Malware Analysis Report

2025-05-28 18:49

Sample ID 241110-d7ywpaykbv
Target 20a054954b7377d9e5aa7fb07810fdaa3411ecbf9cd55a109a3f39e3b83c2028
SHA256 20a054954b7377d9e5aa7fb07810fdaa3411ecbf9cd55a109a3f39e3b83c2028
Tags healer redline rosn discovery dropper evasion infostealer persistence trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10
SHA256 20a054954b7377d9e5aa7fb07810fdaa3411ecbf9cd55a109a3f39e3b83c2028

Threat Level: Known bad

The file 20a054954b7377d9e5aa7fb07810fdaa3411ecbf9cd55a109a3f39e3b83c2028 was found to be: Known bad.

Malicious Activity Summary


RedLine payload

Detects Healer, an antivirus disabler dropper

RedLine

Redline family

Modifies Windows Defender Real-time Protection settings

Healer family

Healer

Windows security modification

Executes dropped EXE

Adds Run key to start application

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-11-10 03:39

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-11-10 03:39
Reported 2024-11-10 03:42
Platform win10v2004-20241007-en
Max time kernel 145s
Max time network 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\20a054954b7377d9e5aa7fb07810fdaa3411ecbf9cd55a109a3f39e3b83c2028.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0056.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0056.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0056.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0056.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0056.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0056.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Redline family

redline

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0056.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0056.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\20a054954b7377d9e5aa7fb07810fdaa3411ecbf9cd55a109a3f39e3b83c2028.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un336197.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\20a054954b7377d9e5aa7fb07810fdaa3411ecbf9cd55a109a3f39e3b83c2028.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un336197.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0056.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1012.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0056.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0056.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0056.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1012.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3216 wrote to memory of 4364 | N/A | C:\Users\Admin\AppData\Local\Temp\20a054954b7377d9e5aa7fb07810fdaa3411ecbf9cd55a109a3f39e3b83c2028.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un336197.exe
PID 3216 wrote to memory of 4364 | N/A | C:\Users\Admin\AppData\Local\Temp\20a054954b7377d9e5aa7fb07810fdaa3411ecbf9cd55a109a3f39e3b83c2028.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un336197.exe
PID 3216 wrote to memory of 4364 | N/A | C:\Users\Admin\AppData\Local\Temp\20a054954b7377d9e5aa7fb07810fdaa3411ecbf9cd55a109a3f39e3b83c2028.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un336197.exe
PID 4364 wrote to memory of 3740 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un336197.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0056.exe
PID 4364 wrote to memory of 3740 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un336197.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0056.exe
PID 4364 wrote to memory of 3740 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un336197.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0056.exe
PID 4364 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un336197.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1012.exe
PID 4364 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un336197.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1012.exe
PID 4364 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un336197.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1012.exe

Processes

C:\Users\Admin\AppData\Local\Temp\20a054954b7377d9e5aa7fb07810fdaa3411ecbf9cd55a109a3f39e3b83c2028.exe
  "C:\Users\Admin\AppData\Local\Temp\20a054954b7377d9e5aa7fb07810fdaa3411ecbf9cd55a109a3f39e3b83c2028.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un336197.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un336197.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0056.exe
  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0056.exe

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3740 -ip 3740

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1012.exe
  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1012.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
RU | 176.113.115.145:4125 | | tcp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
RU | 176.113.115.145:4125 | | tcp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
RU | 176.113.115.145:4125 | | tcp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
RU | 176.113.115.145:4125 | | tcp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp
RU | 176.113.115.145:4125 | | tcp
RU | 176.113.115.145:4125 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un336197.exe

MD5 5aa5186a9a84fd59c72aa9ef4fcb5b50
SHA1 024460137d321822fe4adef251828b61f60f0e6c
SHA256 52d0b9c1167efad4283c5a9e47f17466b95c225ccb563672893c70661f9a5728
SHA512 dbf8db5d73b719a6efc2593cd017b6b24349a66b7f7f86588d3793fd251495c0af3c8975b97095c7b223ba25cd2a09257a6fdc87d3f16269a980298532af37f6

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0056.exe

MD5 364988cc8cdecba06453bf038ce2771f
SHA1 a9c63a8954c4013d82eb3341ca51320f265792ad
SHA256 a20ede3ba76f08ed4ba1cb26aeb6b2e9c287521c9615b320062a70d20abbace8
SHA512 f8c11b48ae9734a19e9fcf34dcfbe509e43991df7966e1517f475034582dcc3f8f35fcc05eeadbbf999e5dc4c5a5e678c1a1e219c811d6d76cf5d4fe5da04ff7

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1012.exe

MD5 2ef53d7cd476c1f62371e0472efd499a
SHA1 70c0f2a04a61becacda3398137017476946f3ace
SHA256 385344ba7ee9f9c82cccac5351b2ecf9ffcb170b449f2941064e8ff4d3340ebd
SHA512 7f7c3749edc0aaaadf726f5e3bfced67e0292ec468cd453b2f08567ec0a018cd5378c7a7ee4cd48e2f2b75107cd1fb27d282d8b60f5b70f202b9dbf0589ba89b
