Malware Analysis Report

2025-06-15 23:32

Sample ID 241109-xv7gvazjfz
Target 69daf2790ceb24aee42cf84769711a86d6fdc8d154c02f270690cb78db16c883
SHA256 69daf2790ceb24aee42cf84769711a86d6fdc8d154c02f270690cb78db16c883
Tags
healer redline divan discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 69daf2790ceb24aee42cf84769711a86d6fdc8d154c02f270690cb78db16c883 was found to be: Known bad.

Malicious Activity Summary

Healer family

Redline family

RedLine

Detects Healer an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

RedLine payload

Healer

Windows security modification

Executes dropped EXE

Adds Run key to start application

Launches sc.exe

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 19:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 19:11

Reported

2024-11-09 19:14

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\69daf2790ceb24aee42cf84769711a86d6fdc8d154c02f270690cb78db16c883.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7002066.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7002066.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7002066.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7002066.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7002066.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7002066.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7002066.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7002066.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\69daf2790ceb24aee42cf84769711a86d6fdc8d154c02f270690cb78db16c883.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4054976.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\69daf2790ceb24aee42cf84769711a86d6fdc8d154c02f270690cb78db16c883.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4054976.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7002066.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8054180.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7002066.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7002066.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2788 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\69daf2790ceb24aee42cf84769711a86d6fdc8d154c02f270690cb78db16c883.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4054976.exe
PID 1148 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4054976.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7002066.exe
PID 1148 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4054976.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8054180.exe

Processes

C:\Users\Admin\AppData\Local\Temp\69daf2790ceb24aee42cf84769711a86d6fdc8d154c02f270690cb78db16c883.exe

"C:\Users\Admin\AppData\Local\Temp\69daf2790ceb24aee42cf84769711a86d6fdc8d154c02f270690cb78db16c883.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4054976.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7002066.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8054180.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network


Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4054976.exe

MD5 6d15e00817aa20f7bf8f3541e8433ef8
SHA1 094621e968a28200b92530e529ed0465538a8898
SHA256 e45f45d2f0de02960286060a317b613de93644b28a39b6dce8542bc305db91db
SHA512 57c36eb8278f980b3e34a11d5379cf005bae1bae35039a3ec2bb6c0977ba5358868fd9766073e2a30ee05661d88fad0285682192123a030e2079c3209447f4a2

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7002066.exe

MD5 19a88f76160979bf1b4e0142c16e252f
SHA1 c48d549ef2248795e2921790e209ff4d53354c5b
SHA256 6ffc768ddae33b68433997d71f8e32804942e3a2d4f19bebe3553b0c9ce08b00
SHA512 36fd1564b93f0dc73809ac5e4963766986932394fed9e0c33d8216132c8947ea560042ac21ff452298e5147b0b2513f1cbac6e7db1fe243d07f1e131c027a757

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8054180.exe

MD5 552d1669d62cbb55067b5cd95e6f8180
SHA1 10459cfb70045704f86f107e4e90a160a4276733
SHA256 ea495e75d19e92b6402f6555707710badc2ca3e4d8dfb73ef15b8d12cd23db4b
SHA512 492bac6745f3341e00f10cb63edd1bec548c12739de3988ef08fffd78ac3c9b71a0f4d7c339d926dc13e35b191b6f16eb7684b30a02b1d9c7605b2b037790e6d
