Malware Analysis Report

2025-04-03 14:21

Sample ID 241110-ddzacsxnay
Target 49367d34da6a758b3923024a3003715bb97c0969f72e2b6216d2f1a563b394bb
SHA256 49367d34da6a758b3923024a3003715bb97c0969f72e2b6216d2f1a563b394bb
Tags healer redline rosn discovery dropper evasion infostealer persistence trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256

49367d34da6a758b3923024a3003715bb97c0969f72e2b6216d2f1a563b394bb

Threat Level: Known bad

The file 49367d34da6a758b3923024a3003715bb97c0969f72e2b6216d2f1a563b394bb was found to be: Known bad.

Malicious Activity Summary

healer redline rosn discovery dropper evasion infostealer persistence trojan

Redline family

RedLine

Healer family

RedLine payload

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 02:54

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 02:54

Reported

2024-11-10 02:56

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\49367d34da6a758b3923024a3003715bb97c0969f72e2b6216d2f1a563b394bb.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
(17 matches; no description, indicator, process or target recorded for any of them)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9630.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9630.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9630.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9630.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9630.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9630.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
(20 matches; no description, indicator, process or target recorded for any of them)

Redline family

redline

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9630.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9630.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\49367d34da6a758b3923024a3003715bb97c0969f72e2b6216d2f1a563b394bb.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un073785.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\49367d34da6a758b3923024a3003715bb97c0969f72e2b6216d2f1a563b394bb.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un073785.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9630.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0718.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9630.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9630.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9630.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0718.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1556 wrote to memory of 520 | N/A | C:\Users\Admin\AppData\Local\Temp\49367d34da6a758b3923024a3003715bb97c0969f72e2b6216d2f1a563b394bb.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un073785.exe
PID 1556 wrote to memory of 520 | N/A | C:\Users\Admin\AppData\Local\Temp\49367d34da6a758b3923024a3003715bb97c0969f72e2b6216d2f1a563b394bb.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un073785.exe
PID 1556 wrote to memory of 520 | N/A | C:\Users\Admin\AppData\Local\Temp\49367d34da6a758b3923024a3003715bb97c0969f72e2b6216d2f1a563b394bb.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un073785.exe
PID 520 wrote to memory of 2000 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un073785.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9630.exe
PID 520 wrote to memory of 2000 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un073785.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9630.exe
PID 520 wrote to memory of 2000 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un073785.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9630.exe
PID 520 wrote to memory of 1132 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un073785.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0718.exe
PID 520 wrote to memory of 1132 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un073785.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0718.exe
PID 520 wrote to memory of 1132 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un073785.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0718.exe

Processes

C:\Users\Admin\AppData\Local\Temp\49367d34da6a758b3923024a3003715bb97c0969f72e2b6216d2f1a563b394bb.exe

"C:\Users\Admin\AppData\Local\Temp\49367d34da6a758b3923024a3003715bb97c0969f72e2b6216d2f1a563b394bb.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un073785.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un073785.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9630.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9630.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2000 -ip 2000

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 1020

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0718.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0718.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
RU | 176.113.115.145:4125 | | tcp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
RU | 176.113.115.145:4125 | | tcp
RU | 176.113.115.145:4125 | | tcp
RU | 176.113.115.145:4125 | | tcp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp
RU | 176.113.115.145:4125 | | tcp
RU | 176.113.115.145:4125 | | tcp
US | 8.8.8.8:53 | | udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un073785.exe

MD5 ab4edda59b5086e6b547f549f11ae7b4
SHA1 9a9c3f209452f275a6a7bd4980351801e51b01ff
SHA256 58fd87daed0299201dddc06457a5792b26feb7fcb9ef3be2a28d74e74fc1e700
SHA512 0dcb6cfb444fe0ca1ff66fcf031f233ea037b44c5ca6e5628283b1f061d8e71d59a80da04a393fd4f15896d6d2676ade4ed585cc83ced7f2f7049cc27263bc60

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9630.exe

MD5 8233cf33c5e5e324587286544d1768de
SHA1 3cd03396c05f909495e3a3adb4f8c0639e14939c
SHA256 d70f8844150d065cda9c5ed553925968f3ca4636d6696e92273dc5473cf72768
SHA512 9985a129760d160ef9530ed9ebb220e910f675e09e0e5253b81d9a6d421a8892ae7b1fdb3037d27a42d08ea7a334a774beabc382fb20010183af4ad6b6a27525

memory/2000-15-0x0000000002C60000-0x0000000002D60000-memory.dmp

memory/2000-16-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2000-17-0x0000000004AB0000-0x0000000004ACA000-memory.dmp

memory/2000-18-0x0000000007250000-0x00000000077F4000-memory.dmp

memory/2000-19-0x0000000000400000-0x0000000002B84000-memory.dmp

memory/2000-20-0x0000000007120000-0x0000000007138000-memory.dmp

memory/2000-24-0x0000000007120000-0x0000000007132000-memory.dmp

memory/2000-48-0x0000000007120000-0x0000000007132000-memory.dmp

memory/2000-46-0x0000000007120000-0x0000000007132000-memory.dmp

memory/2000-44-0x0000000007120000-0x0000000007132000-memory.dmp

memory/2000-42-0x0000000007120000-0x0000000007132000-memory.dmp

memory/2000-40-0x0000000007120000-0x0000000007132000-memory.dmp

memory/2000-38-0x0000000007120000-0x0000000007132000-memory.dmp

memory/2000-36-0x0000000007120000-0x0000000007132000-memory.dmp

memory/2000-34-0x0000000007120000-0x0000000007132000-memory.dmp

memory/2000-32-0x0000000007120000-0x0000000007132000-memory.dmp

memory/2000-30-0x0000000007120000-0x0000000007132000-memory.dmp

memory/2000-29-0x0000000007120000-0x0000000007132000-memory.dmp

memory/2000-26-0x0000000007120000-0x0000000007132000-memory.dmp

memory/2000-21-0x0000000007120000-0x0000000007132000-memory.dmp

memory/2000-22-0x0000000007120000-0x0000000007132000-memory.dmp

memory/2000-49-0x0000000002C60000-0x0000000002D60000-memory.dmp

memory/2000-51-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2000-50-0x0000000000400000-0x0000000002B84000-memory.dmp

memory/2000-53-0x0000000000400000-0x0000000002B84000-memory.dmp

memory/2000-54-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0718.exe

MD5 61f34512991d2204f5b8c477131644e1
SHA1 2e6e3798ee5bca15f3524deed4cdd23e9d16252c
SHA256 37b0370c73e58a9104cefa61cbcee455cc49777abf2e836d68bf5dc848fd2b0f
SHA512 7c6fbde0543d5c358b49e3ce39fbe365b0aa3b25cebeaca9487565fad0a282418a355cb285f2fee58690794522dab29498561fad7711f88bdb126efb87821c1b

memory/1132-59-0x0000000004A00000-0x0000000004A46000-memory.dmp

memory/1132-60-0x00000000077B0000-0x00000000077F4000-memory.dmp

memory/1132-88-0x00000000077B0000-0x00000000077EF000-memory.dmp

memory/1132-61-0x00000000077B0000-0x00000000077EF000-memory.dmp

memory/1132-94-0x00000000077B0000-0x00000000077EF000-memory.dmp

memory/1132-92-0x00000000077B0000-0x00000000077EF000-memory.dmp

memory/1132-90-0x00000000077B0000-0x00000000077EF000-memory.dmp

memory/1132-86-0x00000000077B0000-0x00000000077EF000-memory.dmp

memory/1132-84-0x00000000077B0000-0x00000000077EF000-memory.dmp

memory/1132-82-0x00000000077B0000-0x00000000077EF000-memory.dmp

memory/1132-80-0x00000000077B0000-0x00000000077EF000-memory.dmp

memory/1132-78-0x00000000077B0000-0x00000000077EF000-memory.dmp

memory/1132-76-0x00000000077B0000-0x00000000077EF000-memory.dmp

memory/1132-74-0x00000000077B0000-0x00000000077EF000-memory.dmp

memory/1132-72-0x00000000077B0000-0x00000000077EF000-memory.dmp

memory/1132-70-0x00000000077B0000-0x00000000077EF000-memory.dmp

memory/1132-68-0x00000000077B0000-0x00000000077EF000-memory.dmp

memory/1132-66-0x00000000077B0000-0x00000000077EF000-memory.dmp

memory/1132-64-0x00000000077B0000-0x00000000077EF000-memory.dmp

memory/1132-62-0x00000000077B0000-0x00000000077EF000-memory.dmp

memory/1132-967-0x00000000077F0000-0x0000000007E08000-memory.dmp

memory/1132-968-0x0000000007E70000-0x0000000007F7A000-memory.dmp

memory/1132-969-0x0000000007FB0000-0x0000000007FC2000-memory.dmp

memory/1132-970-0x0000000007FD0000-0x000000000800C000-memory.dmp

memory/1132-971-0x0000000008120000-0x000000000816C000-memory.dmp