Malware Analysis Report

2025-08-11 06:40

Sample ID 241109-edxxzawmez
Target 68d6e09074432c636b1b232a461bfa46cd9517c27730339d4ed26db71e61aa40
SHA256 68d6e09074432c636b1b232a461bfa46cd9517c27730339d4ed26db71e61aa40
Tags
healer redline mihan discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

68d6e09074432c636b1b232a461bfa46cd9517c27730339d4ed26db71e61aa40

Threat Level: Known bad

The file 68d6e09074432c636b1b232a461bfa46cd9517c27730339d4ed26db71e61aa40 was found to be: Known bad.

Malicious Activity Summary

healer redline mihan discovery dropper evasion infostealer persistence trojan

Healer family

Modifies Windows Defender Real-time Protection settings

Detects Healer, an antivirus disabler dropper

Healer

Redline family

RedLine payload

RedLine

Executes dropped EXE

Windows security modification

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 03:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 03:50

Reported

2024-11-09 03:52

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\68d6e09074432c636b1b232a461bfa46cd9517c27730339d4ed26db71e61aa40.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
(17 rows, every field N/A: the signature matched but no indicator details were exported)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3815205.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3815205.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3815205.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3815205.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3815205.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3815205.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3815205.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3815205.exe N/A
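The two registry tables above (the Real-Time Protection policies and the TamperProtection feature flag) are the whole of what Healer does to Defender in this detonation. The script below is an added example for this report, not sandbox, Healer or RedLine code: it turns those rows into a detection rule that fires on the "disabled" state of each protected value and ignores key creation and re-enabling writes. The event shape (a dict with op/key/value/data/process) is an assumption standing in for whatever a sandbox export or a Sysmon Event ID 13 feed provides, and the sample events are constructed from the tables above plus one benign write for contrast.

```python
"""Flag registry writes that weaken Microsoft Defender.

Added example for this report; not sandbox, Healer or RedLine code.
Event shape (op/key/value/data/process) is an assumption; the sample
events are constructed from the report's registry tables.
"""
import re

# Defender values an attacker flips, with the data that means "disabled".
# Healer writes the Real-Time Protection policies and, separately, tries
# to switch TamperProtection itself off.
DEFENDER_TAMPER_VALUES = {
    r"SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring": 1,
    r"SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring": 1,
    r"SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection": 1,
    r"SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection": 1,
    r"SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable": 1,
    r"SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware": 1,
    r"SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection": 0,
}

_HIVE = re.compile(r"^(\\REGISTRY\\MACHINE|HKLM|HKEY_LOCAL_MACHINE)\\", re.IGNORECASE)
_WOW = re.compile(r"\\WOW6432Node\\", re.IGNORECASE)


def normalize_key(path):
    """Strip the hive prefix and the WOW6432Node redirection and lower-case
    the rest, so a 32-bit writer (this sample) and a 64-bit writer hit the
    same rule."""
    path = _HIVE.sub("", path)
    path = _WOW.sub(lambda _m: "\\", path)
    return path.lower()


_RULES = {normalize_key(k): v for k, v in DEFENDER_TAMPER_VALUES.items()}


def find_defender_tampering(events):
    """Return one finding per 'set' event that puts a protected value into
    its disabled state. Key creations and writes of the enabled state are
    ignored, so a policy engine re-enabling protection does not trigger."""
    findings = []
    for ev in events:
        if ev.get("op") != "set":
            continue
        full = normalize_key(ev["key"] + "\\" + ev["value"])
        disabled = _RULES.get(full)
        if disabled is None or int(ev["data"]) != disabled:
            continue
        findings.append({
            "process": ev["process"],
            "value": ev["value"],
            "data": int(ev["data"]),
            # Turning Tamper Protection off is the precondition for the rest.
            "severity": "critical" if ev["value"].lower() == "tamperprotection" else "high",
        })
    return findings


_RTP = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
_FEAT = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features"
_HEALER = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3815205.exe"

# Constructed from the report's two registry tables, in the assumed event shape.
SAMPLE_EVENTS = [
    {"op": "set", "key": _RTP, "value": "DisableRealtimeMonitoring", "data": 1, "process": _HEALER},
    {"op": "set", "key": _RTP, "value": "DisableScanOnRealtimeEnable", "data": 1, "process": _HEALER},
    {"op": "create", "key": _RTP, "value": "", "data": "", "process": _HEALER},
    {"op": "set", "key": _RTP, "value": "DisableBehaviorMonitoring", "data": 1, "process": _HEALER},
    {"op": "set", "key": _RTP, "value": "DisableIOAVProtection", "data": 1, "process": _HEALER},
    {"op": "set", "key": _RTP, "value": "DisableOnAccessProtection", "data": 1, "process": _HEALER},
    {"op": "create", "key": _FEAT, "value": "", "data": "", "process": _HEALER},
    {"op": "set", "key": _FEAT, "value": "TamperProtection", "data": 0, "process": _HEALER},
    # Benign contrast (constructed): something re-enabling real-time monitoring.
    {"op": "set", "key": _RTP, "value": "DisableRealtimeMonitoring", "data": 0,
     "process": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for f in find_defender_tampering(SAMPLE_EVENTS):
        print(f"{f['severity']:8} {f['value']} = {f['data']}  by {f['process']}")
```

On a host where Tamper Protection is on, Defender refuses these changes, so the events prove an attempt, not that real-time protection was actually off; confirm the real state with Get-MpComputerStatus (RealTimeProtectionEnabled, IsTamperProtected) or the Defender operational event log before treating the host as unprotected.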

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\68d6e09074432c636b1b232a461bfa46cd9517c27730339d4ed26db71e61aa40.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2512802.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3815205.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1279850.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\68d6e09074432c636b1b232a461bfa46cd9517c27730339d4ed26db71e61aa40.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2512802.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3815205.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3815205.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3815205.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2816 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\68d6e09074432c636b1b232a461bfa46cd9517c27730339d4ed26db71e61aa40.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2512802.exe
PID 2816 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\68d6e09074432c636b1b232a461bfa46cd9517c27730339d4ed26db71e61aa40.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2512802.exe
PID 2816 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\68d6e09074432c636b1b232a461bfa46cd9517c27730339d4ed26db71e61aa40.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2512802.exe
PID 864 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2512802.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3815205.exe
PID 864 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2512802.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3815205.exe
PID 864 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2512802.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3815205.exe
PID 864 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2512802.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1279850.exe
PID 864 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2512802.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1279850.exe
PID 864 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2512802.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1279850.exe
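The WriteProcessMemory rows are the sandbox recording CreateProcess writing into each new child (three writes per launch, hence the triplicates), so they double as the parent/child map of the chain. The RunOnce rows above are not payload persistence: wextract (the IExpress self-extractor stub) unpacks into %TEMP%\IXPnnn.TMP and registers a wextract_cleanupN RunOnce value that runs advpack DelNodeRunDLL32 to delete that directory at the next logon; two such entries (IXP000.TMP, IXP001.TMP) mean two nested SFX layers. The script below is an added example for this report, not sandbox or malware code: it parses both tables (constructed verbatim from the rows above, assuming the row layout shown and no spaces inside paths) into a de-duplicated process tree and a map of which stage extracted which directory.

```python
"""Rebuild the dropper chain from the report's own event rows.

Added example for this report; not sandbox, Healer or RedLine code.
Inputs are constructed verbatim from the WriteProcessMemory and RunOnce
tables; the parser assumes that exact row layout (no spaces in paths).
"""
import re
from collections import OrderedDict

WPM_ROWS = r"""
PID 2816 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\68d6e09074432c636b1b232a461bfa46cd9517c27730339d4ed26db71e61aa40.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2512802.exe
PID 2816 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\68d6e09074432c636b1b232a461bfa46cd9517c27730339d4ed26db71e61aa40.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2512802.exe
PID 2816 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\68d6e09074432c636b1b232a461bfa46cd9517c27730339d4ed26db71e61aa40.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2512802.exe
PID 864 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2512802.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3815205.exe
PID 864 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2512802.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3815205.exe
PID 864 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2512802.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3815205.exe
PID 864 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2512802.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1279850.exe
PID 864 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2512802.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1279850.exe
PID 864 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2512802.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1279850.exe
"""

RUNONCE_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\68d6e09074432c636b1b232a461bfa46cd9517c27730339d4ed26db71e61aa40.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2512802.exe N/A
"""

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
# Captures the RunOnce value name, the directory handed to DelNodeRunDLL32
# (still with the report's doubled backslashes) and the writing process.
CLEANUP_RE = re.compile(
    r'RunOnce\\(wextract_cleanup\d+) = "rundll32\.exe \S+advpack\.dll,DelNodeRunDLL32 '
    r'\\"(.*?)\\"" (\S+) N/A$'
)


def parse_process_edges(rows):
    """Return {(ppid, pid): (parent_path, child_path)}, one entry per launch;
    the sandbox logs three writes per CreateProcess, so duplicates collapse."""
    edges = OrderedDict()
    for line in rows.strip().splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            ppid, pid, parent, child = m.groups()
            edges.setdefault((int(ppid), int(pid)), (parent, child))
    return edges


def build_tree(edges):
    names, children = {}, {}
    for (ppid, pid), (parent, child) in edges.items():
        names[ppid], names[pid] = parent, child
        children.setdefault(ppid, []).append(pid)
    spawned = {pid for (_, pid) in edges}
    roots = [p for p in names if p not in spawned]
    return names, children, roots


def render_tree(edges):
    names, children, roots = build_tree(edges)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid}  {names[pid]}")
        for c in children.get(pid, []):
            walk(c, depth + 1)

    for r in roots:
        walk(r, 0)
    return "\n".join(lines)


def parse_wextract_cleanup(rows):
    """Map each wextract_cleanupN value to (directory it deletes, process that
    wrote it). The value runs advpack DelNodeRunDLL32 on an IXPnnn.TMP
    directory, i.e. SFX self-cleanup at next logon, not payload persistence."""
    out = {}
    for line in rows.strip().splitlines():
        m = CLEANUP_RE.search(line.strip())
        if m:
            name, directory, writer = m.groups()
            out[name] = (directory.replace("\\\\", "\\").rstrip("\\"), writer)
    return out


if __name__ == "__main__":
    print(render_tree(parse_process_edges(WPM_ROWS)))
    for name, (directory, writer) in parse_wextract_cleanup(RUNONCE_ROWS).items():
        print(f"{name}: {writer} extracted into {directory} (deleted at next logon)")
```

Read together, the two views say: the submitted file is SFX layer 0 (extracts IXP000.TMP, launches v2512802.exe, PID 864), v2512802.exe is SFX layer 1 (extracts IXP001.TMP, launches both a3815205.exe, PID 2072, the Healer stage, and b1279850.exe, PID 3772, the RedLine stage), and neither RunOnce value re-launches anything.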

Processes

Process tree (parent/child links and PIDs taken from the WriteProcessMemory rows and the memory dump names in this report):

C:\Users\Admin\AppData\Local\Temp\68d6e09074432c636b1b232a461bfa46cd9517c27730339d4ed26db71e61aa40.exe (PID 2816)
  "C:\Users\Admin\AppData\Local\Temp\68d6e09074432c636b1b232a461bfa46cd9517c27730339d4ed26db71e61aa40.exe"

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2512802.exe (PID 864)
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2512802.exe

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3815205.exe (PID 2072)
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3815205.exe

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1279850.exe (PID 3772)
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1279850.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
CY 217.196.96.101:4132 - tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
CY 217.196.96.101:4132 - tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
CY 217.196.96.101:4132 - tcp
CY 217.196.96.101:4132 - tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
CY 217.196.96.101:4132 - tcp
CY 217.196.96.101:4132 - tcp
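Most of the Network table is resolver background: PTR (in-addr.arpa) lookups sent to 8.8.8.8, which the guest issues for addresses it touches and which carry no payload traffic. The one destination that is not a DNS query, 217.196.96.101:4132 (CY), is contacted six times and is the candidate RedLine C2; the report does not say which process opened it. The script below is an added example for this report, not sandbox or malware code: it parses rows constructed from the table above, separates resolver noise from connections the sample made, and decodes the PTR names back to the addresses that were looked up. The rules it applies (PTR lookups to the resolver are noise; any non-DNS row is a connection) are this example's assumption.

```python
"""Split the sandbox Network table into resolver noise and sample traffic.

Added example for this report; not sandbox or malware code. Rows are
constructed from the report's Network table; the noise/connection rules
are this example's assumption.
"""
from collections import Counter

NETWORK_ROWS = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
CY 217.196.96.101:4132 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
CY 217.196.96.101:4132 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
CY 217.196.96.101:4132 tcp
CY 217.196.96.101:4132 tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
CY 217.196.96.101:4132 tcp
CY 217.196.96.101:4132 tcp
"""

RESOLVER = "8.8.8.8"  # the sandbox's DNS forwarder, per the table


def parse_rows(text):
    """Rows are 'country dest domain proto' for DNS and 'country dest proto'
    (or a '-' domain placeholder) for raw connections."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue
        if domain == "-":
            domain = None
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'241.150.49.20.in-addr.arpa' -> '20.49.150.241' (PTR names reverse the octets)."""
    octets = name[:-len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def classify(row):
    if row["proto"] == "udp" and row["port"] == 53 and row["host"] == RESOLVER:
        if row["domain"] and row["domain"].endswith(".in-addr.arpa"):
            return "noise"      # reverse lookup issued by the guest, not payload traffic
        return "dns"            # a forward lookup would be worth keeping as an IOC
    return "connection"         # anything that is not a DNS query to the resolver


def summarize(text):
    """Return (noise row count, addresses the PTR lookups decoded to,
    Counter of (host, port, proto) for connections the sample made)."""
    noise, looked_up, conns = 0, [], Counter()
    for r in parse_rows(text):
        kind = classify(r)
        if kind == "noise":
            noise += 1
            looked_up.append(ptr_to_ip(r["domain"]))
        elif kind == "connection":
            conns[(r["host"], r["port"], r["proto"])] += 1
    return noise, looked_up, conns


if __name__ == "__main__":
    noise, ips, conns = summarize(NETWORK_ROWS)
    print(f"{noise} PTR lookups via {RESOLVER} (noise) for: {', '.join(ips)}")
    for (host, port, proto), n in conns.most_common():
        print(f"IOC {host}:{port}/{proto}  seen {n}x")
```

The decoded PTR targets are what the guest looked up, not necessarily what the sample contacted; only the TCP destination should go into an IOC list from this table.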

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2512802.exe

MD5 4616799384611d870660ae307618af3d
SHA1 70933f3a3dc729ceed950732395ad442c5889872
SHA256 a13f44521298d74845c100c608f8c758f78ecb3e24c894dd6b3dbcf47863738a
SHA512 250d03ec005945aa8abc163ef4991242347d671e85b09e0ee9f028a97d7a478cf5e1a10328a68ba2381c1de35f1955c0ebc5c59f21c079ba46647a3b421e5416

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3815205.exe

MD5 5501c8236751d6dbb79015eec53014f1
SHA1 b78369d090480ec0c5b740ff2f3d2cef28fede79
SHA256 3576618dd4cec5f29550ccc72fe1b389f66ba2049a174d24dd3a9ea6611180c0
SHA512 c47906c9b043eccb45726766637ed6beb4239d715afad372653a23ed474cb3acd3fba8190853433c613afeefcbd10b15046ead00c498d9a99012fc50b15ceb61

memory/2072-14-0x00000000743EE000-0x00000000743EF000-memory.dmp

memory/2072-15-0x00000000023B0000-0x00000000023CA000-memory.dmp

memory/2072-16-0x00000000743E0000-0x0000000074B90000-memory.dmp

memory/2072-17-0x0000000004940000-0x0000000004EE4000-memory.dmp

memory/2072-18-0x0000000004F40000-0x0000000004F58000-memory.dmp

memory/2072-46-0x0000000004F40000-0x0000000004F52000-memory.dmp

memory/2072-47-0x00000000743E0000-0x0000000074B90000-memory.dmp

memory/2072-44-0x0000000004F40000-0x0000000004F52000-memory.dmp

memory/2072-42-0x0000000004F40000-0x0000000004F52000-memory.dmp

memory/2072-40-0x0000000004F40000-0x0000000004F52000-memory.dmp

memory/2072-38-0x0000000004F40000-0x0000000004F52000-memory.dmp

memory/2072-36-0x0000000004F40000-0x0000000004F52000-memory.dmp

memory/2072-34-0x0000000004F40000-0x0000000004F52000-memory.dmp

memory/2072-32-0x0000000004F40000-0x0000000004F52000-memory.dmp

memory/2072-30-0x0000000004F40000-0x0000000004F52000-memory.dmp

memory/2072-28-0x0000000004F40000-0x0000000004F52000-memory.dmp

memory/2072-26-0x0000000004F40000-0x0000000004F52000-memory.dmp

memory/2072-24-0x0000000004F40000-0x0000000004F52000-memory.dmp

memory/2072-22-0x0000000004F40000-0x0000000004F52000-memory.dmp

memory/2072-20-0x0000000004F40000-0x0000000004F52000-memory.dmp

memory/2072-19-0x0000000004F40000-0x0000000004F52000-memory.dmp

memory/2072-48-0x00000000743EE000-0x00000000743EF000-memory.dmp

memory/2072-49-0x00000000743E0000-0x0000000074B90000-memory.dmp

memory/2072-51-0x00000000743E0000-0x0000000074B90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1279850.exe

MD5 293f4c85befccf4b39645633d059ec65
SHA1 976b3196078f22e6ab104d1bccd5017d5e7858b3
SHA256 8b3ae63c4a67ac3d2f1c15a065579afa6db5740528aa16d21880f5b2479194af
SHA512 e18c5159da188e8fa1e6a6269cf9841e8d9185d339ec3f0dcbf3e764edeadb2e4945c30640aa054aeb38a81785681b7438f6438404862f737adf5822004c2dd9

memory/3772-56-0x0000000001100000-0x0000000001106000-memory.dmp

memory/3772-55-0x00000000009F0000-0x0000000000A20000-memory.dmp

memory/3772-57-0x00000000059E0000-0x0000000005FF8000-memory.dmp

memory/3772-58-0x00000000054D0000-0x00000000055DA000-memory.dmp

memory/3772-59-0x0000000005360000-0x0000000005372000-memory.dmp

memory/3772-60-0x0000000005400000-0x000000000543C000-memory.dmp

memory/3772-61-0x0000000005440000-0x000000000548C000-memory.dmp