Malware Analysis Report

2025-01-23 07:39

Sample ID: 241104-q9el2szmh1
Target: b4864a53603aeb680aff9146fbf0bbe7f59dd0ca913a8ec0f9a55bdb94509c1b
SHA256: b4864a53603aeb680aff9146fbf0bbe7f59dd0ca913a8ec0f9a55bdb94509c1b
Tags: healer redline mazda discovery dropper evasion infostealer persistence trojan
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file b4864a53603aeb680aff9146fbf0bbe7f59dd0ca913a8ec0f9a55bdb94509c1b was found to be: Known bad.

Malicious Activity Summary

Healer

RedLine payload

Detects Healer an antivirus disabler dropper

Healer family

Modifies Windows Defender Real-time Protection settings

RedLine

Redline family

Executes dropped EXE

Windows security modification

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 13:57

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 13:57

Reported

2024-11-04 14:00

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b4864a53603aeb680aff9146fbf0bbe7f59dd0ca913a8ec0f9a55bdb94509c1b.exe"

Signatures

Detects Healer an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8756253.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8756253.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8756253.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8756253.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8756253.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8756253.exe N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Windows security modification

evasion trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8756253.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8756253.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\b4864a53603aeb680aff9146fbf0bbe7f59dd0ca913a8ec0f9a55bdb94509c1b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3900672.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3569271.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3574120.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8381177.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b4864a53603aeb680aff9146fbf0bbe7f59dd0ca913a8ec0f9a55bdb94509c1b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3900672.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3569271.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3574120.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8381177.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8756253.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5367079.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8756253.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8756253.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8756253.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4528 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\b4864a53603aeb680aff9146fbf0bbe7f59dd0ca913a8ec0f9a55bdb94509c1b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3900672.exe
PID 4528 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\b4864a53603aeb680aff9146fbf0bbe7f59dd0ca913a8ec0f9a55bdb94509c1b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3900672.exe
PID 4528 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\b4864a53603aeb680aff9146fbf0bbe7f59dd0ca913a8ec0f9a55bdb94509c1b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3900672.exe
PID 4636 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3900672.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3569271.exe
PID 4636 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3900672.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3569271.exe
PID 4636 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3900672.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3569271.exe
PID 1552 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3569271.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3574120.exe
PID 1552 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3569271.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3574120.exe
PID 1552 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3569271.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3574120.exe
PID 2672 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3574120.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8381177.exe
PID 2672 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3574120.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8381177.exe
PID 2672 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3574120.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8381177.exe
PID 2040 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8381177.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8756253.exe
PID 2040 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8381177.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8756253.exe
PID 2040 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8381177.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8756253.exe
PID 2040 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8381177.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5367079.exe
PID 2040 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8381177.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5367079.exe
PID 2040 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8381177.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5367079.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b4864a53603aeb680aff9146fbf0bbe7f59dd0ca913a8ec0f9a55bdb94509c1b.exe

"C:\Users\Admin\AppData\Local\Temp\b4864a53603aeb680aff9146fbf0bbe7f59dd0ca913a8ec0f9a55bdb94509c1b.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3900672.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3900672.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3569271.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3569271.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3574120.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3574120.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8381177.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8381177.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8756253.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8756253.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2020 -ip 2020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 1092

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5367079.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5367079.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
CY 217.196.96.56:4138 tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
CY 217.196.96.56:4138 tcp
CY 217.196.96.56:4138 tcp
CY 217.196.96.56:4138 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
CY 217.196.96.56:4138 tcp
CY 217.196.96.56:4138 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3900672.exe

MD5 b081f544c9e17030ff333fc8e8d3736d
SHA1 08b917bf3e058ae5a0460e89a8dfc5236d524512
SHA256 af3a30f681534110456b8dc0728c70c8ddd36e71a161402a41d7a5f0a4615c02
SHA512 ca270df6b170819d6a60aa2a9c31facb3b52b6482d00eec804296f938d692caef93ee9d152beed946c1f377a1b3857c7350946fa0b9c1b34ccb1f608c222e5f9

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3569271.exe

MD5 428d29fadb13f021df46bf96f97a2754
SHA1 448eb79b0d06b36a7c6ef672b62af3800fc34c9a
SHA256 19fdff5fa0020db4b841dd23e0be37055979607d77f797304e06e1adb90b0cac
SHA512 75a668cc91c1fd1a5df37d57d1314b7c710df84e1d2df39461af46cfd5ef55d1d601263188a5f3c0c35e4cccf9ec88dd42a2dab32e40fb8c311619558a06235e

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3574120.exe

MD5 00de60d4a49bb44dea9c7dd0debb5e2f
SHA1 48870a2d72f81dda4ab99a0e5cb6b552a14686a9
SHA256 96bd46766601793b6b5dfc74fb5d4e3b2df0c19b89fc30989b05135f394e3b56
SHA512 ea0fddc91198ba9aafad5f9c15db307b4a7649e2362acb4d5c004ba82b60c06acf73a8db06bef5d163571fa8bdec3bae1dfd5ae238822f70d797d0142489e153

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8381177.exe

MD5 1bd69b4ba145898480aaeee8617b9fde
SHA1 f7ab62ced3f615cdba48b42f55331e876d5d6361
SHA256 a4f3a29f2624ca2abf419484cc695d83df3838c2e8061aacab90b5a110e27e0b
SHA512 5e07bcae35de1bdb3825e9d28218ccf1ddd2d50014f388125fb0dc719aca7c1ef830d29bc770ead5d9d359d154e5c442ebc56ffff620659912905d19daa972a5

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8756253.exe

MD5 16ee1204825723b06bf92eaca8080da9
SHA1 ad2589153e1999f62318ad35a4edc649728490e0
SHA256 ba2baac21ed3ffedd46215e26a8ca0a5b62676123519c5f5820b7319261e9ab1
SHA512 67bb784e7596927472203f9183d0ac9e6f7cfcf10e5059151fd7987f59229180d63f54d49cf3377eb0eeec97cab8c707678442bf4256b398edb68a409d0aad26

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5367079.exe

MD5 b5784f01167cf5707b0828d509ab8c73
SHA1 dd3e4a274d0a20c2c2ca948bb0af0b07198c3080
SHA256 ac6942c0828fea94f6aa2743d853940b8df92d4b0d95153a508f7e7acc5c2f23
SHA512 8290b0de1d6d22830424c8ac7f27f24941387db9b0b02aa828dd80df48a78b1d09bc2d009d74d114090b1e72320686dd78323d3e12206ed13692563dc5d9a5b0