Malware Analysis Report

2025-08-10 13:16

Sample ID 241109-ejy28axcjb
Target 2322597b0e7c1ecfe76aec241bfce33b11b123bb3d4cdde5d465fe87ed317ff4
SHA256 2322597b0e7c1ecfe76aec241bfce33b11b123bb3d4cdde5d465fe87ed317ff4
Tags
healer redline gena discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2322597b0e7c1ecfe76aec241bfce33b11b123bb3d4cdde5d465fe87ed317ff4

Threat Level: Known bad

The file 2322597b0e7c1ecfe76aec241bfce33b11b123bb3d4cdde5d465fe87ed317ff4 was found to be: Known bad.

Malicious Activity Summary

healer redline gena discovery dropper evasion infostealer persistence trojan

RedLine

RedLine payload

Modifies Windows Defender Real-time Protection settings

Redline family

Detects Healer an antivirus disabler dropper

Healer

Healer family

Windows security modification

Executes dropped EXE

Adds Run key to start application

Launches sc.exe

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 03:58

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 03:58

Reported

2024-11-09 04:01

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2322597b0e7c1ecfe76aec241bfce33b11b123bb3d4cdde5d465fe87ed317ff4.exe"

Signatures

Detects Healer an antivirus disabler dropper


Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2385sF.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2385sF.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2385sF.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h13au18.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h13au18.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h13au18.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2385sF.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2385sF.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h13au18.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h13au18.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h13au18.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2385sF.exe | N/A

RedLine

infostealer redline

RedLine payload


Redline family

redline

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2385sF.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h13au18.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h13au18.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\2322597b0e7c1ecfe76aec241bfce33b11b123bb3d4cdde5d465fe87ed317ff4.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba1919.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba7593.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\sc.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2322597b0e7c1ecfe76aec241bfce33b11b123bb3d4cdde5d465fe87ed317ff4.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba1919.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba7593.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h13au18.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ikSTQ56.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2385sF.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h13au18.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ikSTQ56.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2016 wrote to memory of 3600 | N/A | C:\Users\Admin\AppData\Local\Temp\2322597b0e7c1ecfe76aec241bfce33b11b123bb3d4cdde5d465fe87ed317ff4.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba1919.exe
PID 2016 wrote to memory of 3600 | N/A | C:\Users\Admin\AppData\Local\Temp\2322597b0e7c1ecfe76aec241bfce33b11b123bb3d4cdde5d465fe87ed317ff4.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba1919.exe
PID 2016 wrote to memory of 3600 | N/A | C:\Users\Admin\AppData\Local\Temp\2322597b0e7c1ecfe76aec241bfce33b11b123bb3d4cdde5d465fe87ed317ff4.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba1919.exe
PID 3600 wrote to memory of 4892 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba1919.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba7593.exe
PID 3600 wrote to memory of 4892 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba1919.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba7593.exe
PID 3600 wrote to memory of 4892 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba1919.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba7593.exe
PID 4892 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba7593.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2385sF.exe
PID 4892 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba7593.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2385sF.exe
PID 4892 wrote to memory of 4888 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba7593.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h13au18.exe
PID 4892 wrote to memory of 4888 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba7593.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h13au18.exe
PID 4892 wrote to memory of 4888 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba7593.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h13au18.exe
PID 3600 wrote to memory of 3632 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba1919.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ikSTQ56.exe
PID 3600 wrote to memory of 3632 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba1919.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ikSTQ56.exe
PID 3600 wrote to memory of 3632 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba1919.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ikSTQ56.exe

Processes

Image | Command line
C:\Users\Admin\AppData\Local\Temp\2322597b0e7c1ecfe76aec241bfce33b11b123bb3d4cdde5d465fe87ed317ff4.exe | "C:\Users\Admin\AppData\Local\Temp\2322597b0e7c1ecfe76aec241bfce33b11b123bb3d4cdde5d465fe87ed317ff4.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba1919.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba1919.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba7593.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba7593.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2385sF.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2385sF.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h13au18.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h13au18.exe
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4888 -ip 4888
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 1084
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ikSTQ56.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ikSTQ56.exe
C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe start wuauserv

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
RU | 193.233.20.30:4125 | N/A | tcp
RU | 193.233.20.30:4125 | N/A | tcp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
RU | 193.233.20.30:4125 | N/A | tcp
US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp
RU | 193.233.20.30:4125 | N/A | tcp
RU | 193.233.20.30:4125 | N/A | tcp
US | 8.8.8.8:53 | 8.173.189.20.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba1919.exe

MD5 7751ef192d9600282db3e275dbc45842
SHA1 a6de7e54e6b61f472d1e5e8391ae317cdd35fc6c
SHA256 53f6c704a755a81189663a4c909b3dde2a4d31222bac7159c7ede2cc218c6522
SHA512 3ec14f9d02cee5f36a6e3af9dd822d2e22a303d9db7b8857a0581b68b97f009c8ebb0c56c5223ad6612bfb800692735b63dcf786cb355f914a0039845b12af33

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba7593.exe

MD5 2a8ce946a3c75f3e089a8a5dc6e37b43
SHA1 3c54e8f1c0dc06c1acd2bc931d644f00cfe9e69e
SHA256 c1e086413d884a65827c4735420e9b364b38ab585b3ad16c8ffb56da755f59d9
SHA512 eeddaa78163944d714dd09bcd2cf1ac53f4876f9c02aa9a4bd85c7e90ca28fd3ef76d3b5fd930f559bcf6ea6ab1be4b6e611356a6626cc9e3da4c8f9e05cc179

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2385sF.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/2004-21-0x00007FFCD9183000-0x00007FFCD9185000-memory.dmp

memory/2004-22-0x0000000000290000-0x000000000029A000-memory.dmp

memory/2004-23-0x00007FFCD9183000-0x00007FFCD9185000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h13au18.exe

MD5 19725d2abc47c57e8194e21fdf80befa
SHA1 01d8f9f76739b21a51f20f5c755e4513398a52d1
SHA256 5f1112124f6a0c6c61243fd1cf83bcb13c72a0bbf0a34578c7a19240412decef
SHA512 f79d819040400cc0485eae90e9d5781bf38b5d2abbce9e3315af47b05c69d472a07df52aec809c6fe7740e54003ed860fd95425fe734a9b386febd3b9c53941f


C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ikSTQ56.exe

MD5 28a0bbb96f53e42ee1c96f0497707c5f
SHA1 4ea4a0b98f8a1ac99fabfee06dc9f9fdcf4ece07
SHA256 0f369a918695dad2209c9ea1493b3935a6fa1c546076267f2e93b9f2cb628489
SHA512 214b1158a07aa2d3f5aefd52f845a6ea70c5a739bdadfdcf7ce2c745c44507f8b21a7c0651e6a10482915d7b5fa46a3eeabf323ab06c569a7a7eaf6be1bf8f18
