Malware Analysis Report

2025-08-06 01:52

Sample ID 241111-hkwv2aykhq
Target 3ed432e444f1ffc3dd622c9967602ad55651995e12db2ff630bc0d7b9662b874
SHA256 3ed432e444f1ffc3dd622c9967602ad55651995e12db2ff630bc0d7b9662b874
Tags
healer redline rosn discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3ed432e444f1ffc3dd622c9967602ad55651995e12db2ff630bc0d7b9662b874

Threat Level: Known bad

The file 3ed432e444f1ffc3dd622c9967602ad55651995e12db2ff630bc0d7b9662b874 was found to be: Known bad.

Malicious Activity Summary

healer redline rosn discovery dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

Detects Healer an antivirus disabler dropper

RedLine payload

RedLine

Healer family

Redline family

Healer

Windows security modification

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 06:48

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 06:48

Reported

2024-11-11 06:50

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3ed432e444f1ffc3dd622c9967602ad55651995e12db2ff630bc0d7b9662b874.exe"

Signatures

Detects Healer an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7513.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7513.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7513.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7513.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7513.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7513.exe N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7513.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7513.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un166845.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\3ed432e444f1ffc3dd622c9967602ad55651995e12db2ff630bc0d7b9662b874.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3ed432e444f1ffc3dd622c9967602ad55651995e12db2ff630bc0d7b9662b874.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un166845.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7513.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8817.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7513.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7513.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7513.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8817.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1588 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\3ed432e444f1ffc3dd622c9967602ad55651995e12db2ff630bc0d7b9662b874.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un166845.exe
PID 1588 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\3ed432e444f1ffc3dd622c9967602ad55651995e12db2ff630bc0d7b9662b874.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un166845.exe
PID 1588 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\3ed432e444f1ffc3dd622c9967602ad55651995e12db2ff630bc0d7b9662b874.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un166845.exe
PID 4852 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un166845.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7513.exe
PID 4852 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un166845.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7513.exe
PID 4852 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un166845.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7513.exe
PID 4852 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un166845.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8817.exe
PID 4852 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un166845.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8817.exe
PID 4852 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un166845.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8817.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3ed432e444f1ffc3dd622c9967602ad55651995e12db2ff630bc0d7b9662b874.exe

"C:\Users\Admin\AppData\Local\Temp\3ed432e444f1ffc3dd622c9967602ad55651995e12db2ff630bc0d7b9662b874.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un166845.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un166845.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7513.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7513.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3988 -ip 3988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8817.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8817.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un166845.exe

MD5 ff82513d4ab62580ba819cfd17d4d03b
SHA1 70b750f8fd5a4c874f45c0c7ea1ba4e285237973
SHA256 9dd9bf0345e46b13b0d67ff0b29bc31015fda6d30685afdee6e400cbd6a6efc6
SHA512 6851c870be753e60111620617565bf7160eff5b5b295b945f0a2a697e97babd8269f69758d7469aedda0b37e0e0363592879e022986f07f5f1c7d985b8f80343

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7513.exe

MD5 34cd1b5b9913a60bd4cf52d251f34cad
SHA1 8f3a4d03e205e37b508e3814aa108cd055265757
SHA256 0765baeb28ff84e372d5ebc6df2e0ee31378f76546b040b531bdf48a4d615938
SHA512 9eb686159554970c6913b9f92887914be1067b07f9cf68b9025e65de6aeb10a42e09ae1d0fabd3fc9f2dc8c2756619becf50492e1897f41baa8c8f74b2039909

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8817.exe

MD5 186c74475e74be37fa4a0270b661dc1e
SHA1 9cae0e0f14039347e1fb7ffc260453c68ff9d1bb
SHA256 0166fec5b379d176639b1e3ecfb6881b1f143580c3cd6c09ff45e0c9d983ae04
SHA512 f65b920186b7b6475125314430c6cb72741ff43f2a30f4aeb60c0045646b51179c76725bec5cddc68cda4f9139c17ea96bfff45e94265452aaddbfff594f3869
