Malware Analysis Report

2025-08-10 14:35

Sample ID 241111-gp4wrsthmq
Target 3cd0a689da12281c3039ae8c47dedbe92d12b41cf39c9c9f4495eae43a7a22df.exe
SHA256 3cd0a689da12281c3039ae8c47dedbe92d12b41cf39c9c9f4495eae43a7a22df
Tags
healer redline boris discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3cd0a689da12281c3039ae8c47dedbe92d12b41cf39c9c9f4495eae43a7a22df

Threat Level: Known bad

The file 3cd0a689da12281c3039ae8c47dedbe92d12b41cf39c9c9f4495eae43a7a22df.exe was found to be: Known bad.

Malicious Activity Summary

healer redline boris discovery dropper evasion infostealer persistence trojan

RedLine payload

Detects Healer an antivirus disabler dropper

Redline family

Healer

Modifies Windows Defender Real-time Protection settings

Healer family

RedLine

Windows security modification

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 05:59

Signatures

Unsigned PE

Description Indicator Process Target
(no indicator details exported for this signature)

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 05:59

Reported

2024-11-11 06:01

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3cd0a689da12281c3039ae8c47dedbe92d12b41cf39c9c9f4495eae43a7a22df.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
(17 matches; indicator details were not exported)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro3073.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro3073.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro3073.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro3073.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro3073.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro3073.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(20 matches; indicator details were not exported)

Redline family

redline

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro3073.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu3688.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro3073.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro3073.exe N/A
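The two Defender tables above (the Real-Time Protection policy values set to 1 and Features\TamperProtection set to 0, all written by pro3073.exe) are the Healer component's whole job. The following is an added detection example, not part of the sandbox report or of any Triage rule: the event lines are constructed to mirror the report's "Set value" indicators (the last two are benign controls that must not fire), and the parser, the rule table and the mapping to ATT&CK T1562.001 (Impair Defenses: Disable or Modify Tools) are mine.

```python
"""Flag registry writes that disable Microsoft Defender protection.

Added example, not part of the sandbox report. SAMPLE_EVENTS is constructed to
mirror the report's 'Set value' indicators; the parser and rule table are mine.
"""
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed events modelled on the report (the last two are benign controls).
SAMPLE_EVENTS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro3073.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro3073.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro3073.exe',
    # Benign: re-enabling real-time monitoring (value 0) and an unrelated RunOnce write.
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0" C:\Windows\System32\gpupdate.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe advpack.dll,DelNodeRunDLL32" C:\Users\Admin\AppData\Local\Temp\sample.exe',
]

# 'Set value (<type>) <key>\<name> = "<value>" <process>'; the key may contain spaces,
# the value name may not contain a backslash, the process path has no spaces here.
EVENT_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.+)\\(?P<name>[^\\]+) = "(?P<value>[^"]*)" (?P<process>\S+)$'
)
# Drop the hive prefix and the WOW6432Node view so 32-bit and 64-bit writers compare equal.
SOFTWARE_PREFIX = re.compile(r'^\\REGISTRY\\MACHINE\\SOFTWARE\\(?:WOW6432Node\\)?', re.IGNORECASE)

# Defender policy values that disable protection when set to 1 (key paths lower-cased).
RTP_KEY = r'policies\microsoft\windows defender\real-time protection'
RTP_DISABLE_VALUES = {
    'disablebehaviormonitoring', 'disableioavprotection', 'disableonaccessprotection',
    'disablerealtimemonitoring', 'disablescanonrealtimeenable',
}
FEATURES_KEY = r'microsoft\windows defender\features'   # TamperProtection = 0 is the tell


class Event(NamedTuple):
    key: str        # normalised key path, lower-case, without hive/WOW6432Node prefix
    name: str       # value name as written
    value: str
    process: str


class Finding(NamedTuple):
    process: str
    name: str
    value: str
    technique: str = 'T1562.001'   # ATT&CK: Impair Defenses: Disable or Modify Tools


def parse_event(line: str) -> Optional[Event]:
    """Parse one 'Set value' line; return None for other event kinds."""
    m = EVENT_RE.match(line)
    if m is None:
        return None
    key = SOFTWARE_PREFIX.sub('', m['key']).lower()
    return Event(key, m['name'], m['value'], m['process'])


def is_defender_tampering(ev: Event) -> bool:
    """True when the write disables a Defender real-time feature or tamper protection."""
    if ev.key == RTP_KEY:
        return ev.name.lower() in RTP_DISABLE_VALUES and ev.value == '1'
    if ev.key == FEATURES_KEY:
        return ev.name.lower() == 'tamperprotection' and ev.value == '0'
    return False


def detect_defender_tampering(lines: List[str]) -> List[Finding]:
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is not None and is_defender_tampering(ev):
            findings.append(Finding(ev.process, ev.name, ev.value))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group the tampered value names by the process that wrote them."""
    by_proc: Dict[str, List[str]] = {}
    for f in findings:
        by_proc.setdefault(f.process, []).append(f.name)
    return {p: sorted(names) for p, names in by_proc.items()}


if __name__ == '__main__':
    for proc, names in summarize(detect_defender_tampering(SAMPLE_EVENTS)).items():
        print(f'{proc}: {", ".join(names)}')
```

The rule keys on the value actually written, not on the key path alone, so a policy refresh that sets DisableRealtimeMonitoring back to 0 stays quiet while a single write of TamperProtection = 0 still fires. On a real host these writes need administrative rights and, with tamper protection enabled, are blocked or ignored by Defender; the sandbox records the attempt, not whether it took effect, so a match is a strong signal about intent rather than proof that protection was off.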

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\3cd0a689da12281c3039ae8c47dedbe92d12b41cf39c9c9f4495eae43a7a22df.exe N/A

Caveat: wextract_cleanup0 under RunOnce is the standard cleanup entry written by the Microsoft IExpress/wextract self-extractor. At the next logon it runs advpack.dll,DelNodeRunDLL32 to delete the IXP000.TMP extraction directory; it does not relaunch either payload. Read it as evidence that the sample is an IExpress package that unpacked pro3073.exe and qu3688.exe, not as attacker persistence, and do not rely on this key alone for the persistence tag.

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro3073.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu3688.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3cd0a689da12281c3039ae8c47dedbe92d12b41cf39c9c9f4495eae43a7a22df.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro3073.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro3073.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro3073.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu3688.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3cd0a689da12281c3039ae8c47dedbe92d12b41cf39c9c9f4495eae43a7a22df.exe

"C:\Users\Admin\AppData\Local\Temp\3cd0a689da12281c3039ae8c47dedbe92d12b41cf39c9c9f4495eae43a7a22df.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro3073.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro3073.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2360 -ip 2360

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 1104

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu3688.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu3688.exe

Reading the process list: the sample is an IExpress/wextract self-extractor (IXP000.TMP extraction directory, wextract_cleanup0 RunOnce entry) that executes the two dropped files. Both WerFault.exe invocations carry -p 2360, and the memory/2360-* dumps in the Files section sit under pro3073.exe, so PID 2360 is pro3073.exe (Healer) and it crashed during the run; that is the "Program crash" entry in the summary. WerFault.exe running from SysWOW64 shows the crashed process is 32-bit. The memory/1088-* dumps place qu3688.exe (RedLine) at PID 1088. The report does not record whether the Defender writes completed before the crash.

Network

Country Destination Domain Proto Rows
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp 1
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp 1
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp 1
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp 1
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp 1
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp 1
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp 1
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp 1
RU 193.233.20.32:4125 (none) tcp 14

The udp rows are reverse (PTR) lookups sent to the sandbox resolver, most likely for the guest's own background connections; nothing in the report attributes them to the sample. The only outbound connection is the TCP session to 193.233.20.32:4125, re-established 14 times within the two-minute run, which is consistent with a RedLine C2 check-in (the report does not tie network rows to a process). Treat that IP:port as the primary network IOC and the dropped-file hashes below as the host IOCs.

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro3073.exe

MD5 031c99873a1eda636d736a7197f50788
SHA1 0f9ed5db08bcb04c1118d26b7657bcdb1a266895
SHA256 68b39dc0d76a3ab0bc442a513e50698ed850288c7bdc5a80b2e23085579f2f53
SHA512 61fc3f52e52d13d1c7ec7ee569d9ab8a35ab363f895729a1768b9fa31170e50d8d58144237ad544d34b104439bb8fa4de6c0b5954eee4aac43d7609b110fbf8a

memory/2360-8-0x0000000002D20000-0x0000000002E20000-memory.dmp

memory/2360-9-0x0000000002B80000-0x0000000002BAD000-memory.dmp

memory/2360-10-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2360-11-0x0000000002F00000-0x0000000002F1A000-memory.dmp

memory/2360-12-0x00000000072A0000-0x0000000007844000-memory.dmp

memory/2360-13-0x0000000004BD0000-0x0000000004BE8000-memory.dmp

memory/2360-14-0x0000000000400000-0x0000000002B7E000-memory.dmp

memory/2360-24-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

memory/2360-40-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

memory/2360-38-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

memory/2360-37-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

memory/2360-34-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

memory/2360-32-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

memory/2360-30-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

memory/2360-29-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

memory/2360-26-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

memory/2360-42-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

memory/2360-22-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

memory/2360-20-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

memory/2360-18-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

memory/2360-16-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

memory/2360-15-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

memory/2360-43-0x0000000002D20000-0x0000000002E20000-memory.dmp

memory/2360-44-0x0000000002B80000-0x0000000002BAD000-memory.dmp

memory/2360-46-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2360-49-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2360-50-0x0000000000400000-0x0000000002B7E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu3688.exe

MD5 039056ffa063b9170f04198c720988db
SHA1 dcd82c9175800997faee05702d26837da2e735e0
SHA256 a4595d1fa311d00de4a86134b05f876289ac2f2a902c670fd0778410b2f831d5
SHA512 52f8af7045f1af5cc0c71d1cfd6fbffa6207dd72c1b07bc42c7e6b618de068765193845d81968aeb3278c0479dd16166d900289d1174d54ea9538ae549f32fbb

memory/1088-55-0x0000000004A20000-0x0000000004A66000-memory.dmp

memory/1088-56-0x00000000077A0000-0x00000000077E4000-memory.dmp

memory/1088-58-0x00000000077A0000-0x00000000077DF000-memory.dmp

memory/1088-70-0x00000000077A0000-0x00000000077DF000-memory.dmp

memory/1088-90-0x00000000077A0000-0x00000000077DF000-memory.dmp

memory/1088-88-0x00000000077A0000-0x00000000077DF000-memory.dmp

memory/1088-86-0x00000000077A0000-0x00000000077DF000-memory.dmp

memory/1088-84-0x00000000077A0000-0x00000000077DF000-memory.dmp

memory/1088-82-0x00000000077A0000-0x00000000077DF000-memory.dmp

memory/1088-80-0x00000000077A0000-0x00000000077DF000-memory.dmp

memory/1088-76-0x00000000077A0000-0x00000000077DF000-memory.dmp

memory/1088-74-0x00000000077A0000-0x00000000077DF000-memory.dmp

memory/1088-73-0x00000000077A0000-0x00000000077DF000-memory.dmp

memory/1088-68-0x00000000077A0000-0x00000000077DF000-memory.dmp

memory/1088-66-0x00000000077A0000-0x00000000077DF000-memory.dmp

memory/1088-64-0x00000000077A0000-0x00000000077DF000-memory.dmp

memory/1088-62-0x00000000077A0000-0x00000000077DF000-memory.dmp

memory/1088-60-0x00000000077A0000-0x00000000077DF000-memory.dmp

memory/1088-78-0x00000000077A0000-0x00000000077DF000-memory.dmp

memory/1088-57-0x00000000077A0000-0x00000000077DF000-memory.dmp

memory/1088-963-0x00000000077E0000-0x0000000007DF8000-memory.dmp

memory/1088-964-0x0000000007E60000-0x0000000007F6A000-memory.dmp

memory/1088-965-0x0000000007FA0000-0x0000000007FB2000-memory.dmp

memory/1088-966-0x0000000008000000-0x000000000803C000-memory.dmp

memory/1088-967-0x0000000008140000-0x000000000818C000-memory.dmp
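The Network and Files sections are what an analyst actually carries out of this report: one C2 endpoint and two dropped-file hash sets, buried in repeated rows and resolver noise. The following is an added example, not part of the sandbox report: it parses row strings copied from the two tables (a subset of the network rows, all of the hash lines for the two dropped files), collapses duplicates, separates the resolver's PTR lookups from sample-attributable traffic, validates digest lengths, and emits a deduplicated IOC set. The sandbox resolver address and the row layout are taken from the report; the classification logic is mine.

```python
"""Turn the report's Network and Files tables into a deduplicated IOC set.

Added example, not part of the sandbox report. The rows below are copied from the
report (a subset of the network rows); parsing and classification are mine.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Subset of the report's Network table (the full table has 14 identical tcp rows).
NETWORK_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
RU 193.233.20.32:4125 tcp
RU 193.233.20.32:4125 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 193.233.20.32:4125 tcp
RU 193.233.20.32:4125 tcp
""".splitlines()

# The two dropped files and their hashes, as listed in the report's Files section.
FILE_ROWS = """\
C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\pro3073.exe
MD5 031c99873a1eda636d736a7197f50788
SHA1 0f9ed5db08bcb04c1118d26b7657bcdb1a266895
SHA256 68b39dc0d76a3ab0bc442a513e50698ed850288c7bdc5a80b2e23085579f2f53
C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\qu3688.exe
MD5 039056ffa063b9170f04198c720988db
SHA1 dcd82c9175800997faee05702d26837da2e735e0
SHA256 a4595d1fa311d00de4a86134b05f876289ac2f2a902c670fd0778410b2f831d5
""".splitlines()

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
SANDBOX_RESOLVER = "8.8.8.8:53"   # the resolver the guest used in this run

NetKey = Tuple[str, str, str, str]   # (country, destination, domain, proto)


def ptr_to_ip(name: str) -> str:
    """Reverse a PTR name d.c.b.a.in-addr.arpa back to the dotted quad a.b.c.d."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        raise ValueError(f"not a reverse-lookup name: {name}")
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        raise ValueError(f"malformed PTR name: {name}")
    return ".".join(reversed(octets))


def parse_network(rows: List[str]) -> "Counter[NetKey]":
    """Count identical rows; a row is 'Country Destination [Domain] Proto'."""
    counts: Counter = Counter()
    for row in rows[1:]:                       # skip the header line
        parts = row.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            raise ValueError(f"unexpected network row: {row!r}")
        counts[(country, dest, domain, proto)] += 1
    return counts


def classify_network(counts: "Counter[NetKey]") -> Tuple[List[str], List[dict]]:
    """Split resolver PTR lookups (noise) from connections attributable to the sample."""
    lookups, candidates = [], []
    for (country, dest, domain, proto), n in counts.items():
        if dest == SANDBOX_RESOLVER and domain.endswith(".in-addr.arpa"):
            lookups.append(ptr_to_ip(domain))
        else:
            candidates.append({"country": country, "destination": dest, "proto": proto, "count": n})
    return lookups, candidates


def parse_file_hashes(rows: List[str]) -> Dict[str, Dict[str, str]]:
    """Map each dropped-file path to its digests, rejecting truncated or mistyped hashes."""
    hashes: Dict[str, Dict[str, str]] = {}
    current = None
    for row in rows:
        m = HASH_RE.match(row)
        if m is None:                          # a path line starts a new file entry
            current = row
            hashes[current] = {}
            continue
        if current is None:
            raise ValueError(f"hash line before any file path: {row!r}")
        algo, digest = m.groups()
        if len(digest) != HASH_LEN[algo]:
            raise ValueError(f"{algo} digest has wrong length in {row!r}")
        hashes[current][algo.lower()] = digest
    return hashes


def build_ioc_set(network_rows: List[str], file_rows: List[str]) -> dict:
    lookups, candidates = classify_network(parse_network(network_rows))
    return {
        "network": sorted(candidates, key=lambda c: c["destination"]),
        "reverse_lookups": sorted(lookups),    # kept for context, not as IOCs
        "files": parse_file_hashes(file_rows),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_ioc_set(NETWORK_ROWS, FILE_ROWS), indent=2))
```

Keeping the reversed PTR addresses in the output, but outside the IOC list, lets a reviewer confirm they are the guest's background traffic rather than silently discarding them; the digest-length check catches the common copy-paste failure of a truncated SHA256 before it reaches a blocklist.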