Malware Analysis Report

2025-08-05 10:41

Sample ID: 241109-gyzneazamq
Target: 681bdddbc813707f27535eeb58c3bbed7c25ebcb4dc3466064d4d8f155239a8a
SHA256: 681bdddbc813707f27535eeb58c3bbed7c25ebcb4dc3466064d4d8f155239a8a
Tags: healer redline diza norm discovery dropper evasion infostealer persistence trojan
Score: 10/10

Analysis Overview

Score: 10/10
SHA256: 681bdddbc813707f27535eeb58c3bbed7c25ebcb4dc3466064d4d8f155239a8a
Threat Level: Known bad

The file 681bdddbc813707f27535eeb58c3bbed7c25ebcb4dc3466064d4d8f155239a8a was found to be: Known bad.

Malicious Activity Summary

healer redline diza norm discovery dropper evasion infostealer persistence trojan

Healer

Healer family

RedLine payload

Detects Healer an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

Redline family

RedLine

Executes dropped EXE

Checks computer location settings

Windows security modification

Adds Run key to start application

Enumerates physical storage devices

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-09 06:13

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-09 06:13
Reported: 2024-11-09 06:16
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\681bdddbc813707f27535eeb58c3bbed7c25ebcb4dc3466064d4d8f155239a8a.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

Tags: evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2250.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2250.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2250.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2250.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2250.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2250.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Redline family

redline

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6228.exe | N/A

Windows security modification

Tags: evasion trojan

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2250.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2250.exe | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\681bdddbc813707f27535eeb58c3bbed7c25ebcb4dc3466064d4d8f155239a8a.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un387081.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\681bdddbc813707f27535eeb58c3bbed7c25ebcb4dc3466064d4d8f155239a8a.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un387081.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2250.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6228.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\1.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si911341.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2250.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2250.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6228.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2844 wrote to memory of 2376 | N/A | C:\Users\Admin\AppData\Local\Temp\681bdddbc813707f27535eeb58c3bbed7c25ebcb4dc3466064d4d8f155239a8a.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un387081.exe
PID 2844 wrote to memory of 2376 | N/A | C:\Users\Admin\AppData\Local\Temp\681bdddbc813707f27535eeb58c3bbed7c25ebcb4dc3466064d4d8f155239a8a.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un387081.exe
PID 2844 wrote to memory of 2376 | N/A | C:\Users\Admin\AppData\Local\Temp\681bdddbc813707f27535eeb58c3bbed7c25ebcb4dc3466064d4d8f155239a8a.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un387081.exe
PID 2376 wrote to memory of 1908 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un387081.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2250.exe
PID 2376 wrote to memory of 1908 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un387081.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2250.exe
PID 2376 wrote to memory of 1908 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un387081.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2250.exe
PID 2376 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un387081.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6228.exe
PID 2376 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un387081.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6228.exe
PID 2376 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un387081.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6228.exe
PID 2716 wrote to memory of 1220 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6228.exe | C:\Windows\Temp\1.exe
PID 2716 wrote to memory of 1220 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6228.exe | C:\Windows\Temp\1.exe
PID 2716 wrote to memory of 1220 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6228.exe | C:\Windows\Temp\1.exe
PID 2844 wrote to memory of 5860 | N/A | C:\Users\Admin\AppData\Local\Temp\681bdddbc813707f27535eeb58c3bbed7c25ebcb4dc3466064d4d8f155239a8a.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si911341.exe
PID 2844 wrote to memory of 5860 | N/A | C:\Users\Admin\AppData\Local\Temp\681bdddbc813707f27535eeb58c3bbed7c25ebcb4dc3466064d4d8f155239a8a.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si911341.exe
PID 2844 wrote to memory of 5860 | N/A | C:\Users\Admin\AppData\Local\Temp\681bdddbc813707f27535eeb58c3bbed7c25ebcb4dc3466064d4d8f155239a8a.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si911341.exe

Processes

Image: C:\Users\Admin\AppData\Local\Temp\681bdddbc813707f27535eeb58c3bbed7c25ebcb4dc3466064d4d8f155239a8a.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\681bdddbc813707f27535eeb58c3bbed7c25ebcb4dc3466064d4d8f155239a8a.exe"

Image: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un387081.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un387081.exe

Image: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2250.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2250.exe

Image: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1908 -ip 1908

Image: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 1080

Image: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6228.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6228.exe

Image: C:\Windows\Temp\1.exe
Command line: "C:\Windows\Temp\1.exe"

Image: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2716 -ip 2716

Image: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 1384

Image: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si911341.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si911341.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 11.179.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un387081.exe

MD5 a83390771661b778c5264ddff063612f
SHA1 e44033bc16beab8c7ea85bf74b3d1b13de2c19ef
SHA256 76ed9156c8834ceb8021ae2e13deb5fc837c51ce033c9d8e79770715e5bbc592
SHA512 712ca828ec3f3ed2e6a91c2470f61cd1747da7d2e8aa82525473fb5b06e98f87634d76d77295b3a1ad4bf73cb6de793de1a9aff1891a134bb0bac6550b0658b7

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2250.exe

MD5 1f353e917212ab5817881bb30467d069
SHA1 02bb0a1a712d7e4a51153e9de30a5213ba29c479
SHA256 164bfbc72b0d102c62c7968bd3dae8e76c09175b42165a2a2d8edcde5b2b03d1
SHA512 d6be32a19dab45b25b64e6d0a151e19d3eeea59bbf23b2d6a7cf82495cad286681672603e5a882f10ba19f287b6dd20f8f3025e19b212d9297490f2219be3eb3

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6228.exe

MD5 16f6534102f9362240780ba38edf0506
SHA1 478165acf371d34e2e8fd29bbac99678eb40bdd7
SHA256 7db3ecfabc6a6ddb45ea6af69fdcfb19ac3552a5fd30295e7e08e600ce581519
SHA512 48720278dfa1f8f6e94517f41f649ae00989eecc7ded60a8c84e04e1cd621d6ae5de605fb8b32fbc889ceeb149062bc1b9716ab1bc96fa56f7e5a934eb674cd1

C:\Windows\Temp\1.exe

MD5 1073b2e7f778788852d3f7bb79929882
SHA1 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256 c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA512 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si911341.exe

MD5 d0e4a53a3b8ebf080b1ec8f4296b61ac
SHA1 26bd78f013cdd1ad4b890e3b4247606152cc84c3
SHA256 f21c5547e251fd012a2d5879d61253a84c33d74bac3d2ccfb2c48920f72d4532
SHA512 9f6e0d44a26df770bc7bee39dfbb59b7bb567b90a41ee742abf69ee5fd6918245bed9a053f5c8e2adfe4dee706a683c2321901a044519fa626ae5aac9dcf6902
