Malware Analysis Report

2025-08-10 14:35

Sample ID 241111-gpy1hsthml
Target 659ed428114d2a8cf1b492c95a46b371b1531c5acc0257cec4acc0b7aa1a671a
SHA256 659ed428114d2a8cf1b492c95a46b371b1531c5acc0257cec4acc0b7aa1a671a
Tags
healer redline rosn discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

659ed428114d2a8cf1b492c95a46b371b1531c5acc0257cec4acc0b7aa1a671a

Threat Level: Known bad

The file 659ed428114d2a8cf1b492c95a46b371b1531c5acc0257cec4acc0b7aa1a671a was found to be: Known bad.

Malicious Activity Summary

healer redline rosn discovery dropper evasion infostealer persistence trojan

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

Healer family

RedLine

RedLine payload

Redline family

Executes dropped EXE

Windows security modification

Adds Run key to start application

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 05:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 05:59

Reported

2024-11-11 06:02

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\659ed428114d2a8cf1b492c95a46b371b1531c5acc0257cec4acc0b7aa1a671a.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4485.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4485.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4485.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4485.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4485.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4485.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4485.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4485.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\659ed428114d2a8cf1b492c95a46b371b1531c5acc0257cec4acc0b7aa1a671a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un221871.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3412 set thread context of 3988 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4485.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4485.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\659ed428114d2a8cf1b492c95a46b371b1531c5acc0257cec4acc0b7aa1a671a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un221871.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4485.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4485.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4678.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4485.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4485.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4485.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4678.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1292 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\659ed428114d2a8cf1b492c95a46b371b1531c5acc0257cec4acc0b7aa1a671a.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un221871.exe
PID 2044 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un221871.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4485.exe
PID 3412 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4485.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4485.exe
PID 2044 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un221871.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4678.exe

Processes

C:\Users\Admin\AppData\Local\Temp\659ed428114d2a8cf1b492c95a46b371b1531c5acc0257cec4acc0b7aa1a671a.exe

"C:\Users\Admin\AppData\Local\Temp\659ed428114d2a8cf1b492c95a46b371b1531c5acc0257cec4acc0b7aa1a671a.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un221871.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un221871.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4485.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4485.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4485.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4485.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4678.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4678.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 72.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 100.209.201.84.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un221871.exe

MD5 fa595d02a1e12f6f29917f91827478f0
SHA1 2235843fec1799a7274bd8f361cf1fbb300a4307
SHA256 829f24d7351a56ef7eba4bfb13c9ec6fc1775b4ed17ba70422ec0e420dcd5059
SHA512 dc44dcc2a6db23feb6c4bdaf269fd9bf3660277205ac960751237f67fc0122ccec53db3643a90c827ec049c6093390def8f1b2b98977f13de219b60adba6a057

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4485.exe

MD5 f1cedcd8d84a9fb0b2859dbbb92c9f70
SHA1 c31cd91c1fdf62ae91f73c57c6f13ae14cadda93
SHA256 9bf9655346b3984e1f5c859c39776318f43d6d21fc38ffae64c6bc732ccca3ec
SHA512 5926987beb0be1e8e194ff629aa9576c0f971aa8ed41e78dc715c19d9b2c66e742d815ac66a4c3f7db7c325dc047b2b342e690f3da95187380ff0d3df88f1b5a

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4678.exe

MD5 881e2f431c396967071e295bb7e71ddb
SHA1 d1fa9aaf59b94cd5d94e0bf09095534fca820410
SHA256 2ab6793794f87e49409a65fa75ad3d3c935be3223a5c641aff7ef643dfdb650d
SHA512 62eaf38b38516ca818518bea1136b387c643d566b9f60bc1f4a8e1ad6e833be2f91c906b661db6cc1ebf7e371da058208074c2fa3f1c1f410de17d29b528afae