cc4a8a43affb7beb5f1f61dac8c17832e1ed93242cdf8d45c3e309

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\skV69rw.exe

MD5 c0018a166fb236e3a8fd15f31ae48bbc
SHA1 378ff7d739193420c1e50b17a7ccf8012b9773f0
SHA256 804d0a95dff89959609f92afddd708cebc42149597b96e611b60967d6a0ad4d7
SHA512 cc1cc89786baab3344422e267f5ed98caec1f337d495040de06763307a318d29ba3b6e7595e1cd903d01734de737cfd4ef11b982dd2ab9c8a3a171553bd21e95

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sRo69cx.exe

MD5 1004bc7075588f55644ec77b8b633fdb
SHA1 056c0cc4e18c9f156fb69b071dd60416247bd0b3
SHA256 923a2d0e5c4976768479d77a7f0c0ae53bdd52a36fb1916d4f063e4773b02f61
SHA512 12bf55bb03c6cf3dbf14646bfd3a14df18f93b1c03bdc5b802c557b07b7819b2822cb478a2a022b53cc3859e8d3c720f139fd7b37b97c78dff18a569082384db

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVW07wr.exe

MD5 2c5c8d29cafcf8e7dd907d96976fa83f
SHA1 0d7b42b55e766c71ecd427a3d1acf1a04b16be7c
SHA256 5cd65c80d1f7f92886584a08003e6f31ed0b37b20c7bad622ee0ae43ec928f3a
SHA512 67d0f1649e1c7494e865fbb2cf1806b2e05119671ffea6e1fb84e7dd82f0782f678d1f2bddeed6f2e64a9814cea860efc280e8a727a99bdc181a50b951c97d09

memory/4032-29-0x0000000002500000-0x000000000251A000-memory.dmp

memory/4032-30-0x0000000004C80000-0x0000000005224000-memory.dmp

memory/4032-31-0x00000000026C0000-0x00000000026D8000-memory.dmp

memory/4032-35-0x00000000026C0000-0x00000000026D2000-memory.dmp

memory/4032-59-0x00000000026C0000-0x00000000026D2000-memory.dmp

memory/4032-58-0x00000000026C0000-0x00000000026D2000-memory.dmp

memory/4032-55-0x00000000026C0000-0x00000000026D2000-memory.dmp

memory/4032-53-0x00000000026C0000-0x00000000026D2000-memory.dmp

memory/4032-51-0x00000000026C0000-0x00000000026D2000-memory.dmp

memory/4032-49-0x00000000026C0000-0x00000000026D2000-memory.dmp

memory/4032-47-0x00000000026C0000-0x00000000026D2000-memory.dmp

memory/4032-45-0x00000000026C0000-0x00000000026D2000-memory.dmp

memory/4032-43-0x00000000026C0000-0x00000000026D2000-memory.dmp

memory/4032-41-0x00000000026C0000-0x00000000026D2000-memory.dmp

memory/4032-39-0x00000000026C0000-0x00000000026D2000-memory.dmp

memory/4032-37-0x00000000026C0000-0x00000000026D2000-memory.dmp

memory/4032-32-0x00000000026C0000-0x00000000026D2000-memory.dmp

memory/4032-33-0x00000000026C0000-0x00000000026D2000-memory.dmp

memory/4032-60-0x0000000000400000-0x000000000057D000-memory.dmp

memory/4032-62-0x0000000000400000-0x000000000057D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\koo98Ar.exe

MD5 444008956d19b2d37e0e2c25888548b0
SHA1 0b64e74e3c648f0a9023fe2308a3ab7b13607ad3
SHA256 b4eedc40338b319b5527d55f9f50d8941fb4905a464a2babf2036492aaa4d94b
SHA512 1a00813b1f3d64613b8d57f0e70c09980b07c3c23f86bfbbf3f677a2eac15405e150a512e542703d044f2713f98de91550c5dd2717cbec80ecbc1e59878cce74

memory/1140-67-0x00000000025E0000-0x0000000002626000-memory.dmp

memory/1140-68-0x0000000002720000-0x0000000002764000-memory.dmp

memory/1140-80-0x0000000002720000-0x000000000275E000-memory.dmp

memory/1140-92-0x0000000002720000-0x000000000275E000-memory.dmp

memory/1140-102-0x0000000002720000-0x000000000275E000-memory.dmp

memory/1140-100-0x0000000002720000-0x000000000275E000-memory.dmp

memory/1140-98-0x0000000002720000-0x000000000275E000-memory.dmp

memory/1140-96-0x0000000002720000-0x000000000275E000-memory.dmp

memory/1140-94-0x0000000002720000-0x000000000275E000-memory.dmp

memory/1140-90-0x0000000002720000-0x000000000275E000-memory.dmp

memory/1140-88-0x0000000002720000-0x000000000275E000-memory.dmp

memory/1140-86-0x0000000002720000-0x000000000275E000-memory.dmp

memory/1140-84-0x0000000002720000-0x000000000275E000-memory.dmp

memory/1140-82-0x0000000002720000-0x000000000275E000-memory.dmp

memory/1140-81-0x0000000002720000-0x000000000275E000-memory.dmp

memory/1140-78-0x0000000002720000-0x000000000275E000-memory.dmp

memory/1140-76-0x0000000002720000-0x000000000275E000-memory.dmp

memory/1140-74-0x0000000002720000-0x000000000275E000-memory.dmp

memory/1140-72-0x0000000002720000-0x000000000275E000-memory.dmp

memory/1140-70-0x0000000002720000-0x000000000275E000-memory.dmp

memory/1140-69-0x0000000002720000-0x000000000275E000-memory.dmp

memory/1140-975-0x0000000005250000-0x0000000005868000-memory.dmp

memory/1140-976-0x0000000005870000-0x000000000597A000-memory.dmp

memory/1140-977-0x00000000059A0000-0x00000000059B2000-memory.dmp

memory/1140-978-0x0000000005AC0000-0x0000000005AFC000-memory.dmp

memory/1140-979-0x0000000005B10000-0x0000000005B5C000-memory.dmp