Malware Analysis Report

2025-06-15 23:47

Sample ID 241112-ygmqyszdql
Target 11cf29ce8286401bec5ee58788b3c60cb564da79c3cddd8a7fd66892a815287f
SHA256 11cf29ce8286401bec5ee58788b3c60cb564da79c3cddd8a7fd66892a815287f
Tags
healer redline rosn discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

11cf29ce8286401bec5ee58788b3c60cb564da79c3cddd8a7fd66892a815287f

Threat Level: Known bad

The file 11cf29ce8286401bec5ee58788b3c60cb564da79c3cddd8a7fd66892a815287f was found to be: Known bad.

Malicious Activity Summary

healer redline rosn discovery dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

Healer

Redline family

Healer family

RedLine payload

Detects Healer an antivirus disabler dropper

RedLine

Executes dropped EXE

Windows security modification

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-12 19:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 19:45

Reported

2024-11-12 19:48

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\11cf29ce8286401bec5ee58788b3c60cb564da79c3cddd8a7fd66892a815287f.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr402122.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr402122.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr402122.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr402122.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr402122.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr402122.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr402122.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ku156634.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr402122.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\11cf29ce8286401bec5ee58788b3c60cb564da79c3cddd8a7fd66892a815287f.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\11cf29ce8286401bec5ee58788b3c60cb564da79c3cddd8a7fd66892a815287f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ku156634.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr402122.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr402122.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr402122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ku156634.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\11cf29ce8286401bec5ee58788b3c60cb564da79c3cddd8a7fd66892a815287f.exe

"C:\Users\Admin\AppData\Local\Temp\11cf29ce8286401bec5ee58788b3c60cb564da79c3cddd8a7fd66892a815287f.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr402122.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr402122.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ku156634.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ku156634.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
RU 176.113.115.145:4125 - tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
RU 176.113.115.145:4125 - tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 176.113.115.145:4125 - tcp
RU 176.113.115.145:4125 - tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
RU 176.113.115.145:4125 - tcp
RU 176.113.115.145:4125 - tcp
US 8.8.8.8:53 209.143.182.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr402122.exe

MD5 015db5a7c065f354e78440f12985421a
SHA1 93d5f3e2217c27d2e3692429ed0cee04ccfb7a26
SHA256 044fc7993210b7d55ca3f7a13f7d489ee92c0b152e22ea441469a686f0f75024
SHA512 f89462aff2d677246ff6f54e585c745817401fc83f1d69a04cf5706d243d31759808cb55d8e0adcff39e2bd46909ed80682e535b38db503c8c563cd2bf628074

memory/4752-7-0x00007FFD64603000-0x00007FFD64605000-memory.dmp

memory/4752-8-0x0000000000300000-0x000000000030A000-memory.dmp

memory/4752-9-0x00007FFD64603000-0x00007FFD64605000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ku156634.exe

MD5 1e2caa586c48fcadc74c6e8bdc016777
SHA1 7b7696495a9602623c4b0a6a07b473bb5ba2ac86
SHA256 661cf191ccd3ec28718a11f886e0a67792d8953430e00a0d9fb8fbcdccb12396
SHA512 678d02ec4b1f294163e78b217d3d204cf72b9a0f9329d47eaa3d891f324551ac689a9d340ea0c0e2bd1bf98f91311807990b3c310cec5b1f4673b259f696cb72

memory/1284-15-0x0000000002F10000-0x0000000003010000-memory.dmp

memory/1284-16-0x0000000002CE0000-0x0000000002D2B000-memory.dmp

memory/1284-17-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1284-18-0x0000000004DD0000-0x0000000004E16000-memory.dmp

memory/1284-19-0x0000000007320000-0x00000000078C4000-memory.dmp

memory/1284-20-0x0000000004ED0000-0x0000000004F14000-memory.dmp

memory/1284-21-0x0000000004ED0000-0x0000000004F0F000-memory.dmp

memory/1284-38-0x0000000004ED0000-0x0000000004F0F000-memory.dmp

memory/1284-84-0x0000000004ED0000-0x0000000004F0F000-memory.dmp

memory/1284-82-0x0000000004ED0000-0x0000000004F0F000-memory.dmp

memory/1284-80-0x0000000004ED0000-0x0000000004F0F000-memory.dmp

memory/1284-78-0x0000000004ED0000-0x0000000004F0F000-memory.dmp

memory/1284-76-0x0000000004ED0000-0x0000000004F0F000-memory.dmp

memory/1284-74-0x0000000004ED0000-0x0000000004F0F000-memory.dmp

memory/1284-72-0x0000000004ED0000-0x0000000004F0F000-memory.dmp

memory/1284-70-0x0000000004ED0000-0x0000000004F0F000-memory.dmp

memory/1284-68-0x0000000004ED0000-0x0000000004F0F000-memory.dmp

memory/1284-66-0x0000000004ED0000-0x0000000004F0F000-memory.dmp

memory/1284-64-0x0000000004ED0000-0x0000000004F0F000-memory.dmp

memory/1284-62-0x0000000004ED0000-0x0000000004F0F000-memory.dmp

memory/1284-61-0x0000000004ED0000-0x0000000004F0F000-memory.dmp

memory/1284-58-0x0000000004ED0000-0x0000000004F0F000-memory.dmp

memory/1284-56-0x0000000004ED0000-0x0000000004F0F000-memory.dmp

memory/1284-54-0x0000000004ED0000-0x0000000004F0F000-memory.dmp

memory/1284-52-0x0000000004ED0000-0x0000000004F0F000-memory.dmp

memory/1284-50-0x0000000004ED0000-0x0000000004F0F000-memory.dmp

memory/1284-48-0x0000000004ED0000-0x0000000004F0F000-memory.dmp

memory/1284-46-0x0000000004ED0000-0x0000000004F0F000-memory.dmp

memory/1284-44-0x0000000004ED0000-0x0000000004F0F000-memory.dmp

memory/1284-42-0x0000000004ED0000-0x0000000004F0F000-memory.dmp

memory/1284-40-0x0000000004ED0000-0x0000000004F0F000-memory.dmp

memory/1284-36-0x0000000004ED0000-0x0000000004F0F000-memory.dmp

memory/1284-34-0x0000000004ED0000-0x0000000004F0F000-memory.dmp

memory/1284-32-0x0000000004ED0000-0x0000000004F0F000-memory.dmp

memory/1284-30-0x0000000004ED0000-0x0000000004F0F000-memory.dmp

memory/1284-28-0x0000000004ED0000-0x0000000004F0F000-memory.dmp

memory/1284-26-0x0000000004ED0000-0x0000000004F0F000-memory.dmp

memory/1284-24-0x0000000004ED0000-0x0000000004F0F000-memory.dmp

memory/1284-22-0x0000000004ED0000-0x0000000004F0F000-memory.dmp

memory/1284-927-0x00000000078D0000-0x0000000007EE8000-memory.dmp

memory/1284-928-0x0000000007EF0000-0x0000000007FFA000-memory.dmp

memory/1284-929-0x0000000004F70000-0x0000000004F82000-memory.dmp

memory/1284-930-0x0000000004F90000-0x0000000004FCC000-memory.dmp

memory/1284-931-0x0000000008110000-0x000000000815C000-memory.dmp

memory/1284-932-0x0000000002F10000-0x0000000003010000-memory.dmp

memory/1284-933-0x0000000002CE0000-0x0000000002D2B000-memory.dmp

memory/1284-935-0x0000000000400000-0x000000000044E000-memory.dmp