Malware Analysis Report

2025-06-15 22:33

Sample ID 241109-x1rnkszkew
Target 57fde9366ce674fe1f1ac7579350179f7e95338b0fadfc64cad73200d2b9122b
SHA256 57fde9366ce674fe1f1ac7579350179f7e95338b0fadfc64cad73200d2b9122b
Tags
healer redline mazda discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 57fde9366ce674fe1f1ac7579350179f7e95338b0fadfc64cad73200d2b9122b was found to be: Known bad.

Malicious Activity Summary

Modifies Windows Defender Real-time Protection settings

Healer

Redline family

Detects Healer, an antivirus disabler dropper

RedLine

RedLine payload

Healer family

Windows security modification

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 19:19

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 19:19

Reported

2024-11-09 19:22

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\57fde9366ce674fe1f1ac7579350179f7e95338b0fadfc64cad73200d2b9122b.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1127248.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1127248.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1127248.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1127248.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1127248.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1127248.exe N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1127248.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1127248.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\57fde9366ce674fe1f1ac7579350179f7e95338b0fadfc64cad73200d2b9122b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0542600.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4402829.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0075410.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3317171.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0542600.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4402829.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0075410.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3317171.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1127248.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8570157.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\57fde9366ce674fe1f1ac7579350179f7e95338b0fadfc64cad73200d2b9122b.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1127248.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1127248.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2408 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\57fde9366ce674fe1f1ac7579350179f7e95338b0fadfc64cad73200d2b9122b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0542600.exe
PID 2452 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0542600.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4402829.exe
PID 3280 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4402829.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0075410.exe
PID 3668 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0075410.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3317171.exe
PID 5104 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3317171.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1127248.exe
PID 5104 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3317171.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8570157.exe

Processes

C:\Users\Admin\AppData\Local\Temp\57fde9366ce674fe1f1ac7579350179f7e95338b0fadfc64cad73200d2b9122b.exe

"C:\Users\Admin\AppData\Local\Temp\57fde9366ce674fe1f1ac7579350179f7e95338b0fadfc64cad73200d2b9122b.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0542600.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4402829.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0075410.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3317171.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1127248.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2788 -ip 2788

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 1088

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8570157.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
CY 217.196.96.56:4138 tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 68.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
CY 217.196.96.56:4138 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
CY 217.196.96.56:4138 tcp
CY 217.196.96.56:4138 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
CY 217.196.96.56:4138 tcp
CY 217.196.96.56:4138 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0542600.exe

MD5 c2bbe8bd1e80a2f48059b04c7cd11bde
SHA1 64e97c9b7893d40a930443dcf743df7a5dcb7f4e
SHA256 13551439918324677f46962917b0f0dc0b71b89fc67df72dd07efcf29f4cb5d0
SHA512 96580c2b641554d207fc20babd7ad1d73e803739e1cfd38b3c8363b9fe2d3222748e6cc6df159cbdf910104a9af03a99f619fa22ad283569522e61da7c0aec2c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4402829.exe

MD5 eddf4f2b1482817ff4b22823517d5678
SHA1 9febdb700493319e91a4dd894f78be7b33a38dcf
SHA256 1cb3196e4ec73885fab962b0ee3a4fb305b5bb7fc3672290daf85b732f35eeba
SHA512 b1d1eb848bce392f65035ad7f3af4a206aa8b96a960b2fe7e3f6fbdf95f8e287469d67982ad531c357ab5672f91d9e836c9d0e170e2a0d4f1ea6916c1a57b6b2

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0075410.exe

MD5 29131b1510b1b60f24352ed1edd40526
SHA1 ddd34b1b990f6647e22d5e16db081616aee8ce39
SHA256 bac40793b843f87dd8f4c27dbfa2e3f36bc35867b330ae802ae1cf7c8965716a
SHA512 f78b117984cbb48ac2c2d2c9b2e5b1ca90f87b7968366f1e20a96da939b03a386e06544b21dbc8a2ba32ac898e1285c2d335a69aa8be8698f639bffe2ec807ff

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3317171.exe

MD5 629e40181ab18436bdc0095fbdcce0f1
SHA1 cea24929d12f7c81cbe99f18dab5730a754b8b31
SHA256 34a34c89818be9d879d4cfa9f0d106626140cc34055872a76d0d684c40dcc750
SHA512 1828bf8f2305ae0fd7ee9092643ee3a5dca0a0148c729e1ad71dc117b2fb7b4abcddd3f1de96fa9c87c6b925a3e44ee698641c2654451682b77080c5aab051e2

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1127248.exe

MD5 11c6770626e17a30d4078e870bfd8cf6
SHA1 279419e5f9ee1d8d1ca29d4f0e10212dcc61943c
SHA256 9821b56849736195bdea8ee32b4794373fbc98a8669b628ce428f54444d1a432
SHA512 bf4630950b146da923d7d73804fc85b60a11b9ad935ed70476d5ceb624f60a80c3a59d8b0c12b4e18c8581a598d92caf2048ceebaccb19d680e473624dc5931c

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8570157.exe

MD5 64bc6d593b05287b0a7674bcb311024e
SHA1 bc81dd0d632087e20a2bf5e161265590eae494bc
SHA256 751dfc69bf3afc492291aee956716913be2aa6178c51e7d876793bafb16cc028
SHA512 ddd691024c3798b6ea3d2e8a46bb58ce07697db3a3de085ced9bd5f1fcb2a4132f613b2ee9dbd2e354c6941aaf857245ee0a1bddded1bcd929efba21a4b53134
