Malware Analysis Report

2025-08-05 10:41

Sample ID 241109-gy87vaylgs
Target 5ca0cd511e408a071972d134c15e650d7c96e3574ac05b282493efa40b6a95e3
SHA256 5ca0cd511e408a071972d134c15e650d7c96e3574ac05b282493efa40b6a95e3
Tags
healer redline diza norm discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5ca0cd511e408a071972d134c15e650d7c96e3574ac05b282493efa40b6a95e3

Threat Level: Known bad

The file 5ca0cd511e408a071972d134c15e650d7c96e3574ac05b282493efa40b6a95e3 was found to be: Known bad.

Malicious Activity Summary

healer redline diza norm discovery dropper evasion infostealer persistence trojan

Healer

Healer family

RedLine payload

Redline family

Detects Healer an antivirus disabler dropper

RedLine

Modifies Windows Defender Real-time Protection settings

Checks computer location settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 06:13

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 06:13

Reported

2024-11-09 06:16

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5ca0cd511e408a071972d134c15e650d7c96e3574ac05b282493efa40b6a95e3.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0545.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0545.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0545.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0545.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0545.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0545.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9839.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0545.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0545.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\5ca0cd511e408a071972d134c15e650d7c96e3574ac05b282493efa40b6a95e3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un014368.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9839.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si872192.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5ca0cd511e408a071972d134c15e650d7c96e3574ac05b282493efa40b6a95e3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un014368.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0545.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0545.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0545.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0545.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9839.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2008 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\5ca0cd511e408a071972d134c15e650d7c96e3574ac05b282493efa40b6a95e3.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un014368.exe
PID 2008 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\5ca0cd511e408a071972d134c15e650d7c96e3574ac05b282493efa40b6a95e3.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un014368.exe
PID 2008 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\5ca0cd511e408a071972d134c15e650d7c96e3574ac05b282493efa40b6a95e3.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un014368.exe
PID 4988 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un014368.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0545.exe
PID 4988 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un014368.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0545.exe
PID 4988 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un014368.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0545.exe
PID 4988 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un014368.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9839.exe
PID 4988 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un014368.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9839.exe
PID 4988 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un014368.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9839.exe
PID 744 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9839.exe C:\Windows\Temp\1.exe
PID 744 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9839.exe C:\Windows\Temp\1.exe
PID 744 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9839.exe C:\Windows\Temp\1.exe
PID 2008 wrote to memory of 5380 N/A C:\Users\Admin\AppData\Local\Temp\5ca0cd511e408a071972d134c15e650d7c96e3574ac05b282493efa40b6a95e3.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si872192.exe
PID 2008 wrote to memory of 5380 N/A C:\Users\Admin\AppData\Local\Temp\5ca0cd511e408a071972d134c15e650d7c96e3574ac05b282493efa40b6a95e3.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si872192.exe
PID 2008 wrote to memory of 5380 N/A C:\Users\Admin\AppData\Local\Temp\5ca0cd511e408a071972d134c15e650d7c96e3574ac05b282493efa40b6a95e3.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si872192.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5ca0cd511e408a071972d134c15e650d7c96e3574ac05b282493efa40b6a95e3.exe

"C:\Users\Admin\AppData\Local\Temp\5ca0cd511e408a071972d134c15e650d7c96e3574ac05b282493efa40b6a95e3.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un014368.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un014368.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0545.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0545.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3068 -ip 3068

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 1064

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9839.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9839.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 744 -ip 744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 1380

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si872192.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si872192.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 71.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un014368.exe

MD5 dcb3ff36592e8ca3be9ebb7c17375a19
SHA1 e83619d387e78316c3b40972a02916fbd6ff6631
SHA256 3ceae599118641e6e967a8f90bec1f9067321ffd431193e5bf9e195dbb426578
SHA512 60b393fb06280a70e61b2739a853d53bfe3cd69ae6d47b5bcb94511855ac5f0a9215420db58775e06d0cbbf534d7e9750545f5fc7ed2d937514059fe943a90a2

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0545.exe

MD5 e3171514dec989f0dcd261a9c9d63faf
SHA1 848373beb17df6ddc6ab9ce65800038e96dd4a84
SHA256 1d7cdd0ac0274e6c558446602ff6170b8a60793c774c53168d163cb7b1496a39
SHA512 59b0700acb8a8b8b2cd7be46daa2986b1a0d031ec8738757e5ccee41b1e1a98f718848e8a257fae83ba46538bf7d55d62e5184eb6e182edc35abd5616f4c27a6

memory/3068-16-0x0000000000590000-0x00000000005BD000-memory.dmp

memory/3068-15-0x00000000007D0000-0x00000000008D0000-memory.dmp

memory/3068-17-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3068-18-0x0000000000400000-0x00000000004AA000-memory.dmp

memory/3068-19-0x0000000002360000-0x000000000237A000-memory.dmp

memory/3068-20-0x0000000004BB0000-0x0000000005154000-memory.dmp

memory/3068-21-0x0000000004A40000-0x0000000004A58000-memory.dmp

memory/3068-49-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/3068-47-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/3068-45-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/3068-43-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/3068-41-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/3068-39-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/3068-38-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/3068-35-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/3068-33-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/3068-31-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/3068-29-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/3068-27-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/3068-25-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/3068-23-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/3068-22-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/3068-50-0x00000000007D0000-0x00000000008D0000-memory.dmp

memory/3068-51-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3068-54-0x0000000000400000-0x00000000004AA000-memory.dmp

memory/3068-55-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9839.exe

MD5 c6301333ecc83e4213ea075d85498418
SHA1 205fc1a1eb505bcc47f6dc6f01dde47d8978ac8b
SHA256 d7cadee8d3a219e974bf24300d35058846c69f70bca2e0bfe1b4a12e22c70762
SHA512 eb4b278a1fa33b15a06eda1e24293ed62c4fb28bdca58190953d90f958cbabedce1f814fa08a7bba1409ac722ac3db6a1e76b4b16c802d7e373c87961f7c5351

memory/744-60-0x0000000004BE0000-0x0000000004C46000-memory.dmp

memory/744-61-0x0000000005200000-0x0000000005266000-memory.dmp

memory/744-75-0x0000000005200000-0x000000000525F000-memory.dmp

memory/744-79-0x0000000005200000-0x000000000525F000-memory.dmp

memory/744-95-0x0000000005200000-0x000000000525F000-memory.dmp

memory/744-91-0x0000000005200000-0x000000000525F000-memory.dmp

memory/744-89-0x0000000005200000-0x000000000525F000-memory.dmp

memory/744-87-0x0000000005200000-0x000000000525F000-memory.dmp

memory/744-85-0x0000000005200000-0x000000000525F000-memory.dmp

memory/744-83-0x0000000005200000-0x000000000525F000-memory.dmp

memory/744-81-0x0000000005200000-0x000000000525F000-memory.dmp

memory/744-77-0x0000000005200000-0x000000000525F000-memory.dmp

memory/744-73-0x0000000005200000-0x000000000525F000-memory.dmp

memory/744-71-0x0000000005200000-0x000000000525F000-memory.dmp

memory/744-69-0x0000000005200000-0x000000000525F000-memory.dmp

memory/744-67-0x0000000005200000-0x000000000525F000-memory.dmp

memory/744-65-0x0000000005200000-0x000000000525F000-memory.dmp

memory/744-63-0x0000000005200000-0x000000000525F000-memory.dmp

memory/744-93-0x0000000005200000-0x000000000525F000-memory.dmp

memory/744-62-0x0000000005200000-0x000000000525F000-memory.dmp

memory/744-2142-0x0000000005400000-0x0000000005432000-memory.dmp

C:\Windows\Temp\1.exe

MD5 1073b2e7f778788852d3f7bb79929882
SHA1 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256 c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA512 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

memory/2300-2155-0x0000000000D80000-0x0000000000DB0000-memory.dmp

memory/2300-2156-0x0000000003090000-0x0000000003096000-memory.dmp

memory/2300-2157-0x0000000005CA0000-0x00000000062B8000-memory.dmp

memory/2300-2158-0x00000000057D0000-0x00000000058DA000-memory.dmp

memory/2300-2159-0x0000000005700000-0x0000000005712000-memory.dmp

memory/2300-2160-0x0000000005760000-0x000000000579C000-memory.dmp

memory/2300-2162-0x00000000058E0000-0x000000000592C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si872192.exe

MD5 1779849e50c857605f4f3c7da771f563
SHA1 f2200d647f0b451366dcaceba994a9592e9cdbd9
SHA256 bf9b2f74e3eb0c5772901b0d11ae520a355cdd56f9d675bf00f408ed436bfc16
SHA512 01ec0d9945be7a7e6b048329dcb863df9bcbb33143cc12c372b9fd9f18eab3675114b77b1352e5a663189689330c5e2fc6138255374ad4793f32000a3682e43f

memory/5380-2166-0x0000000000B30000-0x0000000000B5E000-memory.dmp

memory/5380-2167-0x0000000005350000-0x0000000005356000-memory.dmp