Malware Analysis Report

2025-08-10 13:17

Sample ID 241109-ef13eaxbma
Target c1916b134a54ab42d21b046192ed9d367444bb84506281bd561bc161159ff49b
SHA256 c1916b134a54ab42d21b046192ed9d367444bb84506281bd561bc161159ff49b
Tags
healer redline mazda discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

c1916b134a54ab42d21b046192ed9d367444bb84506281bd561bc161159ff49b

Threat Level: Known bad

The file c1916b134a54ab42d21b046192ed9d367444bb84506281bd561bc161159ff49b was found to be: Known bad.

Malicious Activity Summary

healer redline mazda discovery dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

Healer

Detects Healer an antivirus disabler dropper

Redline family

RedLine

RedLine payload

Healer family

Executes dropped EXE

Windows security modification

Adds Run key to start application

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 03:53

Signatures

Unsigned PE

1 hit; no indicator, process or target details recorded.

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 03:53

Reported

2024-11-09 03:56

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c1916b134a54ab42d21b046192ed9d367444bb84506281bd561bc161159ff49b.exe"

Signatures

Detects Healer an antivirus disabler dropper

17 hits; no indicator, process or target details recorded.

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

All six events come from C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9015258.exe and concern the Defender policy key
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (no Target recorded):

Operation        Value name                    Data
Key created      (the key itself)
Set value (int)  DisableRealtimeMonitoring     1
Set value (int)  DisableScanOnRealtimeEnable   1
Set value (int)  DisableBehaviorMonitoring     1
Set value (int)  DisableIOAVProtection         1
Set value (int)  DisableOnAccessProtection     1

These are the Group Policy values for Defender's real-time engine. Writing them requires administrative rights (the sandbox ran the sample as user Admin), and on a host with Tamper Protection enabled Defender ignores registry edits to them, so the rows show the stage's intent to blind Defender rather than proof that it succeeded. The WOW6432Node prefix on every path is consistent with a 32-bit writing process (WerFault is later launched from SysWOW64 for the same process).

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan

Both events come from C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9015258.exe (no Target recorded):

Operation        Key / value
Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = 0

TamperProtection is the value in which Defender records its own tamper-protection state. When the feature is on, a direct registry write of this kind is exactly what it guards against, so the row documents what the stage attempts, not that Defender was left unprotected.

Adds Run key to start application

persistence

Five RunOnce values under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce, each with the data
rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "<directory>" (no Target recorded); every directory is under C:\Users\Admin\AppData\Local\Temp:

Value name          Directory to delete   Written by
wextract_cleanup0   IXP000.TMP            C:\Users\Admin\AppData\Local\Temp\c1916b134a54ab42d21b046192ed9d367444bb84506281bd561bc161159ff49b.exe
wextract_cleanup1   IXP001.TMP            C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3663892.exe
wextract_cleanup2   IXP002.TMP            C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7239244.exe
wextract_cleanup3   IXP003.TMP            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9677373.exe
wextract_cleanup4   IXP004.TMP            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5653127.exe

These entries do not start the payload. wextract.exe, the extractor behind IExpress self-extracting packages, registers a wextract_cleanupN RunOnce value so that advpack.dll deletes its IXP00N.TMP extraction directory at the next logon; the "persistence" label is a misclassification of that housekeeping. What the rows do establish is the structure of the dropper: cleanup0 through cleanup4, each written by the executable one layer up, means five nested self-extracting layers, with the innermost (IXP004.TMP) holding a9015258.exe and b8967198.exe.

System Location Discovery: System Language Discovery

discovery

Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (no Target recorded), by every stage of the chain:

C:\Users\Admin\AppData\Local\Temp\c1916b134a54ab42d21b046192ed9d367444bb84506281bd561bc161159ff49b.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3663892.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7239244.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9677373.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5653127.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9015258.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8967198.exe
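The registry rows under the Defender, RunOnce and NLS\Language signatures above all share one layout, and the distinctions a reviewer has to draw by hand (a policy value that blinds Defender, a TamperProtection write, self-extractor cleanup that is not persistence, a locale read) can be made repeatable with a short triage script. The following is an added example written for this page, not code from the report or from the sandbox vendor; SAMPLE_EVENTS is constructed to mirror the rows above, the Run\Updater row is a hypothetical contrast case that is not in the report, and the category names and function names are this script's own.

```python
"""Triage sandbox registry rows of the kind this report lists.

Added example; not code from the report or the sandbox vendor. SAMPLE_EVENTS is
constructed to mirror the report's rows, plus one hypothetical Run entry.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# One row: "<operation> <key>[ = "<value>"] <writing process image path>"
ROW = re.compile(
    r'^(?P<op>Key created|Key opened|Set value \(\w+\)) '
    r'(?P<key>.+?)'
    r'(?: = "(?P<value>(?:\\.|[^"\\])*)")?'
    r' (?P<proc>[A-Za-z]:\\\S+)$'
)
DEFENDER_RTP = '\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\'
TAMPER = '\\Windows Defender\\Features\\TamperProtection'
AUTORUN = re.compile(r'\\CurrentVersion\\(?:Run|RunOnce)\\(?P<name>[^\\]+)$')
# wextract.exe registers this RunOnce value to delete its IXPnnn.TMP directory
SFX_CLEANUP = re.compile(r'advpack\.dll,DelNodeRunDLL32 .*IXP(?P<n>\d{3})\.TMP', re.I)
LOCALE_KEY = '\\Control\\NLS\\Language'


@dataclass(frozen=True)
class Finding:
    category: str
    process: str   # image file name of the writing process
    detail: str


def classify(line: str) -> Optional[Finding]:
    """Map one row to a category; None if the row does not parse."""
    m = ROW.match(line.strip())
    if not m:
        return None
    op, key, value, proc = m['op'], m['key'], m['value'], m['proc']
    image = proc.rsplit('\\', 1)[-1]
    is_set = op.startswith('Set value')
    if is_set and DEFENDER_RTP in key and value == '1':
        return Finding('defender_rtp_disabled', image, key.rsplit('\\', 1)[-1])
    if is_set and key.endswith(TAMPER) and value == '0':
        return Finding('tamper_protection_off', image, 'TamperProtection=0')
    ar = AUTORUN.search(key)
    if ar and value is not None:
        sfx = SFX_CLEANUP.search(value)
        if sfx and ar['name'].startswith('wextract_cleanup'):
            return Finding('sfx_cleanup', image, f'IXP{sfx["n"]}.TMP')  # housekeeping, not autorun
        return Finding('autorun', image, f'{ar["name"]}={value}')
    if op == 'Key opened' and key.endswith(LOCALE_KEY):
        return Finding('locale_check', image, key)
    return Finding('other', image, f'{op} {key}')


def triage(lines: List[str]) -> List[Finding]:
    return [f for f in map(classify, lines) if f is not None]


def by_category(findings: List[Finding]) -> Dict[str, List[str]]:
    """category -> sorted image names that produced it."""
    out: Dict[str, set] = defaultdict(set)
    for f in findings:
        out[f.category].add(f.process)
    return {k: sorted(v) for k, v in out.items()}


def sfx_depth(findings: List[Finding]) -> int:
    """Nested self-extractor layers implied by wextract_cleanupN / IXP00N.TMP."""
    idx = [int(f.detail[3:6]) for f in findings if f.category == 'sfx_cleanup']
    return max(idx) + 1 if idx else 0


HKLM = r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node'
TMP = r'C:\Users\Admin\AppData\Local\Temp'
RTP = rf'{HKLM}\Policies\Microsoft\Windows Defender\Real-Time Protection'
STAGE0 = rf'{TMP}\c1916b134a54ab42d21b046192ed9d367444bb84506281bd561bc161159ff49b.exe'
SAMPLE_EVENTS = [  # constructed to mirror the report's rows
    rf'Key created {RTP} {TMP}\IXP004.TMP\a9015258.exe',
    rf'Set value (int) {RTP}\DisableRealtimeMonitoring = "1" {TMP}\IXP004.TMP\a9015258.exe',
    rf'Set value (int) {RTP}\DisableBehaviorMonitoring = "1" {TMP}\IXP004.TMP\a9015258.exe',
    rf'Set value (int) {RTP}\DisableIOAVProtection = "1" {TMP}\IXP004.TMP\a9015258.exe',
    rf'Set value (int) {HKLM}\Microsoft\Windows Defender\Features\TamperProtection = "0" {TMP}\IXP004.TMP\a9015258.exe',
    rf'Set value (str) {HKLM}\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" {STAGE0}',
    rf'Set value (str) {HKLM}\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" {TMP}\IXP003.TMP\v5653127.exe',
    # hypothetical contrast row, not from the report: a genuine payload autorun
    rf'Set value (str) {HKLM}\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Users\\Admin\\AppData\\Roaming\\svc.exe" {TMP}\constructed_payload.exe',
    rf'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language {STAGE0}',
    rf'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language {TMP}\IXP004.TMP\b8967198.exe',
]

if __name__ == '__main__':
    found = triage(SAMPLE_EVENTS)
    for cat, procs in sorted(by_category(found).items()):
        print(f'{cat:24} {", ".join(procs)}')
    print('self-extractor layers:', sfx_depth(found))
```

The sfx_cleanup category is deliberately kept apart from autorun: counting the wextract_cleanupN indices gives the nesting depth of the dropper (five layers for these rows), while only an entry that points at something other than the advpack.dll cleanup call is worth treating as persistence.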

Suspicious behavior: EnumeratesProcesses

2 hits, both by C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9015258.exe; no indicator or target details recorded.

Suspicious use of AdjustPrivilegeToken

SeDebugPrivilege enabled by C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9015258.exe (no indicator or target recorded). This is the privilege a process needs to open processes that belong to other users or to the system, which fits the process enumeration by the same stage.

Suspicious use of WriteProcessMemory

The report lists each parent/child pair three times; the repeats are collapsed here. Three writes by a parent into a process it has just started are consistent with the writes CreateProcess performs into a new child, and no row shows a write into a process outside this chain, so the rows document the drop chain rather than injection into a foreign process.

Parent PID  Parent                                                       Child PID  Child
1020        C:\Users\Admin\AppData\Local\Temp\c1916b134a54ab42d21b046192ed9d367444bb84506281bd561bc161159ff49b.exe   3136  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3663892.exe
3136        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3663892.exe   1708  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7239244.exe
1708        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7239244.exe   4708  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9677373.exe
4708        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9677373.exe   2944  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5653127.exe
2944        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5653127.exe   4396  C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9015258.exe
2944        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5653127.exe   4796  C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8967198.exe

Processes

Tree reconstructed from the WriteProcessMemory rows (which supply the PIDs) and the WerFault arguments (-p 4396 names the faulting process):

1020  "C:\Users\Admin\AppData\Local\Temp\c1916b134a54ab42d21b046192ed9d367444bb84506281bd561bc161159ff49b.exe"
  3136  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3663892.exe
    1708  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7239244.exe
      4708  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9677373.exe
        2944  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5653127.exe
          4396  C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9015258.exe   (writes the Defender keys above; the process WerFault reports on)
          4796  C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8967198.exe

Crash reporting for PID 4396 (the "Program crash" entry in the summary):

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1088

Every stage from v3663892.exe down runs from its own IXP00N.TMP directory, the extraction folder that the Windows self-extractor (wextract) creates, so the sample is five nested self-extracting layers around the two final executables. WerFault running from SysWOW64 confirms that the crashing stage is 32-bit.
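The WriteProcessMemory rows and the WerFault command lines are enough to rebuild the process tree, count the self-extractor layers and mark the crashed stage without reading the tables by eye. The following is an added example, not part of the report or the sandbox's tooling; SAMPLE_WPM and SAMPLE_CMDLINES are constructed to mirror the report (including the repeated rows per pair), and the ProcessTree class and its method names are this example's own.

```python
"""Rebuild the drop chain from WriteProcessMemory rows and WerFault command lines.

Added example, not part of the report. SAMPLE_WPM and SAMPLE_CMDLINES are
constructed to mirror the report, repeats included.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set

WPM = re.compile(r'^PID (?P<ppid>\d+) wrote to memory of (?P<pid>\d+) N/A '
                 r'(?P<parent>[A-Za-z]:\\\S+) (?P<child>[A-Za-z]:\\\S+)$')
WER = re.compile(r'WerFault\.exe .*?-p (?P<pid>\d+)')   # -p names the faulting PID
SFX_DIR = re.compile(r'\\IXP\d{3}\.TMP\\')             # wextract extraction folder


def basename(path: str) -> str:
    return path.rsplit('\\', 1)[-1]


class ProcessTree:
    def __init__(self) -> None:
        self.image: Dict[int, str] = {}
        self.parent: Dict[int, int] = {}
        self.children: Dict[int, List[int]] = defaultdict(list)
        self.crashed: Set[int] = set()

    def feed_wpm(self, row: str) -> bool:
        m = WPM.match(row.strip())
        if not m:
            return False
        ppid, pid = int(m['ppid']), int(m['pid'])
        self.image.setdefault(ppid, m['parent'])
        self.image.setdefault(pid, m['child'])
        if pid not in self.parent:            # collapse the repeated rows per pair
            self.parent[pid] = ppid
            self.children[ppid].append(pid)
        return True

    def feed_cmdline(self, cmdline: str) -> bool:
        m = WER.search(cmdline)
        if m:
            self.crashed.add(int(m['pid']))
        return bool(m)

    def roots(self) -> List[int]:
        return [p for p in self.image if p not in self.parent]

    def leaves(self) -> List[int]:
        return sorted(p for p in self.image if not self.children.get(p))

    def lineage(self, pid: int) -> List[int]:
        """PIDs from the root down to pid."""
        out = [pid]
        while out[-1] in self.parent:
            out.append(self.parent[out[-1]])
        return out[::-1]

    def sfx_depth(self, pid: int) -> int:
        """Self-extractor layers above pid, counted by IXPnnn.TMP directories on the lineage."""
        return sum(1 for p in self.lineage(pid) if SFX_DIR.search(self.image[p]))

    def render(self) -> str:
        lines: List[str] = []

        def walk(pid: int, depth: int) -> None:
            mark = f'  (crashed: WerFault -p {pid})' if pid in self.crashed else ''
            lines.append('  ' * depth + f'{pid}  {basename(self.image[pid])}{mark}')
            for child in self.children.get(pid, []):
                walk(child, depth + 1)

        for root in self.roots():
            walk(root, 0)
        return '\n'.join(lines)


def build(wpm_rows: List[str], cmdlines: List[str]) -> ProcessTree:
    tree = ProcessTree()
    for row in wpm_rows:
        tree.feed_wpm(row)
    for cmd in cmdlines:
        tree.feed_cmdline(cmd)
    return tree


TMP = r'C:\Users\Admin\AppData\Local\Temp'
STAGE0 = rf'{TMP}\c1916b134a54ab42d21b046192ed9d367444bb84506281bd561bc161159ff49b.exe'
SAMPLE_WPM = [  # constructed to mirror the report; the first pair is repeated as in the report
    rf'PID 1020 wrote to memory of 3136 N/A {STAGE0} {TMP}\IXP000.TMP\v3663892.exe',
    rf'PID 1020 wrote to memory of 3136 N/A {STAGE0} {TMP}\IXP000.TMP\v3663892.exe',
    rf'PID 3136 wrote to memory of 1708 N/A {TMP}\IXP000.TMP\v3663892.exe {TMP}\IXP001.TMP\v7239244.exe',
    rf'PID 1708 wrote to memory of 4708 N/A {TMP}\IXP001.TMP\v7239244.exe {TMP}\IXP002.TMP\v9677373.exe',
    rf'PID 4708 wrote to memory of 2944 N/A {TMP}\IXP002.TMP\v9677373.exe {TMP}\IXP003.TMP\v5653127.exe',
    rf'PID 2944 wrote to memory of 4396 N/A {TMP}\IXP003.TMP\v5653127.exe {TMP}\IXP004.TMP\a9015258.exe',
    rf'PID 2944 wrote to memory of 4796 N/A {TMP}\IXP003.TMP\v5653127.exe {TMP}\IXP004.TMP\b8967198.exe',
]
SAMPLE_CMDLINES = [
    r'C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4396 -ip 4396',
    r'C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1088',
]

if __name__ == '__main__':
    t = build(SAMPLE_WPM, SAMPLE_CMDLINES)
    print(t.render())
    print('layers above a9015258.exe:', t.sfx_depth(4396))
```

Because the report repeats every parent/child pair, feed_wpm only records the first row for a given child PID; a pair that appeared with two different parents would keep the first parent, which is the right choice for a sandbox that lists rows in order.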

Network

Direct connections (the only non-DNS traffic). No forward DNS query appears anywhere in the capture, so the address and port were not obtained through name resolution and are embedded in the sample:

Country  Destination           Proto  Attempts
CY       217.196.96.56:4138    tcp    6

DNS, all to 8.8.8.8:53 over udp. Every named query is a reverse (PTR) lookup; none resolves a host name to an address:

8.8.8.8.in-addr.arpa
28.118.140.52.in-addr.arpa
172.210.232.199.in-addr.arpa
20.160.190.20.in-addr.arpa
95.221.229.192.in-addr.arpa
197.87.175.4.in-addr.arpa
15.164.165.52.in-addr.arpa
13.86.106.20.in-addr.arpa
77.190.18.2.in-addr.arpa
48.229.111.52.in-addr.arpa
(one further query to 8.8.8.8:53 with no name recorded)

The report attributes no process to the TCP connections and does not record whether the peer answered.
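The one observation that matters in this table, a repeated connection to an address that no name lookup could have produced, can be made mechanical. The following is an added example, not part of the report or the sandbox's tooling; SAMPLE_ROWS is constructed from the table above in the same order, CONTRAST_ROWS is a hypothetical capture in which a forward query precedes the connection, and the function names are this example's own.

```python
"""Separate DNS noise from real endpoints in the report's Network table.

Added example, not part of the report. SAMPLE_ROWS mirrors the table above;
CONTRAST_ROWS is a hypothetical capture used to show the negative case.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional, Tuple

ROW = re.compile(r'^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)'
                 r'(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$')
PTR_SUFFIX = '.in-addr.arpa'


class Conn(NamedTuple):
    cc: str
    ip: str
    port: int
    domain: Optional[str]   # query name for DNS rows, None when not recorded
    proto: str


def parse(rows: List[str]) -> List[Conn]:
    out = []
    for r in rows:
        m = ROW.match(r.strip())
        if m:
            out.append(Conn(m['cc'], m['ip'], int(m['port']), m['domain'], m['proto']))
    return out


def ptr_target(name: str) -> Optional[str]:
    """'28.118.140.52.in-addr.arpa' -> '52.140.118.28'; None for a forward name."""
    if not name.endswith(PTR_SUFFIX):
        return None
    return '.'.join(reversed(name[:-len(PTR_SUFFIX)].split('.')))


def is_dns(c: Conn) -> bool:
    return c.port == 53 and c.proto == 'udp'


def forward_lookups(conns: List[Conn]) -> List[str]:
    return sorted({c.domain for c in conns if is_dns(c) and c.domain and ptr_target(c.domain) is None})


def reverse_lookups(conns: List[Conn]) -> Dict[str, str]:
    """PTR query name -> address being reverse-resolved."""
    return {c.domain: ptr_target(c.domain) for c in conns
            if is_dns(c) and c.domain and ptr_target(c.domain)}


def direct_connections(conns: List[Conn]) -> List[Tuple[str, int, str, str, int]]:
    """(ip, port, proto, country, attempts) for every non-DNS endpoint, most frequent first."""
    counts = Counter((c.ip, c.port, c.proto, c.cc) for c in conns if not is_dns(c))
    return [(ip, port, proto, cc, n) for (ip, port, proto, cc), n in counts.most_common()]


def hardcoded_candidates(conns: List[Conn]) -> List[str]:
    """Endpoints first contacted before any forward DNS query in capture order.

    The table carries no DNS answers, so this is the strongest statement it
    supports: the address cannot have come from a name lookup."""
    seen_forward = False
    out: List[str] = []
    for c in conns:
        if is_dns(c):
            if c.domain and ptr_target(c.domain) is None:
                seen_forward = True      # a query with no recorded name is not counted
            continue
        endpoint = f'{c.ip}:{c.port}'
        if not seen_forward and endpoint not in out:
            out.append(endpoint)
    return out


SAMPLE_ROWS = [  # constructed to mirror the table above, in the same order
    'US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp',
    'US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp',
    'US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp',
    'US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp',
    'US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp',
    'CY 217.196.96.56:4138 tcp',
    'US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp',
    'US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp',
    'US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp',
    'CY 217.196.96.56:4138 tcp',
    'US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp',
    'CY 217.196.96.56:4138 tcp',
    'CY 217.196.96.56:4138 tcp',
    'US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp',
    'CY 217.196.96.56:4138 tcp',
    'CY 217.196.96.56:4138 tcp',
    'US 8.8.8.8:53 udp',
]
# hypothetical: a forward query precedes the connection, so nothing is flagged
CONTRAST_ROWS = ['US 8.8.8.8:53 example.invalid udp', 'US 203.0.113.10:443 tcp']

if __name__ == '__main__':
    conns = parse(SAMPLE_ROWS)
    print('direct:', direct_connections(conns))
    print('forward lookups:', forward_lookups(conns))
    print('hard-coded candidates:', hardcoded_candidates(conns))
```

Without DNS answers the script cannot prove that a forward query, had there been one, resolved to the contacted address; it therefore only flags endpoints reached before any forward query at all, which is exactly the situation in this capture.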

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3663892.exe

MD5 7d5c6eeb67777c246fb4b86e1a403336
SHA1 f998a4706f127dd2ab2caf1d90cd35e0c88ea108
SHA256 3f833e1f58b77d4c6f85309706469514c6e398d12783dd0f89bc172c75b2b4d1
SHA512 9d03e49de6f14aea44321467b0a5b9ace42a59ef011eb0807240bf797af1678fc21e2821a7e22bec4498dfecb6ddbb7ad508f1aa984d6c60c67da3eb8ccf86fe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7239244.exe

MD5 dc11587d04dcdebaa64ebe50f3aba6b4
SHA1 8ba53d2e8f23fe067aca320e7d639791a79a286c
SHA256 9bd2d6992dac5fb3184332efea0a309a79df29163e426a37d635101530094184
SHA512 735d676ba6fc996677714de881e5f0df0ce118bde2584df329fbb32b0c81d26cbaa52d2ef8d131dc25dea3ef6e71f5c730c50ce119a897dcaa9a37569a7bd302

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9677373.exe

MD5 cecdc554ff195e2383acf4df8da404cc
SHA1 31a897b61c8fea673da1b8cb3c3f5ed3b5378fcc
SHA256 e51ffee075d544dc28f798f968f8f415b5c881d2a792d5529c863f3e73886744
SHA512 308529c6f7b0c2ecf8eda2d4e208a7679f5f3cb02c951327e1ce9f3b0f660430fc26724625887e0af5d86fa48b4eb1a9079ba29f31a58fc5aa3552ebc0e6475e

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5653127.exe

MD5 df795b4430191b628541437ecb92e144
SHA1 c5b978054b646ceaef170530b7a915fc85470aa2
SHA256 ec9143a1499660c53b1456a5971928e21798faedb760aa184dc14b357630eb5c
SHA512 31dfad3ff935829e12b962e766d322175f99aa4a7addcd17418087fb10cc7faa6fe0a54ae78c5a66cf966ab299bcf1f5ecda0b9e4f6c602d2908411b721c8e39

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9015258.exe

MD5 22f1b3c9ae47dd2d1b1f758000e20063
SHA1 49b249376f77ef2f9b426f7b20dc69c5f0755505
SHA256 d8ae2f70a80affba24c38f225775055d0e19cb0b998595c56cf77baee3af8ce5
SHA512 4be279f5a3db5d4aa3c44492bb798d17b469d89a9f920dddd87853c4f64a4520af59c8ee9046e9f98a07c7583be2de1d4134263f1fbea4db4ca4b7e793ea690e

Memory dumps of PID 4396 (a9015258.exe):

memory/4396-36-0x00000000024E0000-0x00000000024FA000-memory.dmp
memory/4396-37-0x0000000004D80000-0x0000000005324000-memory.dmp
memory/4396-38-0x0000000002790000-0x00000000027A8000-memory.dmp
memory/4396-N-0x0000000002790000-0x00000000027A2000-memory.dmp for N in 39, 40, 42, 44, 46, 48, 50, 52, 54, 56, 59, 60, 62, 64, 66 (15 snapshots of the same 0x12000-byte region)
memory/4396-67-0x0000000000400000-0x00000000006F4000-memory.dmp
memory/4396-69-0x0000000000400000-0x00000000006F4000-memory.dmp

The last two cover the range starting at 0x00400000, the default image base of a 32-bit executable, i.e. the process's own image.

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8967198.exe

MD5 8a300f51018b0b635df40751a4f37293
SHA1 d55621636ec7778f1669b2c0afd14497385361aa
SHA256 e4365d94646b676bbbcb23bce7f68a255d7ef1d5c81afee6795b51c1ffcc2ab2
SHA512 31eaba93dcfd370e8ddb4a71fd2b2cf09e0d2bbd2c354b68797dccf04fef36a9ec3c1308c25ee1034e59a69393d7b996af9c43690ba9face3dd14f2db8586617

Memory dumps of PID 4796 (b8967198.exe):

memory/4796-73-0x0000000000AF0000-0x0000000000B20000-memory.dmp
memory/4796-74-0x00000000014F0000-0x00000000014F6000-memory.dmp
memory/4796-75-0x000000000AF10000-0x000000000B528000-memory.dmp
memory/4796-76-0x000000000AA90000-0x000000000AB9A000-memory.dmp
memory/4796-77-0x000000000A9C0000-0x000000000A9D2000-memory.dmp
memory/4796-78-0x000000000AA20000-0x000000000AA5C000-memory.dmp
memory/4796-79-0x0000000004E30000-0x0000000004E7C000-memory.dmp