Malware Analysis Report

2025-04-03 14:18

Sample ID 241110-dftsnaxncs
Target 4fc16380c35e8fd8a85abb07ebd6d27618277fd952f95bcb1a024b1e73685681
SHA256 4fc16380c35e8fd8a85abb07ebd6d27618277fd952f95bcb1a024b1e73685681
Tags: healer redline discovery dropper evasion infostealer persistence trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

4fc16380c35e8fd8a85abb07ebd6d27618277fd952f95bcb1a024b1e73685681

Threat Level: Known bad

The file 4fc16380c35e8fd8a85abb07ebd6d27618277fd952f95bcb1a024b1e73685681 was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

RedLine

Healer

Detects Healer, an antivirus disabler dropper

Healer family

Redline family

RedLine payload

Executes dropped EXE

Windows security modification

Adds Run key to start application

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-11-10 02:57

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 02:57

Reported

2024-11-10 03:00

Platform

win10v2004-20241007-en

Max time kernel

138s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4fc16380c35e8fd8a85abb07ebd6d27618277fd952f95bcb1a024b1e73685681.exe"

Signatures

Detects Healer, an antivirus disabler dropper


Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2662115.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2662115.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2662115.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2662115.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2662115.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2662115.exe N/A

RedLine

infostealer redline

RedLine payload


Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2662115.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2662115.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\4fc16380c35e8fd8a85abb07ebd6d27618277fd952f95bcb1a024b1e73685681.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6127959.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3849232.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1877022.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9217539.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2662115.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0900748.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4fc16380c35e8fd8a85abb07ebd6d27618277fd952f95bcb1a024b1e73685681.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6127959.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3849232.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1877022.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9217539.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2662115.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2662115.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3640 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\4fc16380c35e8fd8a85abb07ebd6d27618277fd952f95bcb1a024b1e73685681.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6127959.exe
PID 4300 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6127959.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3849232.exe
PID 3924 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3849232.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1877022.exe
PID 2724 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1877022.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9217539.exe
PID 1088 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9217539.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2662115.exe
PID 1088 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9217539.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0900748.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4fc16380c35e8fd8a85abb07ebd6d27618277fd952f95bcb1a024b1e73685681.exe

"C:\Users\Admin\AppData\Local\Temp\4fc16380c35e8fd8a85abb07ebd6d27618277fd952f95bcb1a024b1e73685681.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6127959.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6127959.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3849232.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3849232.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1877022.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1877022.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9217539.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9217539.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2662115.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2662115.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1016 -ip 1016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0900748.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0900748.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
FI 77.91.124.111:19069 tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6127959.exe

MD5 bc6eeaa009be69cc918985c750b930c5
SHA1 0c5e9f8c8c958f42880ec8b9626dbddd22b3e500
SHA256 32c186e16f6642c1b09b109a681dbd0346d95debac48303bd2ddb698a235d220
SHA512 addbc98cda12c67d04e477230f21c8b591ab1a15b8a67fdf10b77490c5a845bcfaf4a1ad46398f0468c00111326f952b9bffd222c48563f8690b1555c1e0d958

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3849232.exe

MD5 4facb6e95c898b5247eb49829fdf80ac
SHA1 21f3dc101c5c3fdd9d1a5057d34b92e6fce03131
SHA256 fc023cd558e0ca11d5187a85126d79655170e1e4deebcb7cb6e147062d31afd1
SHA512 e61f2f8fb23b21646de8b20a00b5911155228ba4b3ea1b661f95aca32432aee42ea4b54be735983d1083d023beeb7f91f356eb211a3658b76f22f777bb54fc83

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1877022.exe

MD5 ab30280deaa83c0e4cc11f6d1c9ba82a
SHA1 836f83d13a50f1a74f7209275050003703e1489f
SHA256 1267e8c274f022f872bac351737079d99f6b239708b2daac3db0f599e581744d
SHA512 2a2b65ae4027768852f995561098568685a4fb855928b83c116e90d18fb36f68b4d50e2d63b462f7dd3103d59736fcf3746e22d850d0eb4a48c2c9fbfe18562b

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9217539.exe

MD5 f0b0605044d8928d48c95221d8e83d02
SHA1 c9ca33854f0b1238cd02d6f1bbf041bff7ee167a
SHA256 fcff1dc6c624fb7f32f09ef47b6e38a4e50d9224f2c269e68b4e59a976b05ccd
SHA512 56ab0a04c5091e2a8f5b6a1364f4a7d00130f284494702ba9e461aa1a1a12b83374f2e771a161723e39c706f3510bf67e7de4eade1a64540e21a17239a591a60

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2662115.exe

MD5 fcb272cd0c4ce7d2d106cfd6b1839d9a
SHA1 214aaa0337be7ceb09a8ff6ad3d1babcd8294b68
SHA256 94710195d75880b9fa3e928660094f76da05f0f1b7a089dcfcd1b20d1f920d7c
SHA512 f7ef0f93bd0955ff7716a0011b9bf9a3354d21c2c530e5a648a199971e7f0dc6297c1a53b2a92fbe4a75c9f7a76d4c9d13c114d472eb0009040f302965e410ed

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0900748.exe

MD5 32cf00417d14b8f8bc81959f095b1104
SHA1 9fd8734332a3c82e7f8377bc109b0562e15c75f9
SHA256 6e101fc9abbc2e2367ac557d7fe3f7170d17d125209c8d9e091794f13497dd88
SHA512 a04bcf84520fae186a04f9d6927857aeb00832c6b8c1d27fcd894fcf4ef1ecb94e54670319149508f24fcb89a8705268906d6f0b1834295de5e810f6521ee157
