Malware Analysis Report

2025-08-11 06:41

Sample ID 241109-eash3sxapj
Target ca0acff592494132389b9d0604769c8bf72462c526d23b9c44d0c05512f8da93
SHA256 ca0acff592494132389b9d0604769c8bf72462c526d23b9c44d0c05512f8da93
Tags
healer redline diza norm discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ca0acff592494132389b9d0604769c8bf72462c526d23b9c44d0c05512f8da93

Threat Level: Known bad

The file ca0acff592494132389b9d0604769c8bf72462c526d23b9c44d0c05512f8da93 was found to be: Known bad.

Malicious Activity Summary

healer redline diza norm discovery dropper evasion infostealer persistence trojan

Detects Healer an antivirus disabler dropper

RedLine payload

Redline family

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

Healer family

Checks computer location settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Program crash

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 03:44

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 03:44

Reported

2024-11-09 03:47

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ca0acff592494132389b9d0604769c8bf72462c526d23b9c44d0c05512f8da93.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4952.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4952.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4952.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4952.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4952.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4952.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Redline family

redline

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7109.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4952.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4952.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\ca0acff592494132389b9d0604769c8bf72462c526d23b9c44d0c05512f8da93.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un492162.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ca0acff592494132389b9d0604769c8bf72462c526d23b9c44d0c05512f8da93.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un492162.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4952.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7109.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\1.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si959341.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4952.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4952.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4952.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7109.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3920 wrote to memory of 4556 | N/A | C:\Users\Admin\AppData\Local\Temp\ca0acff592494132389b9d0604769c8bf72462c526d23b9c44d0c05512f8da93.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un492162.exe
PID 3920 wrote to memory of 4556 | N/A | C:\Users\Admin\AppData\Local\Temp\ca0acff592494132389b9d0604769c8bf72462c526d23b9c44d0c05512f8da93.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un492162.exe
PID 3920 wrote to memory of 4556 | N/A | C:\Users\Admin\AppData\Local\Temp\ca0acff592494132389b9d0604769c8bf72462c526d23b9c44d0c05512f8da93.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un492162.exe
PID 4556 wrote to memory of 5072 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un492162.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4952.exe
PID 4556 wrote to memory of 5072 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un492162.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4952.exe
PID 4556 wrote to memory of 5072 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un492162.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4952.exe
PID 4556 wrote to memory of 2872 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un492162.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7109.exe
PID 4556 wrote to memory of 2872 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un492162.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7109.exe
PID 4556 wrote to memory of 2872 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un492162.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7109.exe
PID 2872 wrote to memory of 4740 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7109.exe | C:\Windows\Temp\1.exe
PID 2872 wrote to memory of 4740 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7109.exe | C:\Windows\Temp\1.exe
PID 2872 wrote to memory of 4740 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7109.exe | C:\Windows\Temp\1.exe
PID 3920 wrote to memory of 5728 | N/A | C:\Users\Admin\AppData\Local\Temp\ca0acff592494132389b9d0604769c8bf72462c526d23b9c44d0c05512f8da93.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si959341.exe
PID 3920 wrote to memory of 5728 | N/A | C:\Users\Admin\AppData\Local\Temp\ca0acff592494132389b9d0604769c8bf72462c526d23b9c44d0c05512f8da93.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si959341.exe
PID 3920 wrote to memory of 5728 | N/A | C:\Users\Admin\AppData\Local\Temp\ca0acff592494132389b9d0604769c8bf72462c526d23b9c44d0c05512f8da93.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si959341.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ca0acff592494132389b9d0604769c8bf72462c526d23b9c44d0c05512f8da93.exe

"C:\Users\Admin\AppData\Local\Temp\ca0acff592494132389b9d0604769c8bf72462c526d23b9c44d0c05512f8da93.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un492162.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un492162.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4952.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4952.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5072 -ip 5072

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 1004

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7109.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7109.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2872 -ip 2872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 1376

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si959341.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si959341.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp
US | 8.8.8.8:53 | 14.173.189.20.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un492162.exe

MD5 6b374084032be67bedfdcc082de439a0
SHA1 2ca5793c18f07d0c456c81e53057e470c3dcb31b
SHA256 b756f24e4cbf6b6151d95e0d25bcaa1d59f58de5742b3c5b08373c90f1604648
SHA512 0a67dc400573295eab47f6fbf36159d212e619a70c37fb41be6e1e2d53ef308393666e7d4a1141c537aeaa27a90d299dbc05a19ee61fa04819a99055d983f92f

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4952.exe

MD5 9bc12f29b331507bdb5f607bdecbd64a
SHA1 db23d36642f7b3f086d3e26ee82d525c6002f4c6
SHA256 783ce6f1acfd8266d672a9ddf2193154f2a14cfdb911df082b53dbb3c8cfeacc
SHA512 c22fe639e5561035c02bc0208fa0393810b8b1a313a04cb48c66ace6d947485d05d8696d6bcb8a18adaf171a72ecac4aa3dcf0554f3dd431b6936d4a0703c6d4

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7109.exe

MD5 fedb9535573fa0657e99313221c438df
SHA1 e065225b34ed492635f682b04c104c81016ca9a4
SHA256 e938b8e76cf47d16377b3a76fa9e96cd7b131d3ef747aee7e52ada6c2ca2f94a
SHA512 ebe84b74ff6bcce9d470de27e8458a26a221ee65d915d2ee6c204f617a15a2c220607b93fe51d7150461574b972693ef0e8a156902856b6573bdcb71f8cd53f0

C:\Windows\Temp\1.exe

MD5 1073b2e7f778788852d3f7bb79929882
SHA1 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256 c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA512 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si959341.exe

MD5 431c85d48f449c8ef14d544c312bf925
SHA1 5b4949d806f85d1d003acce4d6728da4911a3856
SHA256 cdbefdcb9b74b27294932ecb43f2608f097a17b0d9e3bf65b20ea31b101c6a11
SHA512 481d2803523e995d017c96d1bf5298b5de433458f9bbe7e4729a54a8a58a9431d37505cfaf3b8f86f27ab985c8d34ba23feeb965bf371ae3471a238c270ed26e
