Malware Analysis Report

2025-08-05 10:15

Sample ID 241109-fwgt5sycjh
Target f2d1809a8f4247d1a4e07b9cd651fd7eb0f77217e8dc83e4db9ca98bd596dc55
SHA256 f2d1809a8f4247d1a4e07b9cd651fd7eb0f77217e8dc83e4db9ca98bd596dc55
Tags
healer redline rosn discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f2d1809a8f4247d1a4e07b9cd651fd7eb0f77217e8dc83e4db9ca98bd596dc55

Threat Level: Known bad

The file f2d1809a8f4247d1a4e07b9cd651fd7eb0f77217e8dc83e4db9ca98bd596dc55 was found to be: Known bad.

Malicious Activity Summary

healer redline rosn discovery dropper evasion infostealer persistence trojan

RedLine

Redline family

Modifies Windows Defender Real-time Protection settings

Healer family

RedLine payload

Detects Healer, an antivirus disabler dropper

Healer

Windows security modification

Executes dropped EXE

Adds Run key to start application

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 05:13

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 05:13

Reported

2024-11-09 05:15

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f2d1809a8f4247d1a4e07b9cd651fd7eb0f77217e8dc83e4db9ca98bd596dc55.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9766.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9766.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9766.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9766.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9766.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9766.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9766.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9766.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\f2d1809a8f4247d1a4e07b9cd651fd7eb0f77217e8dc83e4db9ca98bd596dc55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un024516.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f2d1809a8f4247d1a4e07b9cd651fd7eb0f77217e8dc83e4db9ca98bd596dc55.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un024516.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9766.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0452.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9766.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9766.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0452.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4016 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\f2d1809a8f4247d1a4e07b9cd651fd7eb0f77217e8dc83e4db9ca98bd596dc55.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un024516.exe
PID 4016 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\f2d1809a8f4247d1a4e07b9cd651fd7eb0f77217e8dc83e4db9ca98bd596dc55.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un024516.exe
PID 4016 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\f2d1809a8f4247d1a4e07b9cd651fd7eb0f77217e8dc83e4db9ca98bd596dc55.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un024516.exe
PID 4812 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un024516.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9766.exe
PID 4812 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un024516.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9766.exe
PID 4812 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un024516.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9766.exe
PID 4812 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un024516.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0452.exe
PID 4812 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un024516.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0452.exe
PID 4812 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un024516.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0452.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f2d1809a8f4247d1a4e07b9cd651fd7eb0f77217e8dc83e4db9ca98bd596dc55.exe

"C:\Users\Admin\AppData\Local\Temp\f2d1809a8f4247d1a4e07b9cd651fd7eb0f77217e8dc83e4db9ca98bd596dc55.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un024516.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un024516.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9766.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9766.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2584 -ip 2584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0452.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0452.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 90.16.208.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un024516.exe

MD5 67801184424a7c37f57f4afda2cc5e13
SHA1 3098e57023c42832be46aa059e64916761c4fa00
SHA256 d91cdc775386a54d20d3af57738f3cd4c354d8c8c393242a2858a73e8e6cbcb5
SHA512 c1323ba233343ac0214d69b5b7a57343323bc0da09b214c1eeb2aed4f28e73f792174ce2efa26312f104a71311e1b995a0c43c10a498f88950e734d7e5dc8a36

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9766.exe

MD5 4c25e0f8e85c6b045c6183e00ee28cdc
SHA1 6cf80d2345fe36922b0555dba61c59d5431a89eb
SHA256 47fcb1137c1882514b35c92d10b662b16ac3cd202a4eaffb3f3d3374a738d289
SHA512 6cebc816b7b947e308ef89a60337ca155a531c052371906c5e02306cdc2c4ae3acfbb5758c57fb7fe3ee4a837be6dad3b5ca9d342f6ebbff15ab5f7c044c2afe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0452.exe

MD5 268cc3806d493a29d512671336d60e5b
SHA1 f8d06fac87032fe62aecdfc608ac4464d49a223b
SHA256 ddc8c386ab7cad77e0fcde87bc087f06a151df0099f9e387219b34c6b1acaa1d
SHA512 f1d451b06f6de775424968af64a808c8910a2441da50977ec0cf83a1aac4231f3e658a56fdc61409cd48c90eb68845b644708c3a0d2eef3ac1479855f54b3116
