Malware Analysis Report

2025-06-15 23:32

Sample ID 241109-xwgykssrer
Target 417b79f779ad971f8046fa12cfa764fbba9058eebfa1392bee3145f09ab8127f
SHA256 417b79f779ad971f8046fa12cfa764fbba9058eebfa1392bee3145f09ab8127f
Tags
healer redline discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

417b79f779ad971f8046fa12cfa764fbba9058eebfa1392bee3145f09ab8127f

Threat Level: Known bad

The file 417b79f779ad971f8046fa12cfa764fbba9058eebfa1392bee3145f09ab8127f was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

Detects Healer, an antivirus disabler dropper

Healer

RedLine

RedLine payload

Redline family

Modifies Windows Defender Real-time Protection settings

Healer family

Executes dropped EXE

Windows security modification

Adds Run key to start application

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-11-09 19:12

Signatures

Unsigned PE

No indicator details recorded for this signature (1 match).

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 19:12

Reported

2024-11-09 19:14

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\417b79f779ad971f8046fa12cfa764fbba9058eebfa1392bee3145f09ab8127f.exe"

Signatures

Detects Healer, an antivirus disabler dropper

No indicator details recorded for this signature (17 matches).

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77017595.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77017595.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77017595.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77017595.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77017595.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77017595.exe N/A

RedLine

infostealer redline

RedLine payload

No indicator details recorded for this signature (20 matches).

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77017595.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77017595.exe N/A
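As an added example that is not part of this report or of any vendor tooling, the Python below turns the two tables above (the Real-Time Protection policy values and the TamperProtection switch) into detection logic: it normalises Sysmon Event ID 13 style registry-set records, strips the WOW6432Node redirection that appears because the dropper is a 32-bit process, and flags only writes whose data actually disables protection. The event records are constructed for the example; the key paths and value names are the ones the report attributes to 77017595.exe, and Sysmon's "DWORD (0x00000001)" rendering of DWORD data is assumed.

```python
"""Flag registry writes that weaken Microsoft Defender.

Added example (not part of the sandbox report). Events are modelled on Sysmon
Event ID 13 (RegistryEvent SetValue): Image, TargetObject, Details. The sample
events below are constructed for this example; the key paths and value names
are the ones the report attributes to 77017595.exe.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Group Policy path Defender honours for real-time protection, and the
# Features key that holds the Tamper Protection switch. Paths are compared
# after WOW6432Node redirection is stripped (the dropper is a 32-bit process,
# which is why the report shows the redirected view).
DEFENDER_RTP_POLICY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
DEFENDER_FEATURES = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features"

# value name -> data that disables the corresponding protection
RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring": 1,
    "DisableBehaviorMonitoring": 1,
    "DisableOnAccessProtection": 1,
    "DisableIOAVProtection": 1,
    "DisableScanOnRealtimeEnable": 1,
}


@dataclass(frozen=True)
class RegSetEvent:
    image: str          # process that performed the write
    target_object: str  # key\value path
    details: str        # Sysmon renders DWORDs as "DWORD (0x00000001)"


def normalise_key(path: str) -> str:
    """Map \\REGISTRY\\MACHINE and WOW6432Node forms onto one HKLM view."""
    p = path.replace("\\REGISTRY\\MACHINE\\", "HKLM\\")
    return p.replace("HKLM\\SOFTWARE\\WOW6432Node\\", "HKLM\\SOFTWARE\\")


def dword(details: str) -> Optional[int]:
    """Parse Sysmon's 'DWORD (0x00000001)' rendering; None for non-DWORD data."""
    prefix, suffix = "DWORD (", ")"
    if details.startswith(prefix) and details.endswith(suffix):
        return int(details[len(prefix):-len(suffix)], 16)
    return None


def classify(event: RegSetEvent) -> Optional[str]:
    """Return a finding label if the write weakens Defender, else None."""
    key, _, name = normalise_key(event.target_object).rpartition("\\")
    data = dword(event.details)
    if key.lower() == DEFENDER_RTP_POLICY.lower() and RTP_DISABLE_VALUES.get(name) == data:
        return f"defender_rtp_disabled:{name}"
    if key.lower() == DEFENDER_FEATURES.lower() and name == "TamperProtection" and data == 0:
        return "defender_tamper_protection_off"
    return None


def hunt(events: Iterable[RegSetEvent]) -> Dict[str, List[str]]:
    """Findings grouped by the writing process image."""
    findings: Dict[str, List[str]] = {}
    for event in events:
        label = classify(event)
        if label:
            findings.setdefault(event.image, []).append(label)
    return findings


HEALER = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77017595.exe"
_RTP = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"

# Constructed sample: the six writes from the report plus two benign ones.
SAMPLE_EVENTS = [
    RegSetEvent(HEALER, _RTP + r"\DisableIOAVProtection", "DWORD (0x00000001)"),
    RegSetEvent(HEALER, _RTP + r"\DisableOnAccessProtection", "DWORD (0x00000001)"),
    RegSetEvent(HEALER, _RTP + r"\DisableRealtimeMonitoring", "DWORD (0x00000001)"),
    RegSetEvent(HEALER, _RTP + r"\DisableScanOnRealtimeEnable", "DWORD (0x00000001)"),
    RegSetEvent(HEALER, _RTP + r"\DisableBehaviorMonitoring", "DWORD (0x00000001)"),
    RegSetEvent(HEALER, r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection",
                "DWORD (0x00000000)"),
    # An administrator re-enabling real-time monitoring: same key, opposite data.
    RegSetEvent(r"C:\Windows\System32\svchost.exe",
                r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
                "DWORD (0x00000000)"),
    # Unrelated write under a different key.
    RegSetEvent(r"C:\Windows\explorer.exe", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
                "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\""),
]

if __name__ == "__main__":
    for image, labels in hunt(SAMPLE_EVENTS).items():
        print(image)
        for label in labels:
            print("   ", label)
```

Running the module prints the findings grouped by image; only 77017595.exe is reported, with all six labels, and the two benign writes are ignored. One caveat for triage on a live host: when Tamper Protection is enabled, Defender ignores or reverts these policy writes, so the registry event is the durable signal while the resulting protection state may look untouched.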

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\417b79f779ad971f8046fa12cfa764fbba9058eebfa1392bee3145f09ab8127f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un207151.exe N/A

Both entries are the standard cleanup keys written by the Windows self-extractor stub (wextract, the IExpress runtime, which also accounts for the IXP000.TMP and IXP001.TMP extraction directories): at next logon, rundll32 calls advpack.dll DelNodeRunDLL32 to delete the extraction directory. They do not relaunch any payload, so this hit documents the dropper's packaging rather than persistence of the stealer.

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77017595.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk024429.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\417b79f779ad971f8046fa12cfa764fbba9058eebfa1392bee3145f09ab8127f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un207151.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77017595.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77017595.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77017595.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk024429.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5084 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\417b79f779ad971f8046fa12cfa764fbba9058eebfa1392bee3145f09ab8127f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un207151.exe
PID 5084 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\417b79f779ad971f8046fa12cfa764fbba9058eebfa1392bee3145f09ab8127f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un207151.exe
PID 5084 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\417b79f779ad971f8046fa12cfa764fbba9058eebfa1392bee3145f09ab8127f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un207151.exe
PID 3320 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un207151.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77017595.exe
PID 3320 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un207151.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77017595.exe
PID 3320 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un207151.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77017595.exe
PID 3320 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un207151.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk024429.exe
PID 3320 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un207151.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk024429.exe
PID 3320 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un207151.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk024429.exe

Every target here is a child the writing process has just spawned (5084 to 3320, then 3320 to 4304 and 860). That is the write pattern of a nested self-extractor launching its stages, not injection into an existing, unrelated process; the rows are useful mainly for the PID-to-image mapping they provide.

Processes

Process tree, with PIDs taken from the WriteProcessMemory and WerFault entries above:

PID 5084  C:\Users\Admin\AppData\Local\Temp\417b79f779ad971f8046fa12cfa764fbba9058eebfa1392bee3145f09ab8127f.exe
          "C:\Users\Admin\AppData\Local\Temp\417b79f779ad971f8046fa12cfa764fbba9058eebfa1392bee3145f09ab8127f.exe"
          Outer self-extractor: extracts to IXP000.TMP and registers the wextract_cleanup0 RunOnce entry.

  PID 3320  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un207151.exe
            C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un207151.exe
            Inner self-extractor: extracts to IXP001.TMP, registers wextract_cleanup1 and launches both stages below.

    PID 4304  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77017595.exe
              C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77017595.exe
              Healer stage: wrote the Defender Real-Time Protection policy values and TamperProtection = 0, enabled SeDebugPrivilege, enumerated processes, then crashed.

    PID 860   C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk024429.exe
              C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk024429.exe
              Second stage: enabled SeDebugPrivilege and opened the NLS\Language key.

Crash handling for PID 4304 (the "Program crash" signature), launched by the Windows Error Reporting service rather than by the sample:

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4304 -ip 4304
C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 1084

Network

Country  Destination            Domain                        Proto
US       8.8.8.8:53             228.249.119.40.in-addr.arpa   udp
US       8.8.8.8:53             0.205.248.87.in-addr.arpa     udp
US       8.8.8.8:53             0.159.190.20.in-addr.arpa     udp
US       8.8.8.8:53             95.221.229.192.in-addr.arpa   udp
RU       185.161.248.143:38452  -                             tcp
US       8.8.8.8:53             53.210.109.20.in-addr.arpa    udp
US       8.8.8.8:53             198.187.3.20.in-addr.arpa     udp
RU       185.161.248.143:38452  -                             tcp
US       8.8.8.8:53             133.211.185.52.in-addr.arpa   udp
US       8.8.8.8:53             107.209.201.84.in-addr.arpa   udp
RU       185.161.248.143:38452  -                             tcp
RU       185.161.248.143:38452  -                             tcp
US       8.8.8.8:53             29.243.111.52.in-addr.arpa    udp
RU       185.161.248.143:38452  -                             tcp
RU       185.161.248.143:38452  -                             tcp
RU       185.161.248.143:38452  -                             tcp
US       8.8.8.8:53             -                             udp

The only outbound connection attributable to the sample is the repeated TCP session to 185.161.248.143:38452 (7 rows), a raw-TCP, non-standard-port pattern consistent with RedLine's C2. The in-addr.arpa rows are reverse (PTR) lookups sent to the resolver for other addresses; none of those addresses appears as a connection target in this table, so they should be treated as guest background activity rather than as indicators of this sample.
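The table above mixes a real indicator with resolver noise, and a practitioner extracting IOCs needs to separate the two. As an added example that is not part of the report, the Python below reproduces the table rows as data, reverses the in-addr.arpa names back to addresses, keeps only direct connections as C2 candidates (with hit counts), and emits a minimal Suricata rule for each. The row list is copied from the table; the rule's sid is a placeholder for a local rule range.

```python
"""Split the report's Network table into C2 indicators and DNS noise.

Added example, not part of the report. NETWORK_ROWS reproduces the rows of the
table above as (country, destination, queried name, protocol); everything else
here is the example's own logic.
"""
import ipaddress
from collections import Counter
from typing import List, Optional, Tuple

NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "228.249.119.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "0.205.248.87.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "0.159.190.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("RU", "185.161.248.143:38452", "", "tcp"),
    ("US", "8.8.8.8:53", "53.210.109.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "198.187.3.20.in-addr.arpa", "udp"),
    ("RU", "185.161.248.143:38452", "", "tcp"),
    ("US", "8.8.8.8:53", "133.211.185.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "107.209.201.84.in-addr.arpa", "udp"),
    ("RU", "185.161.248.143:38452", "", "tcp"),
    ("RU", "185.161.248.143:38452", "", "tcp"),
    ("US", "8.8.8.8:53", "29.243.111.52.in-addr.arpa", "udp"),
    ("RU", "185.161.248.143:38452", "", "tcp"),
    ("RU", "185.161.248.143:38452", "", "tcp"),
    ("RU", "185.161.248.143:38452", "", "tcp"),
    ("US", "8.8.8.8:53", "", "udp"),
]

PTR_SUFFIX = ".in-addr.arpa"


def ptr_to_ip(name: str) -> Optional[str]:
    """Reverse a PTR owner name: '228.249.119.40.in-addr.arpa' -> '40.119.249.228'."""
    if not name.endswith(PTR_SUFFIX):
        return None
    octets = name[: -len(PTR_SUFFIX)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def extract_iocs(rows, resolver: str = "8.8.8.8") -> Tuple[Counter, List[str]]:
    """Return (direct connections with hit counts, IPs that were only reverse-resolved)."""
    direct: Counter = Counter()
    reverse_only: List[str] = []
    for country, dest, name, proto in rows:
        host, _, port = dest.rpartition(":")
        if host == resolver and proto == "udp":
            ip = ptr_to_ip(name)
            if ip:
                reverse_only.append(ip)
            continue
        direct[(host, int(port), proto, country)] += 1
    # A PTR target the sample also connected to is not noise; drop those.
    connected = {host for host, _, _, _ in direct}
    reverse_only = [ip for ip in reverse_only if ip not in connected]
    return direct, reverse_only


def suricata_rule(host: str, port: int, sid: int) -> str:
    """Emit a minimal Suricata rule for the C2 endpoint (sid is a local placeholder)."""
    return (f"alert tcp $HOME_NET any -> {host} {port} "
            f'(msg:"Healer/RedLine sample C2 {host}:{port}"; '
            f"flow:to_server; sid:{sid}; rev:1;)")


if __name__ == "__main__":
    direct, noise = extract_iocs(NETWORK_ROWS)
    for (host, port, proto, country), hits in direct.items():
        print(f"C2 candidate {host}:{port}/{proto} ({country}) seen {hits} times")
        print(suricata_rule(host, port, sid=9000001))
    print(f"{len(noise)} reverse lookups with no matching connection (not attributable to the sample)")
```

Run directly, it reports a single candidate, 185.161.248.143:38452/tcp seen 7 times, and nine reverse lookups with no matching connection. The same function works on any sandbox export in this column layout; the only assumption is that DNS rows are the ones addressed to the resolver over UDP.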

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un207151.exe

MD5 250a87f319f17b2131259f5d09b4e634
SHA1 2d0a958c580e7ab690c4514c1924b8fc8d1b2afd
SHA256 59c26d5d1f7d6630549eb2ce771fdda2da1e7905a686742f5ea2fcad28f0ca1a
SHA512 aa0825ed72d5dab3e33cd2a0e16147c7daa87cc623577ad18f15938c649c9e22bfde36427829597de9b35f00ace7af022ccece8ef154d8ccec3781a1d967e13c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77017595.exe

MD5 2456620741866590a7e6eda7da890903
SHA1 36bdeb0817699bc77b2a4bc2079bace8a6e8258f
SHA256 3271d6ef8386011ca04fec7cd84c01efc91fa95e6b54551eb5e8bf8c12747d31
SHA512 c7f7c4699187fb318c899afc17831ee062d51d5900a4e06653d22fce1bdd4687e98bc30d9a684d0096a744ae0257a1eadac4242dc74c1ef6c30dbb25bf7ff71a

memory/4304-15-0x0000000002D30000-0x0000000002E30000-memory.dmp

memory/4304-16-0x0000000002E60000-0x0000000002E8D000-memory.dmp

memory/4304-17-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4304-18-0x0000000004AB0000-0x0000000004ACA000-memory.dmp

memory/4304-19-0x00000000072B0000-0x0000000007854000-memory.dmp

memory/4304-20-0x0000000007140000-0x0000000007158000-memory.dmp

memory/4304-21-0x0000000007140000-0x0000000007153000-memory.dmp

memory/4304-28-0x0000000007140000-0x0000000007153000-memory.dmp

memory/4304-48-0x0000000007140000-0x0000000007153000-memory.dmp

memory/4304-46-0x0000000007140000-0x0000000007153000-memory.dmp

memory/4304-44-0x0000000007140000-0x0000000007153000-memory.dmp

memory/4304-42-0x0000000007140000-0x0000000007153000-memory.dmp

memory/4304-40-0x0000000007140000-0x0000000007153000-memory.dmp

memory/4304-38-0x0000000007140000-0x0000000007153000-memory.dmp

memory/4304-36-0x0000000007140000-0x0000000007153000-memory.dmp

memory/4304-35-0x0000000007140000-0x0000000007153000-memory.dmp

memory/4304-33-0x0000000007140000-0x0000000007153000-memory.dmp

memory/4304-31-0x0000000007140000-0x0000000007153000-memory.dmp

memory/4304-26-0x0000000007140000-0x0000000007153000-memory.dmp

memory/4304-24-0x0000000007140000-0x0000000007153000-memory.dmp

memory/4304-22-0x0000000007140000-0x0000000007153000-memory.dmp

memory/4304-49-0x0000000002D30000-0x0000000002E30000-memory.dmp

memory/4304-50-0x0000000002E60000-0x0000000002E8D000-memory.dmp

memory/4304-52-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4304-51-0x0000000000400000-0x0000000002B9A000-memory.dmp

memory/4304-55-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk024429.exe

MD5 35d55ca228efd1b0a0a973c71717abc9
SHA1 1fa49ff50e1b83bdad6a54cee87ea1bc6fbf1546
SHA256 4ee14db05f35df1980245c4e0834eeefa0f1972d36f9a150d20ba464d4f084bc
SHA512 96fb42f7ce5cfba67858333c51d1dc1ed7615c55dcd08135140bad6430e39742a98352bae9ec9ca95997588aa6b8f8d7954e2d10b55f951e1242fe39d64b1346

memory/4304-54-0x0000000000400000-0x0000000002B9A000-memory.dmp

memory/860-60-0x0000000004CD0000-0x0000000004D0C000-memory.dmp

memory/860-61-0x00000000071A0000-0x00000000071DA000-memory.dmp

memory/860-85-0x00000000071A0000-0x00000000071D5000-memory.dmp

memory/860-71-0x00000000071A0000-0x00000000071D5000-memory.dmp

memory/860-67-0x00000000071A0000-0x00000000071D5000-memory.dmp

memory/860-65-0x00000000071A0000-0x00000000071D5000-memory.dmp

memory/860-63-0x00000000071A0000-0x00000000071D5000-memory.dmp

memory/860-62-0x00000000071A0000-0x00000000071D5000-memory.dmp

memory/860-95-0x00000000071A0000-0x00000000071D5000-memory.dmp

memory/860-93-0x00000000071A0000-0x00000000071D5000-memory.dmp

memory/860-91-0x00000000071A0000-0x00000000071D5000-memory.dmp

memory/860-89-0x00000000071A0000-0x00000000071D5000-memory.dmp

memory/860-87-0x00000000071A0000-0x00000000071D5000-memory.dmp

memory/860-83-0x00000000071A0000-0x00000000071D5000-memory.dmp

memory/860-81-0x00000000071A0000-0x00000000071D5000-memory.dmp

memory/860-79-0x00000000071A0000-0x00000000071D5000-memory.dmp

memory/860-77-0x00000000071A0000-0x00000000071D5000-memory.dmp

memory/860-75-0x00000000071A0000-0x00000000071D5000-memory.dmp

memory/860-73-0x00000000071A0000-0x00000000071D5000-memory.dmp

memory/860-69-0x00000000071A0000-0x00000000071D5000-memory.dmp

memory/860-854-0x0000000009CF0000-0x000000000A308000-memory.dmp

memory/860-855-0x000000000A330000-0x000000000A342000-memory.dmp

memory/860-856-0x000000000A350000-0x000000000A45A000-memory.dmp

memory/860-857-0x000000000A470000-0x000000000A4AC000-memory.dmp

memory/860-858-0x00000000049A0000-0x00000000049EC000-memory.dmp