Malware Analysis Report

2025-04-03 14:21

Sample ID 241110-dfmdksybng
Target 7a394e2e5eb30c16a0d1cc06ff7ae76493b1619f92afb47d3da82505ca86f526
SHA256 7a394e2e5eb30c16a0d1cc06ff7ae76493b1619f92afb47d3da82505ca86f526
Tags
healer redline rosn discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7a394e2e5eb30c16a0d1cc06ff7ae76493b1619f92afb47d3da82505ca86f526

Threat Level: Known bad

The file 7a394e2e5eb30c16a0d1cc06ff7ae76493b1619f92afb47d3da82505ca86f526 was found to be: Known bad.

Malicious Activity Summary

healer redline rosn discovery dropper evasion infostealer persistence trojan

Healer family

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Redline family

Detects Healer an antivirus disabler dropper

Healer

Executes dropped EXE

Windows security modification

Adds Run key to start application

Launches sc.exe

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 02:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 02:57

Reported

2024-11-10 02:59

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7a394e2e5eb30c16a0d1cc06ff7ae76493b1619f92afb47d3da82505ca86f526.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr673164.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr673164.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr673164.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr673164.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr673164.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr673164.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
35 matches, all recorded as N/A N/A N/A N/A (no description, indicator, process or target captured for this signature)

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr673164.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"" C:\Users\Admin\AppData\Local\Temp\7a394e2e5eb30c16a0d1cc06ff7ae76493b1619f92afb47d3da82505ca86f526.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zijQ2427.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku560443.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7a394e2e5eb30c16a0d1cc06ff7ae76493b1619f92afb47d3da82505ca86f526.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zijQ2427.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr673164.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr673164.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr673164.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku560443.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7a394e2e5eb30c16a0d1cc06ff7ae76493b1619f92afb47d3da82505ca86f526.exe

"C:\Users\Admin\AppData\Local\Temp\7a394e2e5eb30c16a0d1cc06ff7ae76493b1619f92afb47d3da82505ca86f526.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zijQ2427.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zijQ2427.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr673164.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr673164.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku560443.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku560443.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zijQ2427.exe

MD5 cd791fbb07570f6f54e61295bf57a3c3
SHA1 3e7a377b2e5f9b80fb30c56eaa0b5a7f830ce0d1
SHA256 0dc6d7f4024ac40ee9f2a5e8f1ed65bda4ba5f5f3ae62aa8a89290efa0898e5f
SHA512 c1f8f5341d417ae5b8556597fef588f16d15d97d0ff8226be0ac52f5b5fcee752fddb13eaee6f119529d6c4faad121f133da89dbd21334475893ea1bedf9e0ea

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr673164.exe

MD5 e3839584bc1c3276b6120b1e05a748a8
SHA1 55d531f47107d1d2ed8a2d5da69c0d7570ed32bd
SHA256 1fa5f9096051c9991130b593b049dd9a53a890f2ae5367e977b79aefbda5472c
SHA512 6fa2541755154b3ee41f6bdbad4828c63e5235fec4808ae4c91737ae50bbbf667480651168948d9629ad16772595af3a6dc8788b98e7dd9ec51b29973da559fa

memory/3636-15-0x00000000007A0000-0x00000000007AA000-memory.dmp

memory/3636-14-0x00007FFD3FA63000-0x00007FFD3FA65000-memory.dmp

memory/3636-16-0x00007FFD3FA63000-0x00007FFD3FA65000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku560443.exe

MD5 641a54afa65feb5a01244005f925d11d
SHA1 20ea0d27b56b35ea14582946b0c62fa44d61ef88
SHA256 ed23c38864d6ba91c616b0827ef79d0303048d8a7ea0c613c3c3ad2b920e24d0
SHA512 b8efc5f8d3a7125e70c29cb5bd072fb0403e9066a5c343b80a89997a1a338f8759d302ff677b24108baedf550f35a1bfced9a5df1a992e3b656c8c37c1f43e99

memory/3220-22-0x0000000004E60000-0x0000000004EA6000-memory.dmp

memory/3220-23-0x0000000005010000-0x00000000055B4000-memory.dmp

memory/3220-24-0x0000000004F30000-0x0000000004F74000-memory.dmp

memory/3220-38-0x0000000004F30000-0x0000000004F6F000-memory.dmp

memory/3220-42-0x0000000004F30000-0x0000000004F6F000-memory.dmp

memory/3220-88-0x0000000004F30000-0x0000000004F6F000-memory.dmp

memory/3220-86-0x0000000004F30000-0x0000000004F6F000-memory.dmp

memory/3220-84-0x0000000004F30000-0x0000000004F6F000-memory.dmp

memory/3220-82-0x0000000004F30000-0x0000000004F6F000-memory.dmp

memory/3220-78-0x0000000004F30000-0x0000000004F6F000-memory.dmp

memory/3220-76-0x0000000004F30000-0x0000000004F6F000-memory.dmp

memory/3220-74-0x0000000004F30000-0x0000000004F6F000-memory.dmp

memory/3220-72-0x0000000004F30000-0x0000000004F6F000-memory.dmp

memory/3220-70-0x0000000004F30000-0x0000000004F6F000-memory.dmp

memory/3220-68-0x0000000004F30000-0x0000000004F6F000-memory.dmp

memory/3220-66-0x0000000004F30000-0x0000000004F6F000-memory.dmp

memory/3220-64-0x0000000004F30000-0x0000000004F6F000-memory.dmp

memory/3220-62-0x0000000004F30000-0x0000000004F6F000-memory.dmp

memory/3220-60-0x0000000004F30000-0x0000000004F6F000-memory.dmp

memory/3220-56-0x0000000004F30000-0x0000000004F6F000-memory.dmp

memory/3220-54-0x0000000004F30000-0x0000000004F6F000-memory.dmp

memory/3220-52-0x0000000004F30000-0x0000000004F6F000-memory.dmp

memory/3220-50-0x0000000004F30000-0x0000000004F6F000-memory.dmp

memory/3220-48-0x0000000004F30000-0x0000000004F6F000-memory.dmp

memory/3220-46-0x0000000004F30000-0x0000000004F6F000-memory.dmp

memory/3220-44-0x0000000004F30000-0x0000000004F6F000-memory.dmp

memory/3220-40-0x0000000004F30000-0x0000000004F6F000-memory.dmp

memory/3220-36-0x0000000004F30000-0x0000000004F6F000-memory.dmp

memory/3220-34-0x0000000004F30000-0x0000000004F6F000-memory.dmp

memory/3220-32-0x0000000004F30000-0x0000000004F6F000-memory.dmp

memory/3220-30-0x0000000004F30000-0x0000000004F6F000-memory.dmp

memory/3220-80-0x0000000004F30000-0x0000000004F6F000-memory.dmp

memory/3220-58-0x0000000004F30000-0x0000000004F6F000-memory.dmp

memory/3220-28-0x0000000004F30000-0x0000000004F6F000-memory.dmp

memory/3220-26-0x0000000004F30000-0x0000000004F6F000-memory.dmp

memory/3220-25-0x0000000004F30000-0x0000000004F6F000-memory.dmp

memory/3220-931-0x00000000055C0000-0x0000000005BD8000-memory.dmp

memory/3220-932-0x0000000005C30000-0x0000000005D3A000-memory.dmp

memory/3220-933-0x0000000005D70000-0x0000000005D82000-memory.dmp

memory/3220-934-0x0000000005D90000-0x0000000005DCC000-memory.dmp

memory/3220-935-0x0000000005EE0000-0x0000000005F2C000-memory.dmp