Malware Analysis Report

2025-04-03 14:21

Sample ID 241110-dfecza1lhl
Target 5701ec340c27349ccfa23fcca352a45971d96613d6484e2241e6f1c929310255
SHA256 5701ec340c27349ccfa23fcca352a45971d96613d6484e2241e6f1c929310255
Tags
healer redline discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5701ec340c27349ccfa23fcca352a45971d96613d6484e2241e6f1c929310255

Threat Level: Known bad

The file 5701ec340c27349ccfa23fcca352a45971d96613d6484e2241e6f1c929310255 was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

RedLine payload

Redline family

RedLine

Detects Healer an antivirus disabler dropper

Healer

Healer family

Modifies Windows Defender Real-time Protection settings

Windows security modification

Executes dropped EXE

Adds Run key to start application

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 02:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 02:56

Reported

2024-11-10 02:59

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5701ec340c27349ccfa23fcca352a45971d96613d6484e2241e6f1c929310255.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\93457949.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\93457949.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\93457949.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\93457949.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\93457949.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\93457949.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\93457949.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\93457949.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\5701ec340c27349ccfa23fcca352a45971d96613d6484e2241e6f1c929310255.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un500144.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5701ec340c27349ccfa23fcca352a45971d96613d6484e2241e6f1c929310255.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un500144.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\93457949.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk366009.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\93457949.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\93457949.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\93457949.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk366009.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4940 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\5701ec340c27349ccfa23fcca352a45971d96613d6484e2241e6f1c929310255.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un500144.exe
PID 4940 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\5701ec340c27349ccfa23fcca352a45971d96613d6484e2241e6f1c929310255.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un500144.exe
PID 4940 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\5701ec340c27349ccfa23fcca352a45971d96613d6484e2241e6f1c929310255.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un500144.exe
PID 4820 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un500144.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\93457949.exe
PID 4820 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un500144.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\93457949.exe
PID 4820 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un500144.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\93457949.exe
PID 4820 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un500144.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk366009.exe
PID 4820 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un500144.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk366009.exe
PID 4820 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un500144.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk366009.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5701ec340c27349ccfa23fcca352a45971d96613d6484e2241e6f1c929310255.exe

"C:\Users\Admin\AppData\Local\Temp\5701ec340c27349ccfa23fcca352a45971d96613d6484e2241e6f1c929310255.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un500144.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un500144.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\93457949.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\93457949.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4756 -ip 4756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 1028

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk366009.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk366009.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
RU 185.161.248.143:38452 N/A tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 185.161.248.143:38452 N/A tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
RU 185.161.248.143:38452 N/A tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 185.161.248.143:38452 N/A tcp
RU 185.161.248.143:38452 N/A tcp
RU 185.161.248.143:38452 N/A tcp
RU 185.161.248.143:38452 N/A tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un500144.exe

MD5 734cba86ed2dbffc653adb8c02725c3b
SHA1 a6a0d09a304da5c71ce571f6b7915b77da432a5c
SHA256 fbedf4032be3cc519695fba0a65af759a0c56cea067a14b1de9a43ccdb16d9f8
SHA512 a7c9217d6f7d4f171ab80e59b6873fc63867504b222c0f231c48be819079e1856f22629099310c9db7ce0fe7f8f11bbeb454802d796f011e5adf0029d9fd9750

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\93457949.exe

MD5 c15ccb81b573b60fb5ef418bc3e2bb5a
SHA1 f46d4fb3ee4137b42c35cea9650af5c79819beb8
SHA256 ca927894c8adf93de313630314fd5af48248cb87cfe0ae6e73382b19c3b20506
SHA512 9d8a703ef7a71c032471b3ccb01e40835848dea401d9f2c8f655fb7717b0251b2922495e95a8c98da3c049d8a2efd81e05aaf47dda9d987c18b23f4735a42818

memory/4756-15-0x0000000002CE0000-0x0000000002DE0000-memory.dmp

memory/4756-16-0x0000000002BA0000-0x0000000002BCD000-memory.dmp

memory/4756-17-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4756-18-0x0000000004C10000-0x0000000004C2A000-memory.dmp

memory/4756-19-0x0000000007150000-0x00000000076F4000-memory.dmp

memory/4756-20-0x0000000007120000-0x0000000007138000-memory.dmp

memory/4756-40-0x0000000007120000-0x0000000007132000-memory.dmp

memory/4756-48-0x0000000007120000-0x0000000007132000-memory.dmp

memory/4756-46-0x0000000007120000-0x0000000007132000-memory.dmp

memory/4756-44-0x0000000007120000-0x0000000007132000-memory.dmp

memory/4756-42-0x0000000007120000-0x0000000007132000-memory.dmp

memory/4756-38-0x0000000007120000-0x0000000007132000-memory.dmp

memory/4756-34-0x0000000007120000-0x0000000007132000-memory.dmp

memory/4756-32-0x0000000007120000-0x0000000007132000-memory.dmp

memory/4756-30-0x0000000007120000-0x0000000007132000-memory.dmp

memory/4756-28-0x0000000007120000-0x0000000007132000-memory.dmp

memory/4756-26-0x0000000007120000-0x0000000007132000-memory.dmp

memory/4756-24-0x0000000007120000-0x0000000007132000-memory.dmp

memory/4756-22-0x0000000007120000-0x0000000007132000-memory.dmp

memory/4756-21-0x0000000007120000-0x0000000007132000-memory.dmp

memory/4756-36-0x0000000007120000-0x0000000007132000-memory.dmp

memory/4756-49-0x0000000002CE0000-0x0000000002DE0000-memory.dmp

memory/4756-51-0x0000000002BA0000-0x0000000002BCD000-memory.dmp

memory/4756-50-0x0000000000400000-0x0000000002B9E000-memory.dmp

memory/4756-52-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4756-55-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk366009.exe

MD5 56203a56c0edb3bf12eed435620a4ed1
SHA1 fd07f3ad845f84ea43f8656779675ef80514aa17
SHA256 e532e60e3e0071f42f16d01a9b74207712325e9c13e96ddc193e4912dc7cf4ea
SHA512 95b2b62e5fb5d947dd2de68391898da5b922fc2bb3f53abee500de459594258791ad64616d65c0d73100b1fbba43f1f2f0adfa5367ef4a7a3fdad4ca5fbb9eda

memory/4756-54-0x0000000000400000-0x0000000002B9E000-memory.dmp

memory/3804-60-0x0000000004AA0000-0x0000000004ADC000-memory.dmp

memory/3804-61-0x0000000004C90000-0x0000000004CCA000-memory.dmp

memory/3804-67-0x0000000004C90000-0x0000000004CC5000-memory.dmp

memory/3804-79-0x0000000004C90000-0x0000000004CC5000-memory.dmp

memory/3804-96-0x0000000004C90000-0x0000000004CC5000-memory.dmp

memory/3804-91-0x0000000004C90000-0x0000000004CC5000-memory.dmp

memory/3804-89-0x0000000004C90000-0x0000000004CC5000-memory.dmp

memory/3804-87-0x0000000004C90000-0x0000000004CC5000-memory.dmp

memory/3804-85-0x0000000004C90000-0x0000000004CC5000-memory.dmp

memory/3804-855-0x00000000072D0000-0x00000000072E2000-memory.dmp

memory/3804-854-0x0000000009D30000-0x000000000A348000-memory.dmp

memory/3804-81-0x0000000004C90000-0x0000000004CC5000-memory.dmp

memory/3804-77-0x0000000004C90000-0x0000000004CC5000-memory.dmp

memory/3804-75-0x0000000004C90000-0x0000000004CC5000-memory.dmp

memory/3804-73-0x0000000004C90000-0x0000000004CC5000-memory.dmp

memory/3804-71-0x0000000004C90000-0x0000000004CC5000-memory.dmp

memory/3804-69-0x0000000004C90000-0x0000000004CC5000-memory.dmp

memory/3804-93-0x0000000004C90000-0x0000000004CC5000-memory.dmp

memory/3804-83-0x0000000004C90000-0x0000000004CC5000-memory.dmp

memory/3804-65-0x0000000004C90000-0x0000000004CC5000-memory.dmp

memory/3804-63-0x0000000004C90000-0x0000000004CC5000-memory.dmp

memory/3804-62-0x0000000004C90000-0x0000000004CC5000-memory.dmp

memory/3804-856-0x000000000A350000-0x000000000A45A000-memory.dmp

memory/3804-857-0x000000000A470000-0x000000000A4AC000-memory.dmp

memory/3804-858-0x0000000004730000-0x000000000477C000-memory.dmp