Malware Analysis Report

2025-04-03 14:19

Sample ID 241110-dg72ns1mdq
Target 5701ec340c27349ccfa23fcca352a45971d96613d6484e2241e6f1c929310255
SHA256 5701ec340c27349ccfa23fcca352a45971d96613d6484e2241e6f1c929310255
Tags
healer redline discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5701ec340c27349ccfa23fcca352a45971d96613d6484e2241e6f1c929310255

Threat Level: Known bad

The file 5701ec340c27349ccfa23fcca352a45971d96613d6484e2241e6f1c929310255 was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

Redline family

Healer

RedLine

RedLine payload

Detects Healer an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

Healer family

Executes dropped EXE

Windows security modification

Adds Run key to start application

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 02:59

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 02:59

Reported

2024-11-10 03:02

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5701ec340c27349ccfa23fcca352a45971d96613d6484e2241e6f1c929310255.exe"

Signatures

Detects Healer an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\93457949.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\93457949.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\93457949.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\93457949.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\93457949.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\93457949.exe N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\93457949.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\93457949.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\5701ec340c27349ccfa23fcca352a45971d96613d6484e2241e6f1c929310255.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un500144.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5701ec340c27349ccfa23fcca352a45971d96613d6484e2241e6f1c929310255.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un500144.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\93457949.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk366009.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\93457949.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\93457949.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk366009.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2992 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\5701ec340c27349ccfa23fcca352a45971d96613d6484e2241e6f1c929310255.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un500144.exe
PID 1756 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un500144.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\93457949.exe
PID 1756 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un500144.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk366009.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5701ec340c27349ccfa23fcca352a45971d96613d6484e2241e6f1c929310255.exe

"C:\Users\Admin\AppData\Local\Temp\5701ec340c27349ccfa23fcca352a45971d96613d6484e2241e6f1c929310255.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un500144.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un500144.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\93457949.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\93457949.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 396 -ip 396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk366009.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk366009.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 72.208.201.84.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
RU 185.161.248.143:38452 tcp
RU 185.161.248.143:38452 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un500144.exe

MD5 734cba86ed2dbffc653adb8c02725c3b
SHA1 a6a0d09a304da5c71ce571f6b7915b77da432a5c
SHA256 fbedf4032be3cc519695fba0a65af759a0c56cea067a14b1de9a43ccdb16d9f8
SHA512 a7c9217d6f7d4f171ab80e59b6873fc63867504b222c0f231c48be819079e1856f22629099310c9db7ce0fe7f8f11bbeb454802d796f011e5adf0029d9fd9750

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\93457949.exe

MD5 c15ccb81b573b60fb5ef418bc3e2bb5a
SHA1 f46d4fb3ee4137b42c35cea9650af5c79819beb8
SHA256 ca927894c8adf93de313630314fd5af48248cb87cfe0ae6e73382b19c3b20506
SHA512 9d8a703ef7a71c032471b3ccb01e40835848dea401d9f2c8f655fb7717b0251b2922495e95a8c98da3c049d8a2efd81e05aaf47dda9d987c18b23f4735a42818

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk366009.exe

MD5 56203a56c0edb3bf12eed435620a4ed1
SHA1 fd07f3ad845f84ea43f8656779675ef80514aa17
SHA256 e532e60e3e0071f42f16d01a9b74207712325e9c13e96ddc193e4912dc7cf4ea
SHA512 95b2b62e5fb5d947dd2de68391898da5b922fc2bb3f53abee500de459594258791ad64616d65c0d73100b1fbba43f1f2f0adfa5367ef4a7a3fdad4ca5fbb9eda
