Malware Analysis Report

2025-04-03 14:18

Sample ID 241110-dgp6vsyakq
Target 3174da51e95b35d2f024b352cfde35836bed254eb412a6c41f555e04e094583b
SHA256 3174da51e95b35d2f024b352cfde35836bed254eb412a6c41f555e04e094583b
Tags healer redline ruzhpe discovery dropper evasion infostealer persistence trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 3174da51e95b35d2f024b352cfde35836bed254eb412a6c41f555e04e094583b

Threat Level: Known bad

The file 3174da51e95b35d2f024b352cfde35836bed254eb412a6c41f555e04e094583b was found to be: Known bad.

Malicious Activity Summary

healer redline ruzhpe discovery dropper evasion infostealer persistence trojan

Detects Healer an antivirus disabler dropper

Healer family

Healer

RedLine payload

RedLine

Redline family

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-11-10 02:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-11-10 02:59
Reported 2024-11-10 03:01
Platform win10v2004-20241007-en
Max time kernel 147s
Max time network 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3174da51e95b35d2f024b352cfde35836bed254eb412a6c41f555e04e094583b.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urvo97wR93.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urvo97wR93.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urvo97wR93.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urvo97wR93.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urvo97wR93.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urvo97wR93.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urvo97wR93.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urvo97wR93.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\3174da51e95b35d2f024b352cfde35836bed254eb412a6c41f555e04e094583b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycor78Cd05.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3174da51e95b35d2f024b352cfde35836bed254eb412a6c41f555e04e094583b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycor78Cd05.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urvo97wR93.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrdR53GI11.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urvo97wR93.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urvo97wR93.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urvo97wR93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrdR53GI11.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1300 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\3174da51e95b35d2f024b352cfde35836bed254eb412a6c41f555e04e094583b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycor78Cd05.exe
PID 1300 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\3174da51e95b35d2f024b352cfde35836bed254eb412a6c41f555e04e094583b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycor78Cd05.exe
PID 1300 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\3174da51e95b35d2f024b352cfde35836bed254eb412a6c41f555e04e094583b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycor78Cd05.exe
PID 4924 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycor78Cd05.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urvo97wR93.exe
PID 4924 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycor78Cd05.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urvo97wR93.exe
PID 4924 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycor78Cd05.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urvo97wR93.exe
PID 4924 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycor78Cd05.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrdR53GI11.exe
PID 4924 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycor78Cd05.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrdR53GI11.exe
PID 4924 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycor78Cd05.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrdR53GI11.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3174da51e95b35d2f024b352cfde35836bed254eb412a6c41f555e04e094583b.exe

"C:\Users\Admin\AppData\Local\Temp\3174da51e95b35d2f024b352cfde35836bed254eb412a6c41f555e04e094583b.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycor78Cd05.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycor78Cd05.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urvo97wR93.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urvo97wR93.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1632 -ip 1632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 1016

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrdR53GI11.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrdR53GI11.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 105.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycor78Cd05.exe

MD5 93bf81fc901946a3d118ee1e6a79a2e1
SHA1 14a0eff4adbdd33ae6600868db75c9b475e5a49d
SHA256 a77a561dd4afd56577bb2f8cda977cee08dffbc2d35526edfd57c67a010f9d11
SHA512 c926609c309e5cbb93b0c0cadedb259964451abc7f6532b30a9263652770a5e8ba32412730fd73728128942185831cb58d96d9cca6ecec58d9f1b7c4099050f5

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urvo97wR93.exe

MD5 1f2dffeb3be61b7f59bea1593b2542fa
SHA1 92c410b0dc87bcdd8722a0cbb6bc72e8742f3e4e
SHA256 b6a85958be9314965b992380492628808c92bea16b4a4e84637c0bb2d2851266
SHA512 abecf645ea38dfd5bf8769df9c015cd16251fbde0b22a1662bd493f256225bc3b3ac7bd2dee4a0678b855f619545a09d8a3a7810a949b399b1f27e192b3d4952

memory/1632-15-0x0000000002D10000-0x0000000002E10000-memory.dmp

memory/1632-16-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1632-17-0x0000000004860000-0x000000000487A000-memory.dmp

memory/1632-18-0x00000000074A0000-0x0000000007A44000-memory.dmp

memory/1632-19-0x00000000072C0000-0x00000000072D8000-memory.dmp

memory/1632-20-0x0000000000400000-0x0000000002BC5000-memory.dmp

memory/1632-36-0x00000000072C0000-0x00000000072D2000-memory.dmp

memory/1632-48-0x00000000072C0000-0x00000000072D2000-memory.dmp

memory/1632-46-0x00000000072C0000-0x00000000072D2000-memory.dmp

memory/1632-44-0x00000000072C0000-0x00000000072D2000-memory.dmp

memory/1632-42-0x00000000072C0000-0x00000000072D2000-memory.dmp

memory/1632-40-0x00000000072C0000-0x00000000072D2000-memory.dmp

memory/1632-38-0x00000000072C0000-0x00000000072D2000-memory.dmp

memory/1632-34-0x00000000072C0000-0x00000000072D2000-memory.dmp

memory/1632-32-0x00000000072C0000-0x00000000072D2000-memory.dmp

memory/1632-30-0x00000000072C0000-0x00000000072D2000-memory.dmp

memory/1632-28-0x00000000072C0000-0x00000000072D2000-memory.dmp

memory/1632-26-0x00000000072C0000-0x00000000072D2000-memory.dmp

memory/1632-24-0x00000000072C0000-0x00000000072D2000-memory.dmp

memory/1632-22-0x00000000072C0000-0x00000000072D2000-memory.dmp

memory/1632-21-0x00000000072C0000-0x00000000072D2000-memory.dmp

memory/1632-49-0x0000000002D10000-0x0000000002E10000-memory.dmp

memory/1632-50-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1632-53-0x0000000000400000-0x0000000002BC5000-memory.dmp

memory/1632-54-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrdR53GI11.exe

MD5 97581d18424b6968bffda63f4e27c2b0
SHA1 501bc8daae8308a502ceae32244e79e55d2282c3
SHA256 99908812a3e7d39049e6a424c5eaed09d067384e8997d55ea8804be915a6df30
SHA512 bb82a81e022d658c76192e97266feec3731260ac514f7f0c12ee96a9a81c8947c7ac756969b3671c1eef648a69f3bb39ec0fb3fb4cd4d0de272d3f2aeec2b1ba

memory/3828-59-0x0000000007180000-0x00000000071C6000-memory.dmp

memory/3828-60-0x00000000077C0000-0x0000000007804000-memory.dmp

memory/3828-62-0x00000000077C0000-0x00000000077FE000-memory.dmp

memory/3828-94-0x00000000077C0000-0x00000000077FE000-memory.dmp

memory/3828-93-0x00000000077C0000-0x00000000077FE000-memory.dmp

memory/3828-90-0x00000000077C0000-0x00000000077FE000-memory.dmp

memory/3828-88-0x00000000077C0000-0x00000000077FE000-memory.dmp

memory/3828-86-0x00000000077C0000-0x00000000077FE000-memory.dmp

memory/3828-84-0x00000000077C0000-0x00000000077FE000-memory.dmp

memory/3828-82-0x00000000077C0000-0x00000000077FE000-memory.dmp

memory/3828-80-0x00000000077C0000-0x00000000077FE000-memory.dmp

memory/3828-76-0x00000000077C0000-0x00000000077FE000-memory.dmp

memory/3828-74-0x00000000077C0000-0x00000000077FE000-memory.dmp

memory/3828-72-0x00000000077C0000-0x00000000077FE000-memory.dmp

memory/3828-70-0x00000000077C0000-0x00000000077FE000-memory.dmp

memory/3828-68-0x00000000077C0000-0x00000000077FE000-memory.dmp

memory/3828-67-0x00000000077C0000-0x00000000077FE000-memory.dmp

memory/3828-64-0x00000000077C0000-0x00000000077FE000-memory.dmp

memory/3828-61-0x00000000077C0000-0x00000000077FE000-memory.dmp

memory/3828-78-0x00000000077C0000-0x00000000077FE000-memory.dmp

memory/3828-967-0x0000000007810000-0x0000000007E28000-memory.dmp

memory/3828-968-0x0000000007EB0000-0x0000000007FBA000-memory.dmp

memory/3828-969-0x0000000007FF0000-0x0000000008002000-memory.dmp

memory/3828-970-0x0000000008010000-0x000000000804C000-memory.dmp

memory/3828-971-0x0000000008160000-0x00000000081AC000-memory.dmp