Malware Analysis Report

2025-08-05 10:15

Sample ID 241109-fy6ahsycnc
Target f1e96eb4fa6af56f0366127f1b80da320fe2247fdefc0bd951343ebdf9bd0d1f
SHA256 f1e96eb4fa6af56f0366127f1b80da320fe2247fdefc0bd951343ebdf9bd0d1f
Tags
healer redline lulsa discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f1e96eb4fa6af56f0366127f1b80da320fe2247fdefc0bd951343ebdf9bd0d1f

Threat Level: Known bad

The file f1e96eb4fa6af56f0366127f1b80da320fe2247fdefc0bd951343ebdf9bd0d1f was found to be: Known bad.

Malicious Activity Summary

healer redline lulsa discovery dropper evasion infostealer persistence trojan

RedLine

Modifies Windows Defender Real-time Protection settings

Redline family

Healer

Healer family

RedLine payload

Detects Healer, an antivirus disabler dropper

Windows security modification

Executes dropped EXE

Adds Run key to start application

Launches sc.exe

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 05:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A (no details recorded for this signature)

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 05:17

Reported

2024-11-09 05:20

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f1e96eb4fa6af56f0366127f1b80da320fe2247fdefc0bd951343ebdf9bd0d1f.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A (17 identical rows; no details recorded for this signature)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o7268346.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o7268346.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o7268346.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o7268346.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o7268346.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o7268346.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A (2 identical rows; no details recorded for this signature)

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o7268346.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o7268346.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\f1e96eb4fa6af56f0366127f1b80da320fe2247fdefc0bd951343ebdf9bd0d1f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0011099.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f1e96eb4fa6af56f0366127f1b80da320fe2247fdefc0bd951343ebdf9bd0d1f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0011099.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o7268346.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6137304.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o7268346.exe N/A (2 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o7268346.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1032 wrote to memory of 972 (3 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\f1e96eb4fa6af56f0366127f1b80da320fe2247fdefc0bd951343ebdf9bd0d1f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0011099.exe
PID 972 wrote to memory of 4100 (3 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0011099.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o7268346.exe
PID 972 wrote to memory of 4852 (3 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0011099.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6137304.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f1e96eb4fa6af56f0366127f1b80da320fe2247fdefc0bd951343ebdf9bd0d1f.exe

"C:\Users\Admin\AppData\Local\Temp\f1e96eb4fa6af56f0366127f1b80da320fe2247fdefc0bd951343ebdf9bd0d1f.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0011099.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0011099.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o7268346.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o7268346.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6137304.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6137304.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country  Destination           Domain                           Proto
US       8.8.8.8:53            209.205.72.20.in-addr.arpa       udp
US       8.8.8.8:53            77.190.18.2.in-addr.arpa         udp
US       8.8.8.8:53            67.31.126.40.in-addr.arpa        udp
US       8.8.8.8:53            95.221.229.192.in-addr.arpa      udp
CY       217.196.96.101:4132   (none)                           tcp
US       8.8.8.8:53            197.87.175.4.in-addr.arpa        udp
US       8.8.8.8:53            171.39.242.20.in-addr.arpa       udp
US       8.8.8.8:53            71.209.201.84.in-addr.arpa       udp
US       8.8.8.8:53            241.150.49.20.in-addr.arpa       udp
CY       217.196.96.101:4132   (none)                           tcp
US       8.8.8.8:53            240.221.184.93.in-addr.arpa      udp
CY       217.196.96.101:4132   (none)                           tcp
CY       217.196.96.101:4132   (none)                           tcp
US       8.8.8.8:53            29.243.111.52.in-addr.arpa       udp
CY       217.196.96.101:4132   (none)                           tcp
CY       217.196.96.101:4132   (none)                           tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0011099.exe

MD5 06763e4230c4281042b047ccfcbaf0a8
SHA1 c6394855ccd190244610b03aaa680df90783a862
SHA256 ea95f894a0d53f68f825d0a2e744db88d9d818e3f49e5633884f3842313e3cc9
SHA512 b47240aa84b5fe0096028b8e0500951d3ca4bc84d23923486bcb39808285f90e3efdf81a278ffc55d53e1bf2926d506a979f1c4e37d14313401cb5802fe8758e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o7268346.exe

MD5 440382d1d97b4e83336a47b520050cd6
SHA1 18965aa83d01228806df83b9b2b3e16193e2d6f8
SHA256 21b2925cfc627a4d78b2a9a7798b35d4a4694741d25a46ad9cd643d02f00a63c
SHA512 37b9871cfa2fa0c84888bcdc2ec7487510a881ded96fb5f4f4d54e90593cd96462cf8428494f8581e0e49eadf6cc7f7b68aad5dc756338bfe560579a8d16017a

memory/4100-14-0x0000000074A6E000-0x0000000074A6F000-memory.dmp

memory/4100-15-0x0000000002120000-0x000000000213A000-memory.dmp

memory/4100-16-0x0000000074A60000-0x0000000075210000-memory.dmp

memory/4100-17-0x0000000074A60000-0x0000000075210000-memory.dmp

memory/4100-18-0x0000000004A20000-0x0000000004FC4000-memory.dmp

memory/4100-19-0x0000000004970000-0x0000000004988000-memory.dmp

memory/4100-47-0x0000000004970000-0x0000000004982000-memory.dmp

memory/4100-45-0x0000000004970000-0x0000000004982000-memory.dmp

memory/4100-43-0x0000000004970000-0x0000000004982000-memory.dmp

memory/4100-41-0x0000000004970000-0x0000000004982000-memory.dmp

memory/4100-39-0x0000000004970000-0x0000000004982000-memory.dmp

memory/4100-37-0x0000000004970000-0x0000000004982000-memory.dmp

memory/4100-35-0x0000000004970000-0x0000000004982000-memory.dmp

memory/4100-33-0x0000000004970000-0x0000000004982000-memory.dmp

memory/4100-31-0x0000000004970000-0x0000000004982000-memory.dmp

memory/4100-29-0x0000000004970000-0x0000000004982000-memory.dmp

memory/4100-27-0x0000000004970000-0x0000000004982000-memory.dmp

memory/4100-25-0x0000000004970000-0x0000000004982000-memory.dmp

memory/4100-23-0x0000000004970000-0x0000000004982000-memory.dmp

memory/4100-21-0x0000000004970000-0x0000000004982000-memory.dmp

memory/4100-20-0x0000000004970000-0x0000000004982000-memory.dmp

memory/4100-48-0x0000000074A6E000-0x0000000074A6F000-memory.dmp

memory/4100-49-0x0000000074A60000-0x0000000075210000-memory.dmp

memory/4100-51-0x0000000074A60000-0x0000000075210000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6137304.exe

MD5 d9a15ce2c578fc659f30592b83f9d413
SHA1 949bdf817c229976266b691c6782d8af7cd5f4e0
SHA256 1c2accd44808e80a86aba6f6aead3ab3e632bc17e36758a8f3fb5588efc7359a
SHA512 032b1c09d234b1e2d314354fc1052cefd9f87580976404d8c970ac9515a828024fabe223eda20a3fdb9949153dabf0f2f22c9f3eb3b827ede6e485c100c1ac37

memory/4852-55-0x00000000009C0000-0x00000000009F0000-memory.dmp

memory/4852-56-0x0000000002BA0000-0x0000000002BA6000-memory.dmp

memory/4852-57-0x000000000ADE0000-0x000000000B3F8000-memory.dmp

memory/4852-58-0x000000000A960000-0x000000000AA6A000-memory.dmp

memory/4852-59-0x000000000A890000-0x000000000A8A2000-memory.dmp

memory/4852-60-0x000000000A8F0000-0x000000000A92C000-memory.dmp

memory/4852-61-0x0000000004CE0000-0x0000000004D2C000-memory.dmp