Malware Analysis Report

2025-05-28 18:49

Sample ID 241110-d9mw7sygrc
Target 7f9c2c2287d73c7e302c574868f8772418c5956d9a65c97169eb7b9cfc6609ef
SHA256 7f9c2c2287d73c7e302c574868f8772418c5956d9a65c97169eb7b9cfc6609ef
Tags
healer redline boris discovery dropper evasion infostealer persistence trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

7f9c2c2287d73c7e302c574868f8772418c5956d9a65c97169eb7b9cfc6609ef

Threat Level: Known bad

The file 7f9c2c2287d73c7e302c574868f8772418c5956d9a65c97169eb7b9cfc6609ef was found to be: Known bad.

Malicious Activity Summary

healer redline boris discovery dropper evasion infostealer persistence trojan

RedLine

Detects Healer an antivirus disabler dropper

Redline family

RedLine payload

Healer family

Modifies Windows Defender Real-time Protection settings

Healer

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 03:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 03:42

Reported

2024-11-10 03:45

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7f9c2c2287d73c7e302c574868f8772418c5956d9a65c97169eb7b9cfc6609ef.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A (17 identical rows; no indicator, process or target reported)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5193.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5193.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5193.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5193.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5193.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5193.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A (20 identical rows; no indicator, process or target reported)

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5193.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5193.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\7f9c2c2287d73c7e302c574868f8772418c5956d9a65c97169eb7b9cfc6609ef.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un260456.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un260456.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5193.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3215.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7f9c2c2287d73c7e302c574868f8772418c5956d9a65c97169eb7b9cfc6609ef.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5193.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5193.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5193.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3215.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 736 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\7f9c2c2287d73c7e302c574868f8772418c5956d9a65c97169eb7b9cfc6609ef.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un260456.exe
PID 736 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\7f9c2c2287d73c7e302c574868f8772418c5956d9a65c97169eb7b9cfc6609ef.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un260456.exe
PID 736 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\7f9c2c2287d73c7e302c574868f8772418c5956d9a65c97169eb7b9cfc6609ef.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un260456.exe
PID 3128 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un260456.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5193.exe
PID 3128 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un260456.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5193.exe
PID 3128 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un260456.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5193.exe
PID 3128 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un260456.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3215.exe
PID 3128 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un260456.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3215.exe
PID 3128 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un260456.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3215.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7f9c2c2287d73c7e302c574868f8772418c5956d9a65c97169eb7b9cfc6609ef.exe

"C:\Users\Admin\AppData\Local\Temp\7f9c2c2287d73c7e302c574868f8772418c5956d9a65c97169eb7b9cfc6609ef.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un260456.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un260456.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5193.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5193.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2824 -ip 2824

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 1004

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3215.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3215.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.233.20.32:4125 N/A tcp
RU 193.233.20.32:4125 N/A tcp
RU 193.233.20.32:4125 N/A tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
RU 193.233.20.32:4125 N/A tcp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
RU 193.233.20.32:4125 N/A tcp
RU 193.233.20.32:4125 N/A tcp
RU 193.233.20.32:4125 N/A tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 193.233.20.32:4125 N/A tcp
RU 193.233.20.32:4125 N/A tcp
RU 193.233.20.32:4125 N/A tcp
RU 193.233.20.32:4125 N/A tcp
US 8.8.8.8:53 104.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
RU 193.233.20.32:4125 N/A tcp
RU 193.233.20.32:4125 N/A tcp
RU 193.233.20.32:4125 N/A tcp
RU 193.233.20.32:4125 N/A tcp
RU 193.233.20.32:4125 N/A tcp
RU 193.233.20.32:4125 N/A tcp
RU 193.233.20.32:4125 N/A tcp
RU 193.233.20.32:4125 N/A tcp
US 8.8.8.8:53 N/A udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un260456.exe

MD5 60e2c6fcd9a26385825a2f39dd61db92
SHA1 669d7628d072fe7dd77c265d442a422481d16def
SHA256 4711bf4d5daedb4767765b4b0f45f594b9fbb0e2396f801cfb3b560e1f55cf0b
SHA512 bad2c5f53d41190301e03dca9e8a42bf956e256ce89a35dde85b88a9fcabac49111d4e64bc08dd49999c657e943c45b512fc66a1d99c59fba07e12d0d6f3038c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5193.exe

MD5 192410de901925337cc3f0dc6bcbff8d
SHA1 f8ffddce960c1b0ce5206b80166c3f4d8e9b8d4e
SHA256 d118a398cef1f28d550f3f2ffae4134fdcfb367ab281b14c49adb41e4b59d110
SHA512 66cbfadf4e49ad6aa9095367bcc2e81d25e06b54d7a59ffde9332f692d5d9a84511455d93a0c2cfd39d887232badadca399c858e42771ade0472c4101df79cd9

memory/2824-15-0x0000000002E80000-0x0000000002F80000-memory.dmp

memory/2824-16-0x0000000002C60000-0x0000000002C8D000-memory.dmp

memory/2824-17-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2824-18-0x0000000004A20000-0x0000000004A3A000-memory.dmp

memory/2824-19-0x00000000073B0000-0x0000000007954000-memory.dmp

memory/2824-20-0x0000000004D20000-0x0000000004D38000-memory.dmp

memory/2824-22-0x0000000004D20000-0x0000000004D32000-memory.dmp

memory/2824-48-0x0000000004D20000-0x0000000004D32000-memory.dmp

memory/2824-46-0x0000000004D20000-0x0000000004D32000-memory.dmp

memory/2824-44-0x0000000004D20000-0x0000000004D32000-memory.dmp

memory/2824-43-0x0000000004D20000-0x0000000004D32000-memory.dmp

memory/2824-40-0x0000000004D20000-0x0000000004D32000-memory.dmp

memory/2824-38-0x0000000004D20000-0x0000000004D32000-memory.dmp

memory/2824-36-0x0000000004D20000-0x0000000004D32000-memory.dmp

memory/2824-34-0x0000000004D20000-0x0000000004D32000-memory.dmp

memory/2824-32-0x0000000004D20000-0x0000000004D32000-memory.dmp

memory/2824-30-0x0000000004D20000-0x0000000004D32000-memory.dmp

memory/2824-28-0x0000000004D20000-0x0000000004D32000-memory.dmp

memory/2824-26-0x0000000004D20000-0x0000000004D32000-memory.dmp

memory/2824-24-0x0000000004D20000-0x0000000004D32000-memory.dmp

memory/2824-21-0x0000000004D20000-0x0000000004D32000-memory.dmp

memory/2824-49-0x0000000002E80000-0x0000000002F80000-memory.dmp

memory/2824-50-0x0000000002C60000-0x0000000002C8D000-memory.dmp

memory/2824-52-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2824-51-0x0000000000400000-0x0000000002B7E000-memory.dmp

memory/2824-55-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3215.exe

MD5 6f4c1eccf4bbdb8578aac8a9323a2789
SHA1 36406e6fc08664836ec42ba0369fb775fa93f851
SHA256 5ba12c484f077f35d10f8c51c5a07b7f49d00388bf05f996cb6cd58ce3493d0c
SHA512 557824341c0aeda978a02c0414bd8be87d941da8092676b6d06e5ba0e5dc9448922aa66e556684ba3c5f1103e42c84783a2e8e1a10c997191069336cb89184b2

memory/2824-54-0x0000000000400000-0x0000000002B7E000-memory.dmp

memory/2808-60-0x0000000004750000-0x0000000004796000-memory.dmp

memory/2808-61-0x0000000007180000-0x00000000071C4000-memory.dmp

memory/2808-91-0x0000000007180000-0x00000000071BF000-memory.dmp

memory/2808-95-0x0000000007180000-0x00000000071BF000-memory.dmp

memory/2808-93-0x0000000007180000-0x00000000071BF000-memory.dmp

memory/2808-89-0x0000000007180000-0x00000000071BF000-memory.dmp

memory/2808-87-0x0000000007180000-0x00000000071BF000-memory.dmp

memory/2808-85-0x0000000007180000-0x00000000071BF000-memory.dmp

memory/2808-83-0x0000000007180000-0x00000000071BF000-memory.dmp

memory/2808-81-0x0000000007180000-0x00000000071BF000-memory.dmp

memory/2808-79-0x0000000007180000-0x00000000071BF000-memory.dmp

memory/2808-75-0x0000000007180000-0x00000000071BF000-memory.dmp

memory/2808-73-0x0000000007180000-0x00000000071BF000-memory.dmp

memory/2808-71-0x0000000007180000-0x00000000071BF000-memory.dmp

memory/2808-69-0x0000000007180000-0x00000000071BF000-memory.dmp

memory/2808-77-0x0000000007180000-0x00000000071BF000-memory.dmp

memory/2808-67-0x0000000007180000-0x00000000071BF000-memory.dmp

memory/2808-65-0x0000000007180000-0x00000000071BF000-memory.dmp

memory/2808-63-0x0000000007180000-0x00000000071BF000-memory.dmp

memory/2808-62-0x0000000007180000-0x00000000071BF000-memory.dmp

memory/2808-968-0x0000000007930000-0x0000000007F48000-memory.dmp

memory/2808-969-0x0000000007FA0000-0x00000000080AA000-memory.dmp

memory/2808-970-0x00000000080E0000-0x00000000080F2000-memory.dmp

memory/2808-971-0x0000000008100000-0x000000000813C000-memory.dmp

memory/2808-972-0x0000000008250000-0x000000000829C000-memory.dmp