Malware Analysis Report

2025-06-15 23:32

Sample ID: 241109-xxakwszgrq
Target: 443f88888e35e65e8a315d36c1950eb9bf456d1581c5cc31266344ad594062cb
SHA256: 443f88888e35e65e8a315d36c1950eb9bf456d1581c5cc31266344ad594062cb
Tags: healer redline rosn discovery dropper evasion infostealer persistence trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10
SHA256: 443f88888e35e65e8a315d36c1950eb9bf456d1581c5cc31266344ad594062cb
Threat Level: Known bad

The file 443f88888e35e65e8a315d36c1950eb9bf456d1581c5cc31266344ad594062cb was found to be: Known bad.

Malicious Activity Summary

Tags: healer redline rosn discovery dropper evasion infostealer persistence trojan

Detects Healer an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
RedLine payload
Healer
RedLine
Healer family
Redline family
Windows security modification
Executes dropped EXE
Adds Run key to start application
Program crash
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-09 19:13

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-09 19:13
Reported: 2024-11-09 19:16
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\443f88888e35e65e8a315d36c1950eb9bf456d1581c5cc31266344ad594062cb.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (17 matches, no further details recorded)

Healer (tags: dropper, healer)

Healer family (tags: healer)

Modifies Windows Defender Real-time Protection settings (tags: evasion, trojan)

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7307.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7307.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7307.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7307.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7307.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7307.exe | N/A

RedLine (tags: infostealer, redline)

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (20 matches, no further details recorded)

Redline family (tags: redline)

Windows security modification (tags: evasion, trojan)

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7307.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7307.exe | N/A

Adds Run key to start application (tags: persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\443f88888e35e65e8a315d36c1950eb9bf456d1581c5cc31266344ad594062cb.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un316952.exe | N/A

System Location Discovery: System Language Discovery (tags: discovery)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7307.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0666.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\443f88888e35e65e8a315d36c1950eb9bf456d1581c5cc31266344ad594062cb.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un316952.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7307.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7307.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7307.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0666.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4272 wrote to memory of 3852 (3 writes) | N/A | C:\Users\Admin\AppData\Local\Temp\443f88888e35e65e8a315d36c1950eb9bf456d1581c5cc31266344ad594062cb.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un316952.exe
PID 3852 wrote to memory of 1428 (3 writes) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un316952.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7307.exe
PID 3852 wrote to memory of 4044 (3 writes) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un316952.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0666.exe

Processes

Image | Command line
C:\Users\Admin\AppData\Local\Temp\443f88888e35e65e8a315d36c1950eb9bf456d1581c5cc31266344ad594062cb.exe | "C:\Users\Admin\AppData\Local\Temp\443f88888e35e65e8a315d36c1950eb9bf456d1581c5cc31266344ad594062cb.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un316952.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un316952.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7307.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7307.exe
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1428 -ip 1428
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 1088
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0666.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0666.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
RU | 176.113.115.145:4125 | | tcp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
RU | 176.113.115.145:4125 | | tcp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
RU | 176.113.115.145:4125 | | tcp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
RU | 176.113.115.145:4125 | | tcp
RU | 176.113.115.145:4125 | | tcp
RU | 176.113.115.145:4125 | | tcp
US | 8.8.8.8:53 | | udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un316952.exe

MD5: 7552bbde8b3b393c764d9f8a5613b2d3
SHA1: 8f7a1fc74ee6ec8d44814c5f552ac009f541e8b8
SHA256: a4e7f79f58b63693402e81cac8cf86e7d675b87be38b2a99f89c7d3b7155730e
SHA512: 759262448b499ece9f3819fa4d5096697ca2102d523776e8dc9e6c1c67f35a273a86111aba0c470f9d66c8d56300d2f7fd69166c7ed01acbeb1369558b9b3a18

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7307.exe

MD5: e0bfbd2dd58dc58e50dd5b84db144e68
SHA1: cb89406988b5d64853fb1d81ad87816065633515
SHA256: 9a5bdb013bca8525392c0b18a80064412aad9ae009ad1984c23e64f745a662ad
SHA512: f1edaede3b6a28b1845b76c1ee5ec0f2fd63b6731b1b252c381c31795ea358d0f24f4e9662a8d5032986efce9a248b08440c50b3e9257606a27ecc5e8d0409bc

memory/1428-15-0x0000000002EF0000-0x0000000002FF0000-memory.dmp
memory/1428-16-0x0000000002EA0000-0x0000000002ECD000-memory.dmp
memory/1428-17-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1428-18-0x00000000049C0000-0x00000000049DA000-memory.dmp
memory/1428-19-0x00000000072F0000-0x0000000007894000-memory.dmp
memory/1428-20-0x0000000004BD0000-0x0000000004BE8000-memory.dmp
memory/1428-24-0x0000000004BD0000-0x0000000004BE2000-memory.dmp
memory/1428-48-0x0000000004BD0000-0x0000000004BE2000-memory.dmp
memory/1428-46-0x0000000004BD0000-0x0000000004BE2000-memory.dmp
memory/1428-44-0x0000000004BD0000-0x0000000004BE2000-memory.dmp
memory/1428-42-0x0000000004BD0000-0x0000000004BE2000-memory.dmp
memory/1428-40-0x0000000004BD0000-0x0000000004BE2000-memory.dmp
memory/1428-38-0x0000000004BD0000-0x0000000004BE2000-memory.dmp
memory/1428-36-0x0000000004BD0000-0x0000000004BE2000-memory.dmp
memory/1428-34-0x0000000004BD0000-0x0000000004BE2000-memory.dmp
memory/1428-32-0x0000000004BD0000-0x0000000004BE2000-memory.dmp
memory/1428-30-0x0000000004BD0000-0x0000000004BE2000-memory.dmp
memory/1428-28-0x0000000004BD0000-0x0000000004BE2000-memory.dmp
memory/1428-26-0x0000000004BD0000-0x0000000004BE2000-memory.dmp
memory/1428-22-0x0000000004BD0000-0x0000000004BE2000-memory.dmp
memory/1428-21-0x0000000004BD0000-0x0000000004BE2000-memory.dmp
memory/1428-49-0x0000000002EF0000-0x0000000002FF0000-memory.dmp
memory/1428-50-0x0000000002EA0000-0x0000000002ECD000-memory.dmp
memory/1428-52-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1428-51-0x0000000000400000-0x0000000002B73000-memory.dmp
memory/1428-55-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0666.exe

MD5: d79592e215d83e404a236ccc61e987cd
SHA1: 5e67bf7d6b8f99ae1f6fa8215437fa9538802f0e
SHA256: a699c6c929b5e6156043d49ba19e77637b2961a13913b78e8409ca16d7930d1b
SHA512: dacd0c2fc6d6d7fe36fcfdd31eb47b40c8bf36da05c413d8aae5e6929d4085ed6b06779281b81ee2bcbbebd0c21716e68a8580d34cafc7aee15e3df7a6c08f4b

memory/1428-54-0x0000000000400000-0x0000000002B73000-memory.dmp
memory/4044-60-0x00000000070A0000-0x00000000070E6000-memory.dmp
memory/4044-61-0x0000000007720000-0x0000000007764000-memory.dmp
memory/4044-85-0x0000000007720000-0x000000000775F000-memory.dmp
memory/4044-95-0x0000000007720000-0x000000000775F000-memory.dmp
memory/4044-93-0x0000000007720000-0x000000000775F000-memory.dmp
memory/4044-91-0x0000000007720000-0x000000000775F000-memory.dmp
memory/4044-89-0x0000000007720000-0x000000000775F000-memory.dmp
memory/4044-87-0x0000000007720000-0x000000000775F000-memory.dmp
memory/4044-83-0x0000000007720000-0x000000000775F000-memory.dmp
memory/4044-81-0x0000000007720000-0x000000000775F000-memory.dmp
memory/4044-80-0x0000000007720000-0x000000000775F000-memory.dmp
memory/4044-77-0x0000000007720000-0x000000000775F000-memory.dmp
memory/4044-75-0x0000000007720000-0x000000000775F000-memory.dmp
memory/4044-73-0x0000000007720000-0x000000000775F000-memory.dmp
memory/4044-71-0x0000000007720000-0x000000000775F000-memory.dmp
memory/4044-69-0x0000000007720000-0x000000000775F000-memory.dmp
memory/4044-67-0x0000000007720000-0x000000000775F000-memory.dmp
memory/4044-65-0x0000000007720000-0x000000000775F000-memory.dmp
memory/4044-63-0x0000000007720000-0x000000000775F000-memory.dmp
memory/4044-62-0x0000000007720000-0x000000000775F000-memory.dmp
memory/4044-968-0x00000000077C0000-0x0000000007DD8000-memory.dmp
memory/4044-969-0x0000000007E60000-0x0000000007F6A000-memory.dmp
memory/4044-970-0x0000000007FA0000-0x0000000007FB2000-memory.dmp
memory/4044-971-0x0000000007FC0000-0x0000000007FFC000-memory.dmp
memory/4044-972-0x0000000008150000-0x000000000819C000-memory.dmp