Malware Analysis Report

2025-04-03 14:20

Sample ID 241110-dk835sycne
Target 7f6f6011244070d337f18c8865e2e5fc25049d06c1897fdc39410dc95799b327
SHA256 7f6f6011244070d337f18c8865e2e5fc25049d06c1897fdc39410dc95799b327
Tags: healer redline discovery dropper evasion infostealer persistence trojan
Score: 10/10

Analysis Overview

score
10/10

SHA256

7f6f6011244070d337f18c8865e2e5fc25049d06c1897fdc39410dc95799b327

Threat Level: Known bad

The file 7f6f6011244070d337f18c8865e2e5fc25049d06c1897fdc39410dc95799b327 was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

Detects Healer, an antivirus disabler dropper

Redline family

Healer family

RedLine payload

Windows security modification

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 03:05

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 03:05

Reported

2024-11-10 03:07

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7f6f6011244070d337f18c8865e2e5fc25049d06c1897fdc39410dc95799b327.exe"

Signatures

Detects Healer, an antivirus disabler dropper


Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr863125.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr863125.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr863125.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr863125.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr863125.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr863125.exe N/A

RedLine

infostealer redline

RedLine payload


Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr863125.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr863125.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\7f6f6011244070d337f18c8865e2e5fc25049d06c1897fdc39410dc95799b327.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un838803.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un147864.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu860555.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7f6f6011244070d337f18c8865e2e5fc25049d06c1897fdc39410dc95799b327.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un838803.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un147864.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr863125.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr863125.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr863125.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr863125.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu860555.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5004 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\7f6f6011244070d337f18c8865e2e5fc25049d06c1897fdc39410dc95799b327.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un838803.exe
PID 5004 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\7f6f6011244070d337f18c8865e2e5fc25049d06c1897fdc39410dc95799b327.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un838803.exe
PID 5004 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\7f6f6011244070d337f18c8865e2e5fc25049d06c1897fdc39410dc95799b327.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un838803.exe
PID 3004 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un838803.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un147864.exe
PID 3004 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un838803.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un147864.exe
PID 3004 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un838803.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un147864.exe
PID 2740 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un147864.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr863125.exe
PID 2740 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un147864.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr863125.exe
PID 2740 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un147864.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr863125.exe
PID 2740 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un147864.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu860555.exe
PID 2740 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un147864.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu860555.exe
PID 2740 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un147864.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu860555.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7f6f6011244070d337f18c8865e2e5fc25049d06c1897fdc39410dc95799b327.exe

"C:\Users\Admin\AppData\Local\Temp\7f6f6011244070d337f18c8865e2e5fc25049d06c1897fdc39410dc95799b327.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un838803.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un838803.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un147864.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un147864.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr863125.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr863125.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2304 -ip 2304

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu860555.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu860555.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
RU 185.161.248.153:38452 tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 185.161.248.153:38452 tcp
RU 185.161.248.153:38452 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
RU 185.161.248.153:38452 tcp
RU 185.161.248.153:38452 tcp
RU 185.161.248.153:38452 tcp
RU 185.161.248.153:38452 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un838803.exe

MD5 b0d99d9b7affd14772ae17187b083f87
SHA1 1efbc3cd84d1750b5277ee27d0ff09e5b2d1a676
SHA256 fba0e2f0650b317f0c34bb69a77f104a045fefc7d813d1566918ee42ac83cca6
SHA512 20539aa98fea60d12e169803a63c2f40f79bf7ff06edb4e79fb174c7abfa87767300ae5a3fb8982f5c8a07f863ef6187e815b6722d713322f75a8ebfaa50d500

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un147864.exe

MD5 2afd353f1c65f3ef24f9f53ca1c31bd8
SHA1 e71abc0fc3f263edf60170184e67c1c7e9a792d4
SHA256 3b35378c348fd70cae4463a0e86ff98b4201593dcc4e6e517f4e39b991d18413
SHA512 f18ef1da522ac606f57be275b1c48d9dbef72fe9a64eb633967d5ddacabd6c49b6ad5ae9eec08fbd274850f969f39aea196e92d5addcb5542c7a2e358d591abd

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr863125.exe

MD5 e689c35ff590bdc0f623384c59e6ac2d
SHA1 b3153ed1584105b60984616a3ccd81433413b936
SHA256 e4908ec29b1e70e744e6c1bb0f03d4c7e13fdd6f362f76ec511ec560fb1e06ab
SHA512 79bfadfcdf57fb7c639f836172e20aa6e3e788f837868f694243d71dd75dc5429df98a9b515450ffd110122fe45892961be77c399f9a4d15409e7f3a75850a9f

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu860555.exe

MD5 2edd4af48745235506dae16413ba52ab
SHA1 1412594f6a94337a1217a99652d8338e65551ce5
SHA256 830e75db80b45010ee40db46938f64f8fde0105bb44ba8e094c44333674e8207
SHA512 8f53a41572d6b3a2d503f58db127abbae2949ad80983fcc0833f6bb1ddfc9f44d79fdea3e18977014b1e20b685dd30fd495b581d2e56174ae9949cf73563f7bd
