Malware Analysis Report

2025-04-13 23:55

Sample ID 241104-znqxmawngs
Target cbc04478a960d27775de34f514711320184b4c3debdd89323b807dcb6a1ad8e2
SHA256 cbc04478a960d27775de34f514711320184b4c3debdd89323b807dcb6a1ad8e2
Tags
healer redline mazda discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cbc04478a960d27775de34f514711320184b4c3debdd89323b807dcb6a1ad8e2

Threat Level: Known bad

The file cbc04478a960d27775de34f514711320184b4c3debdd89323b807dcb6a1ad8e2 was found to be: Known bad.

Malicious Activity Summary

healer redline mazda discovery dropper evasion infostealer persistence trojan

RedLine

Redline family

Healer family

Modifies Windows Defender Real-time Protection settings

RedLine payload

Healer

Detects Healer an antivirus disabler dropper

Windows security modification

Executes dropped EXE

Adds Run key to start application

Launches sc.exe

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 20:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 20:52

Reported

2024-11-04 20:54

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cbc04478a960d27775de34f514711320184b4c3debdd89323b807dcb6a1ad8e2.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A (17 matches, none with a description, indicator, process or target recorded)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2053324.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2053324.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2053324.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2053324.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2053324.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2053324.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A (2 matches, no details recorded)

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2053324.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2053324.exe N/A
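
The two tables above record a2053324.exe writing the five Real-Time Protection policy values and TamperProtection=0. Two things a practitioner should notice before treating the host as "Defender off": every write landed under WOW6432Node, i.e. in the 32-bit registry view (the process is 32-bit, as the SysWOW64 WerFault.exe for PID 4688 below also shows), and the sandbox logs the write it observed, not whether Defender honoured it; on a host with Tamper Protection enabled these writes are expected to be rejected or ignored. The script below is an added example by the editor, not sandbox output and not code recovered from the sample. It parses rows in exactly the shape the tables use, maps each value name to the protection it switches off (the descriptions are the editor's annotations), flags the 32-bit view, and emits a reg.exe command that removes the value. SAMPLE_ROWS reproduce the report's own rows.

```python
"""Flag Windows Defender tampering in sandbox registry events.

Editor-added example for this report; it is not sandbox output and not code
recovered from the sample. It parses the "Set value" rows quoted in the two
tables above, maps each value name to the protection it switches off, and
emits the reg.exe command that removes the value. SAMPLE_ROWS reproduce the
report's rows; the RTP_POLICY descriptions and the WOW6432Node note are the
editor's annotations, not something the sandbox asserts.
"""
import re
from collections import defaultdict

# Values under ...\Policies\Microsoft\Windows Defender\Real-Time Protection.
# A non-zero DWORD disables the named protection (editor's annotation).
RTP_POLICY = {
    "DisableRealtimeMonitoring": "real-time protection",
    "DisableBehaviorMonitoring": "behaviour monitoring",
    "DisableOnAccessProtection": "on-access file scanning",
    "DisableIOAVProtection": "scanning of downloaded files and attachments",
    "DisableScanOnRealtimeEnable": "catch-up scan when real-time protection is re-enabled",
}

# Row shape: Set value (<type>) <key>\<name> = "<value>" <process> <target>
SET_ROW = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.+) = "(?P<value>.*)" (?P<process>\S+) (?P<target>\S+)$'
)

# Rows reproduced from the report (process a2053324.exe, analysis behavioral1).
P = r"C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2053324.exe"
RTP = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEAT = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features"
SAMPLE_ROWS = [
    f"Key created {RTP} {P} N/A",
    f'Set value (int) {RTP}\\DisableBehaviorMonitoring = "1" {P} N/A',
    f'Set value (int) {RTP}\\DisableIOAVProtection = "1" {P} N/A',
    f'Set value (int) {RTP}\\DisableOnAccessProtection = "1" {P} N/A',
    f'Set value (int) {RTP}\\DisableRealtimeMonitoring = "1" {P} N/A',
    f'Set value (int) {RTP}\\DisableScanOnRealtimeEnable = "1" {P} N/A',
    f"Key created {FEAT} {P} N/A",
    f'Set value (int) {FEAT}\\TamperProtection = "0" {P} N/A',
]


def parse_set_value(row):
    """Return (key, name, value, process) for a 'Set value' row, else None."""
    m = SET_ROW.match(row)
    if not m:
        return None
    key, _, name = m["key"].rpartition("\\")
    return key, name, m["value"], m["process"]


def hklm_path(nt_key):
    """Translate the NT object path the sandbox logs into reg.exe notation."""
    prefix = "\\REGISTRY\\MACHINE\\"
    return "HKLM\\" + nt_key[len(prefix):] if nt_key.startswith(prefix) else nt_key


def defender_findings(rows):
    """Group Defender-disabling writes by the process that made them."""
    findings = defaultdict(list)
    for row in rows:
        parsed = parse_set_value(row)
        if parsed is None:
            continue
        key, name, value, process = parsed
        lowered = key.lower()
        if lowered.endswith("\\windows defender\\real-time protection") and name in RTP_POLICY and value != "0":
            effect = "disables " + RTP_POLICY[name]
        elif lowered.endswith("\\windows defender\\features") and name == "TamperProtection" and value == "0":
            effect = "attempts to switch off Tamper Protection"
        else:
            continue
        findings[process].append({
            "key": hklm_path(key),
            "name": name,
            "value": value,
            "effect": effect,
            # A write logged under WOW6432Node came from a 32-bit process via
            # registry redirection. Confirm on the host whether the native
            # 64-bit view changed before concluding that Defender is off.
            "wow64_view": "\\wow6432node\\" in lowered,
        })
    return dict(findings)


def reg_delete_command(finding):
    """reg.exe command that removes one offending value."""
    return 'reg delete "{key}" /v {name} /f'.format(**finding)


if __name__ == "__main__":
    for process, hits in defender_findings(SAMPLE_ROWS).items():
        print(process)
        for hit in hits:
            view = " (32-bit view)" if hit["wow64_view"] else ""
            print(f"  {hit['name']} = {hit['value']}: {hit['effect']}{view}")
            print("  " + reg_delete_command(hit))
```

Run as-is it prints the six findings for a2053324.exe, each marked as a 32-bit-view write, followed by the matching reg delete line. The same parser works on any row copied from a report in this format, so it can be pointed at a whole signature section rather than the eight rows embedded here.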

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1852748.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8449676.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\cbc04478a960d27775de34f514711320184b4c3debdd89323b807dcb6a1ad8e2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7996420.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1920891.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1852748.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8449676.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2053324.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5632318.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cbc04478a960d27775de34f514711320184b4c3debdd89323b807dcb6a1ad8e2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7996420.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1920891.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2053324.exe N/A (2 events)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2053324.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5020 wrote to memory of 3812 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\cbc04478a960d27775de34f514711320184b4c3debdd89323b807dcb6a1ad8e2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7996420.exe
PID 3812 wrote to memory of 116 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7996420.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1920891.exe
PID 116 wrote to memory of 1248 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1920891.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1852748.exe
PID 1248 wrote to memory of 4884 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1852748.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8449676.exe
PID 4884 wrote to memory of 4688 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8449676.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2053324.exe
PID 4884 wrote to memory of 4088 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8449676.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5632318.exe
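
Read together, the "Adds Run key to start application" and "Suspicious use of WriteProcessMemory" tables describe one nested self-extractor chain rather than five independent droppers: each stage unpacks the next into the following IXP00N.TMP directory, and the wextract_cleanupN RunOnce values (rundll32 advpack.dll,DelNodeRunDLL32 "<dir>") are the standard hook a WExtract self-extracting executable writes so that its own extraction directory is deleted at the next logon. Those values delete a folder; they do not relaunch anything, so the "persistence" tag the sandbox attaches to them is weaker than the label suggests. The WriteProcessMemory rows give the same chain by PID, and the fork at PID 4884 into a2053324.exe (the Defender disabler, which later crashes under WerFault) and b5632318.exe (the remaining payload) is where the interesting part of the analysis begins. The script below is an added example by the editor, not sandbox output and not code from the sample: it collapses the repeated rows into unique writer/written edges, builds the process tree, reads the stage number from the IXP00N.TMP path, and lists the leaf processes. SAMPLE_ROWS reproduce the table's rows in the sandbox's raw form, in which every write is logged three times.

```python
"""Rebuild the dropper chain from 'Suspicious use of WriteProcessMemory' rows.

Editor-added example for this report; not sandbox output and not code from the
sample. Each row names the writing PID, the written PID and both image paths.
Rows are collapsed into unique parent/child edges (keeping the event count), a
tree is built from them, and each stage is read off the IXP00N.TMP directory
the image lives in. SAMPLE_ROWS reproduce the table above, including the
three-fold repetition of every write.
"""
import re

WRITE_ROW = re.compile(
    r"^PID (?P<writer>\d+) wrote to memory of (?P<written>\d+) N/A (?P<writer_image>\S+) (?P<written_image>\S+)$"
)
STAGE_DIR = re.compile(r"\\IXP(?P<n>\d{3})\.TMP\\", re.IGNORECASE)

T = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "cbc04478a960d27775de34f514711320184b4c3debdd89323b807dcb6a1ad8e2.exe"


def _row(writer, written, writer_image, written_image):
    return f"PID {writer} wrote to memory of {written} N/A {T}\\{writer_image} {T}\\{written_image}"


SAMPLE_ROWS = (
    [_row(5020, 3812, SAMPLE, r"IXP000.TMP\v7996420.exe")] * 3
    + [_row(3812, 116, r"IXP000.TMP\v7996420.exe", r"IXP001.TMP\v1920891.exe")] * 3
    + [_row(116, 1248, r"IXP001.TMP\v1920891.exe", r"IXP002.TMP\v1852748.exe")] * 3
    + [_row(1248, 4884, r"IXP002.TMP\v1852748.exe", r"IXP003.TMP\v8449676.exe")] * 3
    + [_row(4884, 4688, r"IXP003.TMP\v8449676.exe", r"IXP004.TMP\a2053324.exe")] * 3
    + [_row(4884, 4088, r"IXP003.TMP\v8449676.exe", r"IXP004.TMP\b5632318.exe")] * 3
)


def parse_writes(rows):
    """Collapse repeated rows into edges keyed by (writer_pid, written_pid)."""
    edges = {}
    for line in rows:
        m = WRITE_ROW.match(line)
        if not m:
            continue
        key = (int(m["writer"]), int(m["written"]))
        edge = edges.setdefault(key, {
            "writer_image": m["writer_image"],
            "written_image": m["written_image"],
            "events": 0,
        })
        edge["events"] += 1
    return edges


def stage_of(image_path):
    """Extraction stage from the IXP00N.TMP directory; the submitted sample is -1."""
    m = STAGE_DIR.search(image_path)
    return int(m["n"]) if m else -1


def build_tree(edges):
    """Return (root_pid, children, images); children maps a PID to the PIDs it wrote into."""
    children, images = {}, {}
    for (writer, written), edge in edges.items():
        children.setdefault(writer, []).append(written)
        images[writer] = edge["writer_image"]
        images[written] = edge["written_image"]
    written_pids = {written for _, written in edges}
    roots = [pid for pid in children if pid not in written_pids]
    if len(roots) != 1:
        raise ValueError(f"expected one root process, found {roots}")
    return roots[0], children, images


def leaf_pids(edges):
    """PIDs that never wrote into another process: the final-stage payloads."""
    _, children, _ = build_tree(edges)
    return {written for _, written in edges if written not in children}


def render_chain(edges):
    """One indented line per PID: pid, extraction stage and image file name."""
    root, children, images = build_tree(edges)
    lines = []

    def walk(pid, depth):
        image = images[pid]
        name = image.rsplit("\\", 1)[-1]
        lines.append(f"{'  ' * depth}{pid}  stage {stage_of(image):>2}  {name}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_chain(parse_writes(SAMPLE_ROWS))))
```

The rendered chain has seven lines, 5020 at the top and the two stage-4 processes 4688 and 4088 at depth five; leaf_pids() returns exactly those two, which is the set of processes worth pulling memory dumps for (and indeed the only PIDs with memory.dmp entries under Files below).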

Processes

C:\Users\Admin\AppData\Local\Temp\cbc04478a960d27775de34f514711320184b4c3debdd89323b807dcb6a1ad8e2.exe

"C:\Users\Admin\AppData\Local\Temp\cbc04478a960d27775de34f514711320184b4c3debdd89323b807dcb6a1ad8e2.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7996420.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7996420.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1920891.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1920891.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1852748.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1852748.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8449676.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8449676.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2053324.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2053324.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4688 -ip 4688

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5632318.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5632318.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 101.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
CY 217.196.96.56:4138 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
CY 217.196.96.56:4138 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 110.11.19.2.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 92.160.77.104.in-addr.arpa udp
CY 217.196.96.56:4138 tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
CY 217.196.96.56:4138 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
CY 217.196.96.56:4138 tcp
CY 217.196.96.56:4138 tcp
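
Most of the Network table is the analysis VM talking to itself and to Microsoft: sixteen reverse-DNS (in-addr.arpa) queries and Bing lookups and connections that a stock Windows 10 image makes without any malware present. What remains is six TCP connections to 217.196.96.56:4138 (CY) with no DNS resolution in front of them, which is the endpoint to carry forward as a candidate command-and-control indicator given the infostealer tags on this sample. The script below is an added example by the editor, not sandbox output and not code from the sample; treating reverse lookups and the Bing domains as background noise is the editor's assumption. SAMPLE_ROWS reproduce the table above.

```python
"""Split the Network table into sandbox background traffic and candidate C2.

Editor-added example; not sandbox output and not code from the sample. Rows are
the 'Country Destination Domain Proto' lines above (the Domain column is empty
for the 217.196.96.56 rows, so a row has three or four fields). Treating
reverse-DNS lookups and Bing traffic as the Windows 10 image's own background
activity is the editor's assumption; the remaining endpoint is reported as a
candidate, not a confirmed, command-and-control address.
"""
from collections import Counter, defaultdict

# Domains a stock Windows 10 sandbox image contacts on its own (editor's allowlist).
BACKGROUND_SUFFIXES = (".bing.com", ".bing.net")

# Rows reproduced from the report's Network table.
SAMPLE_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 101.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
CY 217.196.96.56:4138 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
CY 217.196.96.56:4138 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 110.11.19.2.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 92.160.77.104.in-addr.arpa udp
CY 217.196.96.56:4138 tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
CY 217.196.96.56:4138 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
CY 217.196.96.56:4138 tcp
CY 217.196.96.56:4138 tcp
""".splitlines()


def parse_row(line):
    """Country, destination host/port, optional domain and protocol; None if malformed."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = ""
    else:
        return None
    host, _, port = dest.rpartition(":")
    return {"country": country, "host": host, "port": int(port), "domain": domain, "proto": proto}


def classify(row):
    """One of: reverse-dns, background, dns, candidate-c2."""
    if row["domain"].endswith(".in-addr.arpa"):
        return "reverse-dns"
    if row["domain"].endswith(BACKGROUND_SUFFIXES):
        return "background"
    if row["port"] == 53 and row["proto"] == "udp":
        return "dns"
    return "candidate-c2"


def triage_network(lines):
    """Per class, how often each domain (or bare host:port) was contacted."""
    buckets = defaultdict(Counter)
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        label = row["domain"] or f"{row['host']}:{row['port']}"
        buckets[classify(row)][label] += 1
    return {kind: dict(counter) for kind, counter in buckets.items()}


def candidate_endpoints(lines):
    """IOC list for the candidate-c2 class, busiest endpoint first."""
    seen = {}
    for line in lines:
        row = parse_row(line)
        if row is None or classify(row) != "candidate-c2":
            continue
        key = (row["host"], row["port"], row["proto"])
        entry = seen.setdefault(key, {"host": row["host"], "port": row["port"], "proto": row["proto"],
                                      "country": row["country"], "connections": 0})
        entry["connections"] += 1
    return sorted(seen.values(), key=lambda e: -e["connections"])


if __name__ == "__main__":
    for kind, labels in triage_network(SAMPLE_ROWS).items():
        print(kind, labels)
    print(candidate_endpoints(SAMPLE_ROWS))
```

On these rows the candidate list holds a single entry, 217.196.96.56 port 4138/tcp, six connections, which is what should go into a blocklist or a detection for this sample; the remaining 24 rows fall into the reverse-dns and background buckets. Extend BACKGROUND_SUFFIXES to match whatever baseline your own sandbox image produces before relying on the candidate bucket.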

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7996420.exe

MD5 afd471a223b1be6a4f63a346366b6fef
SHA1 def8e2018175b50a2951161b903b39e81740eb3a
SHA256 a96f7ff06303060c18eaf292009eab4eb6267dddd526c658fe1978995d1802ac
SHA512 913f7ace08b6377c3d2e12e28e809bb606a075f609b3873a6dad2158141ed6c9ebaf22116e3912c08a7a87ea8fa52f31c7a648e42482e464161b98cdce51e475

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1920891.exe

MD5 92567c9c6dd81a243337ffc0a9ffbb03
SHA1 2412281d831b604e1ef69af345d7209e58a4973c
SHA256 705b88d852aae8e0ae8d25bf05f8c7bdff32ddc3e4b6ca08bea75bdf10d76650
SHA512 9e02666362e1ccbcb4888eb5fe88a2a4197b573cdb86894381bdb9eeab978eede5ad6da269e46ae1588f300f40e90579d2dbc3934730cfc1e5cf43aada301a9f

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1852748.exe

MD5 abbfac920ff5dbf10cb0e31f89cc4e3a
SHA1 8f40935bd5b61e16e0d98230d52ac283513bcb97
SHA256 3647d552a5d67bb59020ebea4cb90ba154366535c65d7b4933daa07bfd55e9f1
SHA512 c0f4ebb1d211f8e5ca511b8363051efb58349f7c74f8af54b3d8d57c901dcfc2dcef3f6c9d45eb6bbffcac91730cfa5255d35f9aee2ebf0edebf9b7c93619695

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8449676.exe

MD5 ba0bbe1fdfc2d8cd8b28b24e7534f1dd
SHA1 c6b69d26401a222ae6dc90feb18d007af63b3cdf
SHA256 e989b4d959cd759ac56db8b61c9eae32bf5ceb606c557b5d97c97eeace2456ff
SHA512 dacb520864b44e24b35e82e81cf87165a5efb38c5ffdfaee53fd6b29821bfb62b396dd5bdecc0d09af6661c8f570adbb78c8b58ddd93ffd150d49f84ea3ad509

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2053324.exe

MD5 89159e7e722c0bd8698dd5247e2c45b5
SHA1 84404e8836c0bbac5dcecf5a26ed6198c0c35b5b
SHA256 6cc811b9a271fc60ef69be0c2b23500e9a3c735d02836417173204416fe26a5e
SHA512 a5291bb0e033b2ad8df73b8242d16cf2cd71c15af1154f0830793f925475ca9731b2dec8455696ce19f3853623790b2ba1f3b2ee8ff73787d12bbcb3f5fb03bd

memory/4688-36-0x00000000025E0000-0x00000000025FA000-memory.dmp

memory/4688-37-0x0000000004EF0000-0x0000000005494000-memory.dmp

memory/4688-38-0x0000000002840000-0x0000000002858000-memory.dmp

memory/4688-39-0x0000000002840000-0x0000000002852000-memory.dmp

memory/4688-48-0x0000000002840000-0x0000000002852000-memory.dmp

memory/4688-66-0x0000000002840000-0x0000000002852000-memory.dmp

memory/4688-65-0x0000000002840000-0x0000000002852000-memory.dmp

memory/4688-62-0x0000000002840000-0x0000000002852000-memory.dmp

memory/4688-61-0x0000000002840000-0x0000000002852000-memory.dmp

memory/4688-58-0x0000000002840000-0x0000000002852000-memory.dmp

memory/4688-56-0x0000000002840000-0x0000000002852000-memory.dmp

memory/4688-54-0x0000000002840000-0x0000000002852000-memory.dmp

memory/4688-52-0x0000000002840000-0x0000000002852000-memory.dmp

memory/4688-50-0x0000000002840000-0x0000000002852000-memory.dmp

memory/4688-46-0x0000000002840000-0x0000000002852000-memory.dmp

memory/4688-44-0x0000000002840000-0x0000000002852000-memory.dmp

memory/4688-42-0x0000000002840000-0x0000000002852000-memory.dmp

memory/4688-40-0x0000000002840000-0x0000000002852000-memory.dmp

memory/4688-67-0x0000000000400000-0x00000000006F4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5632318.exe

MD5 f26f7b379e9387116773223a40595ffa
SHA1 521c6c00df3625cfdf1f4a1bd6441f47ffba5cf4
SHA256 86670decab8f619fb3f382f88fbb18f02755d1f529126aa92e23fd8637804254
SHA512 0c250b40be0ac938e55b3f8208f1edab8a802f16e55144918520a19a77829efee39ac06f6767bdc11d7923a1be5b61fc41e0c05618c252c9a9c929a12f8e4a09

memory/4688-69-0x0000000000400000-0x00000000006F4000-memory.dmp

memory/4088-73-0x0000000000AD0000-0x0000000000B00000-memory.dmp

memory/4088-74-0x00000000052F0000-0x00000000052F6000-memory.dmp

memory/4088-75-0x000000000AF20000-0x000000000B538000-memory.dmp

memory/4088-76-0x000000000AA80000-0x000000000AB8A000-memory.dmp

memory/4088-77-0x000000000A9B0000-0x000000000A9C2000-memory.dmp

memory/4088-78-0x000000000AA10000-0x000000000AA4C000-memory.dmp

memory/4088-79-0x0000000004DA0000-0x0000000004DEC000-memory.dmp