Malware Analysis Report

2025-05-06 00:50

Sample ID  241109-zdh42a1kdy
Target     3f75993b08d25404158dd7bb6d0ecc54ef057923105e39800f5b60f1793c9946
SHA256     3f75993b08d25404158dd7bb6d0ecc54ef057923105e39800f5b60f1793c9946
Tags       healer redline discovery dropper evasion infostealer persistence trojan
Score      10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score         10/10
SHA256        3f75993b08d25404158dd7bb6d0ecc54ef057923105e39800f5b60f1793c9946
Threat Level  Known bad

The file 3f75993b08d25404158dd7bb6d0ecc54ef057923105e39800f5b60f1793c9946 was found to be: Known bad.

Malicious Activity Summary

Tags: healer redline discovery dropper evasion infostealer persistence trojan

  Healer family
  Redline family
  Healer
  RedLine payload
  Detects Healer, an antivirus disabler dropper
  RedLine
  Modifies Windows Defender Real-time Protection settings
  Executes dropped EXE
  Windows security modification
  Adds Run key to start application
  Launches sc.exe
  Unsigned PE
  Program crash
  System Location Discovery: System Language Discovery
  Suspicious use of WriteProcessMemory
  Suspicious use of AdjustPrivilegeToken
  Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported  2024-11-09 20:36

Signatures

Unsigned PE
  Description | Indicator | Process | Target
  N/A         | N/A       | N/A     | N/A

Analysis: behavioral1

Detonation Overview

Submitted         2024-11-09 20:36
Reported          2024-11-09 20:38
Platform          win10v2004-20241007-en
Max time kernel   149s
Max time network  150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3f75993b08d25404158dd7bb6d0ecc54ef057923105e39800f5b60f1793c9946.exe"

Signatures

Detects Healer, an antivirus disabler dropper
  17 hits; no description, indicator, process or target was recorded for any of them (all fields N/A).

Healer
  dropper healer

Healer family
  healer

Modifies Windows Defender Real-time Protection settings
  evasion trojan
  Description     | Indicator | Process | Target
  Key created     | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr794042.exe | N/A
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr794042.exe | N/A
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr794042.exe | N/A
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr794042.exe | N/A
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr794042.exe | N/A
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr794042.exe | N/A

RedLine
  infostealer redline

RedLine payload
  20 hits; no description, indicator, process or target was recorded for any of them (all fields N/A).

Redline family
  redline

Windows security modification
  evasion trojan
  Description     | Indicator | Process | Target
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr794042.exe | N/A
  Key created     | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr794042.exe | N/A

Adds Run key to start application
  persistence
  Description     | Indicator | Process | Target
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\3f75993b08d25404158dd7bb6d0ecc54ef057923105e39800f5b60f1793c9946.exe | N/A
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un412700.exe | N/A

Launches sc.exe
  Description | Indicator | Process | Target
  N/A         | N/A       | C:\Windows\system32\sc.exe | N/A

System Location Discovery: System Language Discovery
  discovery
  Description | Indicator | Process | Target
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3f75993b08d25404158dd7bb6d0ecc54ef057923105e39800f5b60f1793c9946.exe | N/A
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un412700.exe | N/A
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr794042.exe | N/A
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu470029.exe | N/A

Suspicious behavior: EnumeratesProcesses
  Description | Indicator | Process | Target
  N/A         | N/A       | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr794042.exe | N/A   (2 hits)

Suspicious use of AdjustPrivilegeToken
  Description             | Indicator | Process | Target
  Token: SeDebugPrivilege | N/A       | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr794042.exe | N/A
  Token: SeDebugPrivilege | N/A       | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu470029.exe | N/A

Suspicious use of WriteProcessMemory
  Description                                  | Indicator | Process | Target
  PID 4440 wrote to memory of 4736 (3 events)  | N/A       | C:\Users\Admin\AppData\Local\Temp\3f75993b08d25404158dd7bb6d0ecc54ef057923105e39800f5b60f1793c9946.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un412700.exe
  PID 4736 wrote to memory of 2032 (3 events)  | N/A       | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un412700.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr794042.exe
  PID 4736 wrote to memory of 1852 (3 events)  | N/A       | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un412700.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu470029.exe

Processes

Each entry gives the image path followed by the command line it was started with.

  C:\Users\Admin\AppData\Local\Temp\3f75993b08d25404158dd7bb6d0ecc54ef057923105e39800f5b60f1793c9946.exe
    "C:\Users\Admin\AppData\Local\Temp\3f75993b08d25404158dd7bb6d0ecc54ef057923105e39800f5b60f1793c9946.exe"

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un412700.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un412700.exe

  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr794042.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr794042.exe

  C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2032 -ip 2032

  C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 1088

  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu470029.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu470029.exe

  C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wuauserv

Network

  Country | Destination           | Domain                        | Proto
  US      | 8.8.8.8:53            | 28.118.140.52.in-addr.arpa    | udp
  US      | 8.8.8.8:53            | 83.210.23.2.in-addr.arpa      | udp
  US      | 8.8.8.8:53            | 71.31.126.40.in-addr.arpa     | udp
  US      | 8.8.8.8:53            | 95.221.229.192.in-addr.arpa   | udp
  RU      | 185.161.248.142:38452 |                               | tcp   (7 connections, interleaved with the DNS lookups below)
  US      | 8.8.8.8:53            | 200.163.202.172.in-addr.arpa  | udp
  US      | 8.8.8.8:53            | 206.23.85.13.in-addr.arpa     | udp
  US      | 8.8.8.8:53            | 82.190.18.2.in-addr.arpa      | udp
  US      | 8.8.8.8:53            | 228.249.119.40.in-addr.arpa   | udp
  US      | 8.8.8.8:53            | 22.236.111.52.in-addr.arpa    | udp
  US      | 8.8.8.8:53            | 26.173.189.20.in-addr.arpa    | udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un412700.exe
  MD5     1b059c8ad9e45de7da7b7f04ad94141a
  SHA1    2e197d0de7a4ebec5b1136bee50512301cdc7eae
  SHA256  c1788a463d878dd2549601a4fffabc3b9e45fcab7b860f6964e102c28254b2c4
  SHA512  4eeadcff9fcf9c48080a492d039f08ad4522bdfb624140d0a16a15a31edeb44087b58c86333e78f3596a8c36a6b974a697b684dac99804b75b04be395daa9928

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr794042.exe
  MD5     6c28a70f3e8c1b3d43261558403bd612
  SHA1    01d34e32114397fabb8d65b85c71d0e9afe6b8f9
  SHA256  f8ff1a28c724bfbbc0ab6332899ac8fcf8e6b054182f1cbceae8619512ef6b0c
  SHA512  d11f755602146454157d536aad8485cd59aa3c990fdbc5d7c0c8aac116db52cb241f30456a7c7e3b2f3aac72abfda8e652e6a4d2f6d6306f3c352837e70e765f

  Memory dumps (PID 2032):
    memory/2032-15-0x0000000002EC0000-0x0000000002FC0000-memory.dmp
    memory/2032-16-0x0000000000400000-0x0000000000430000-memory.dmp
    memory/2032-17-0x0000000004D00000-0x0000000004D1A000-memory.dmp
    memory/2032-18-0x0000000000400000-0x0000000002BAF000-memory.dmp
    memory/2032-19-0x00000000072C0000-0x0000000007864000-memory.dmp
    memory/2032-20-0x0000000007280000-0x0000000007298000-memory.dmp
    memory/2032-48-0x0000000007280000-0x0000000007292000-memory.dmp
    memory/2032-46-0x0000000007280000-0x0000000007292000-memory.dmp
    memory/2032-45-0x0000000007280000-0x0000000007292000-memory.dmp
    memory/2032-42-0x0000000007280000-0x0000000007292000-memory.dmp
    memory/2032-40-0x0000000007280000-0x0000000007292000-memory.dmp
    memory/2032-38-0x0000000007280000-0x0000000007292000-memory.dmp
    memory/2032-36-0x0000000007280000-0x0000000007292000-memory.dmp
    memory/2032-34-0x0000000007280000-0x0000000007292000-memory.dmp
    memory/2032-32-0x0000000007280000-0x0000000007292000-memory.dmp
    memory/2032-30-0x0000000007280000-0x0000000007292000-memory.dmp
    memory/2032-28-0x0000000007280000-0x0000000007292000-memory.dmp
    memory/2032-26-0x0000000007280000-0x0000000007292000-memory.dmp
    memory/2032-24-0x0000000007280000-0x0000000007292000-memory.dmp
    memory/2032-22-0x0000000007280000-0x0000000007292000-memory.dmp
    memory/2032-21-0x0000000007280000-0x0000000007292000-memory.dmp
    memory/2032-49-0x0000000002EC0000-0x0000000002FC0000-memory.dmp
    memory/2032-51-0x0000000000400000-0x0000000000430000-memory.dmp
    memory/2032-50-0x0000000000400000-0x0000000002BAF000-memory.dmp
    memory/2032-54-0x0000000000400000-0x0000000002BAF000-memory.dmp
    memory/2032-55-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu470029.exe
  MD5     7f0c7636ded06e623c4b5de71c6769f8
  SHA1    ba7ee0668f491498fc7519a91552bf0816a8db68
  SHA256  1b1d00710dbbdf15fb664f056720ac00267ca9506a92e6fb22ff66bea217219a
  SHA512  cdd6891500a7eacbed6afb1098689db570ac924fe9aeba544e19bd31861b9bf5f300c42d7c57a2e4373905dcfee57f5733a6f832157bb0f45c33957c6e571f5f

  Memory dumps (PID 1852):
    memory/1852-60-0x0000000007140000-0x000000000717C000-memory.dmp
    memory/1852-61-0x00000000077A0000-0x00000000077DA000-memory.dmp
    memory/1852-67-0x00000000077A0000-0x00000000077D5000-memory.dmp
    memory/1852-79-0x00000000077A0000-0x00000000077D5000-memory.dmp
    memory/1852-95-0x00000000077A0000-0x00000000077D5000-memory.dmp
    memory/1852-93-0x00000000077A0000-0x00000000077D5000-memory.dmp
    memory/1852-91-0x00000000077A0000-0x00000000077D5000-memory.dmp
    memory/1852-90-0x00000000077A0000-0x00000000077D5000-memory.dmp
    memory/1852-87-0x00000000077A0000-0x00000000077D5000-memory.dmp
    memory/1852-86-0x00000000077A0000-0x00000000077D5000-memory.dmp
    memory/1852-83-0x00000000077A0000-0x00000000077D5000-memory.dmp
    memory/1852-81-0x00000000077A0000-0x00000000077D5000-memory.dmp
    memory/1852-77-0x00000000077A0000-0x00000000077D5000-memory.dmp
    memory/1852-75-0x00000000077A0000-0x00000000077D5000-memory.dmp
    memory/1852-73-0x00000000077A0000-0x00000000077D5000-memory.dmp
    memory/1852-71-0x00000000077A0000-0x00000000077D5000-memory.dmp
    memory/1852-69-0x00000000077A0000-0x00000000077D5000-memory.dmp
    memory/1852-65-0x00000000077A0000-0x00000000077D5000-memory.dmp
    memory/1852-63-0x00000000077A0000-0x00000000077D5000-memory.dmp
    memory/1852-62-0x00000000077A0000-0x00000000077D5000-memory.dmp
    memory/1852-854-0x0000000009CA0000-0x000000000A2B8000-memory.dmp
    memory/1852-855-0x000000000A350000-0x000000000A362000-memory.dmp
    memory/1852-856-0x000000000A370000-0x000000000A47A000-memory.dmp
    memory/1852-857-0x000000000A490000-0x000000000A4CC000-memory.dmp
    memory/1852-858-0x000000000A510000-0x000000000A55C000-memory.dmp