Malware Analysis Report

2025-06-15 22:33

Sample ID: 241109-xx7kmazhkl
Target: 2201b327d5d997dc24f8fd89b33ce0d2edee4e786f5d4d8c9ed1ce969fa48fd5
SHA256: 2201b327d5d997dc24f8fd89b33ce0d2edee4e786f5d4d8c9ed1ce969fa48fd5
Tags: healer, redline, discovery, dropper, evasion, infostealer, persistence, trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10
SHA256: 2201b327d5d997dc24f8fd89b33ce0d2edee4e786f5d4d8c9ed1ce969fa48fd5
Threat level: Known bad

Summary: the sample is a 32-bit self-extracting dropper (an IExpress/wextract package; the IXP00n.TMP directories and the wextract_cleanup RunOnce entries recorded below are its fingerprints) that unpacks two further nested droppers, IXP000.TMP\un809319.exe and IXP001.TMP\un166304.exe, and from the innermost layer runs two payloads out of IXP002.TMP. pr807603.exe is the Healer component: it writes the Windows Defender real-time protection policy values to their disabled state and clears the TamperProtection feature flag, then crashes (two WerFault.exe instances handle PID 2744). qu025676.exe is, by elimination, the RedLine stealer; the report's RedLine YARA matches carry no file attribution. The only direct outbound connection observed is 185.161.248.152:38452/tcp, which the report does not attribute to a process but which is the endpoint to treat as the RedLine C2. Nothing in the report gives either payload a reboot-surviving autostart: the RunOnce entries only delete the temp directories at next logon.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

RedLine payload

Redline family

RedLine

Modifies Windows Defender Real-time Protection settings

Healer family

Healer

Detects Healer, an antivirus disabler dropper

Windows security modification

Executes dropped EXE

Adds Run key to start application

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Enterprise Matrix v15 techniques corresponding to the behavioral signatures reported below:
T1562.001 Impair Defenses: Disable or Modify Tools (Defender Real-Time Protection policy values and the TamperProtection flag written by pr807603.exe)
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (RunOnce writes; weak here, since the entries are wextract cleanup stubs rather than payload autostarts)
T1614.001 System Location Discovery: System Language Discovery (NLS\Language key read by every process in the chain)
T1057 Process Discovery (process enumeration by pr807603.exe)
T1134 Access Token Manipulation (SeDebugPrivilege requested by pr807603.exe and qu025676.exe)
T1055 Process Injection (the WriteProcessMemory signature; in this run every write is parent-to-child during process creation)

Analysis: static1

Detonation Overview

Reported: 2024-11-09 19:15

Signatures

Unsigned PE
The sample carries no Authenticode signature. The report records no indicator, process or target for this signature.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-09 19:15
Reported: 2024-11-09 19:17
Platform: win10v2004-20241007-en
Max time kernel: 144s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2201b327d5d997dc24f8fd89b33ce0d2edee4e786f5d4d8c9ed1ce969fa48fd5.exe"

Signatures

Detects Healer, an antivirus disabler dropper

17 rule matches; the report records no indicator, process or target for them. The Windows Defender policy writes by pr807603.exe (below) are the behaviour this rule describes.

Healer
Tags: dropper, healer

Healer family
Tags: healer

Modifies Windows Defender Real-time Protection settings
Tags: evasion, trojan

Process: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr807603.exe
Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
Values set (int) under that key:
DisableRealtimeMonitoring = 1
DisableBehaviorMonitoring = 1
DisableIOAVProtection = 1
DisableOnAccessProtection = 1
DisableScanOnRealtimeEnable = 1

These are the Group Policy values for Defender's real-time protection, the same names the Windows Defender ADMX policy writes under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection. Two points for anyone hunting on these: the key landed in the WOW6432Node view because pr807603.exe is a 32-bit process running under WoW64 registry redirection (the SysWOW64\WerFault.exe that handles its crash confirms the bitness), so a query must cover both the 64-bit and the 32-bit view; and on a host where Tamper Protection is enabled, Defender ignores registry changes to these settings, which is why the same process also tries to clear the TamperProtection feature flag (next signature). The report records only that the values were written, not that Defender honored them.

RedLine
Tags: infostealer, redline

RedLine payload

20 rule matches; the report records no indicator, process or target for them, so the matches do not by themselves say which dropped file carries the RedLine payload.

Redline family
Tags: redline

Windows security modification
Tags: evasion, trojan

Process: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr807603.exe
Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
Value set (int): TamperProtection = 0

TamperProtection under HKLM\SOFTWARE\Microsoft\Windows Defender\Features is the flag that Tamper Protection itself guards. Whether such a write succeeds on a production host depends on whether Tamper Protection is enabled and enforced there; the sandbox image evidently allowed it. Treat the attempt itself as the detection signal: Defender logs blocked changes to the Microsoft-Windows-Windows Defender/Operational channel as event ID 5013, and a successful write to this value from a process in %TEMP% is worth an alert on its own.

Adds Run key to start application
Tags: persistence

All three entries are written under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce:
wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" written by C:\Users\Admin\AppData\Local\Temp\2201b327d5d997dc24f8fd89b33ce0d2edee4e786f5d4d8c9ed1ce969fa48fd5.exe
wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" written by C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un809319.exe
wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" written by C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un166304.exe

These are not malware persistence. wextract.exe, the stub of an IExpress self-extracting package, unpacks into %TEMP%\IXP00n.TMP and registers a RunOnce entry named wextract_cleanupN that calls advpack.dll's DelNodeRunDLL32 to delete that directory at the next logon. The three entries therefore establish that the chain is three nested IExpress packages (the outer sample unpacks un809319.exe, which unpacks un166304.exe, which unpacks pr807603.exe and qu025676.exe), and nothing in them re-launches a payload after reboot. Read the "persistence" tag as the sandbox heuristic firing on any RunOnce write; if RedLine persists on this host, the mechanism is not recorded in this report.
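The registry events in the three signatures above (Defender Real-Time Protection policy values, the TamperProtection flag, and the RunOnce writes) can be triaged mechanically. The following is an added example, not code from the report or from either malware family: a small Python classifier that parses rows in this report's format and labels Defender policy writes, the TamperProtection flag, genuine Run/RunOnce autostarts and the benign wextract_cleanup stubs, while noting when a write went through the WOW6432Node view. The rows are copied from the tables above, except for one constructed Run entry with a hypothetical process and path (C:\hypothetical\...) added to show the contrast; the assumption that process paths contain no spaces and the ATT&CK labels are the example's own.

```python
"""Classify registry events from a sandbox report (added example).

Parses rows in the format used on this page ("Set value (...)", "Key created",
"Key opened", then the key path, optional data, the writing process and a
target column) and tags the ones that matter for this sample: Defender
real-time protection policy values (ATT&CK T1562.001), the Tamper Protection
feature flag, real Run/RunOnce autostarts (T1547.001) and the benign
wextract_cleanup RunOnce entries an IExpress self-extractor writes to delete
its own IXP00n.TMP directory. It also records whether the write went through
the WOW6432Node view, which marks a 32-bit writer under WoW64 redirection.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Windows Defender ADMX policy values under ...\Windows Defender\Real-Time Protection;
# a value of 1 switches the named component off when the policy is honored.
DEFENDER_RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableScanOnRealtimeEnable",
}

_ROW_RE = re.compile(r"^(?P<op>Set value \(\w+\)|Key created|Key opened) (?P<rest>.+)$")


@dataclass
class RegEvent:
    op: str            # "set", "create" or "open"
    path: str          # HKLM\..., with any WOW6432Node component removed
    wow64: bool        # True when the original path went through WOW6432Node
    value: str | None  # data for "set" events, else None
    process: str       # writing process image path


def parse_event(line: str) -> RegEvent:
    """Parse one row: '<op> <key path>[ = "<data>"] <process> N/A'.

    Assumes, as is true for this report, that the process path has no spaces;
    key paths and data may contain spaces and quotes.
    """
    body = line.strip()
    if body.endswith(" N/A"):
        body = body[: -len(" N/A")]
    body, process = body.rsplit(" ", 1)
    m = _ROW_RE.match(body)
    if not m:
        raise ValueError(f"unrecognised row: {line!r}")
    rest, value = m.group("rest"), None
    if m.group("op").startswith("Set value"):
        op = "set"
        rest, _, data = rest.partition(' = "')
        value = data[:-1] if data.endswith('"') else data
    elif m.group("op") == "Key created":
        op = "create"
    else:
        op = "open"
    path = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", rest, flags=re.IGNORECASE)
    wow64 = "\\WOW6432Node\\" in path
    return RegEvent(op, path.replace("\\WOW6432Node\\", "\\"), wow64, value, process)


def classify(ev: RegEvent) -> str | None:
    """Label an event that matters for this triage, or return None."""
    key, _, name = ev.path.rpartition("\\")
    key = key.lower()
    if ev.op != "set":
        return None
    if key.endswith(r"policies\microsoft\windows defender\real-time protection"):
        if name in DEFENDER_RTP_DISABLE_VALUES and ev.value == "1":
            return f"T1562.001 Defender real-time protection policy: {name}=1"
    if key.endswith(r"microsoft\windows defender\features") and name == "TamperProtection" and ev.value == "0":
        return "T1562.001 Defender Tamper Protection flag cleared"
    if key.endswith(r"currentversion\run") or key.endswith(r"currentversion\runonce"):
        # wextract (IExpress) registers a self-cleanup entry for its temp directory.
        if name.startswith("wextract_cleanup") and "advpack.dll,DelNodeRunDLL32" in (ev.value or ""):
            return f"IExpress SFX cleanup entry {name} (deletes temp dir at next logon; not persistence)"
        return f"T1547.001 autostart entry {name} -> {ev.value}"
    return None


def triage(rows: str) -> list[tuple[str, str]]:
    """Parse a block of rows and return (process, finding) pairs."""
    findings = []
    for line in rows.strip().splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        label = classify(ev)
        if label:
            if ev.wow64:
                label += " [32-bit view: WOW6432Node]"
            findings.append((ev.process, label))
    return findings


# Rows copied from this report, plus one constructed Run entry (hypothetical
# process and path) to show how a real autostart is labelled differently.
SAMPLE_ROWS = r'''
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr807603.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr807603.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr807603.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr807603.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\2201b327d5d997dc24f8fd89b33ce0d2edee4e786f5d4d8c9ed1ce969fa48fd5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\hypothetical\updater.exe" C:\hypothetical\dropper.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu025676.exe N/A
'''

if __name__ == "__main__":
    for process, finding in triage(SAMPLE_ROWS):
        print(f"{process}\n    {finding}")
```

Running the block prints five findings: two Defender policy values and the TamperProtection flag from pr807603.exe (all marked as WOW6432Node writes), the wextract_cleanup0 stub labelled as SFX cleanup, and only the constructed Updater entry labelled as a T1547.001 autostart. Removing the WOW6432Node component before matching is deliberate: a hunt that only matches the 64-bit path would miss exactly the keys this 32-bit sample writes.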

System Location Discovery: System Language Discovery
Tags: discovery

Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Opened by every process in the chain:
C:\Users\Admin\AppData\Local\Temp\2201b327d5d997dc24f8fd89b33ce0d2edee4e786f5d4d8c9ed1ce969fa48fd5.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un809319.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un166304.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr807603.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu025676.exe

Reading this key is one way a program learns the system language, and stealers that avoid CIS locales do it, but opening NLS\Language is also routine process start-up behaviour. All five processes trigger it, including the three generic IExpress stubs that contain no custom code, so the signature on its own is not evidence of a locale gate; the report records no locale-dependent exit.

Suspicious behavior: EnumeratesProcesses

Two events, both from C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr807603.exe; no further indicator recorded.

Suspicious use of AdjustPrivilegeToken

Token: SeDebugPrivilege requested by C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr807603.exe
Token: SeDebugPrivilege requested by C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu025676.exe

Suspicious use of WriteProcessMemory

Each row below appears three times in the report and is collapsed here with its count. Every write goes from a parent to the child it has just created, which is what ordinary process creation looks like to this signature; no process writes into anything outside the dropper chain, so the report holds no evidence of injection into an unrelated process.

PID 2844 wrote to PID 4900 (x3): C:\Users\Admin\AppData\Local\Temp\2201b327d5d997dc24f8fd89b33ce0d2edee4e786f5d4d8c9ed1ce969fa48fd5.exe to C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un809319.exe
PID 4900 wrote to PID 3916 (x3): C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un809319.exe to C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un166304.exe
PID 3916 wrote to PID 2744 (x3): C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un166304.exe to C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr807603.exe
PID 3916 wrote to PID 2328 (x3): C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un166304.exe to C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu025676.exe

Processes

Process tree, with PIDs taken from the WriteProcessMemory and WerFault entries above. The report lists each image twice, as path and as command line; only the top-level sample has a distinct quoted command line.

PID 2844  C:\Users\Admin\AppData\Local\Temp\2201b327d5d997dc24f8fd89b33ce0d2edee4e786f5d4d8c9ed1ce969fa48fd5.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\2201b327d5d997dc24f8fd89b33ce0d2edee4e786f5d4d8c9ed1ce969fa48fd5.exe"
  PID 4900  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un809319.exe
    PID 3916  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un166304.exe
      PID 2744  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr807603.exe (Healer: Defender policy writes, then crashes)
      PID 2328  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu025676.exe (RedLine component, by elimination)

Two WerFault.exe instances handle the crash of PID 2744; the SysWOW64 path confirms the faulting process is 32-bit:
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2744 -ip 2744
C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 1084

Network

Rows are collapsed by endpoint; Count is the number of times the row appears in the report, and the last column decodes each in-addr.arpa query name back to the address being reverse-resolved.

Country Destination Domain Proto Count Note
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp 1 PTR for 13.71.55.58
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp 1 PTR for 87.248.205.0
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp 1 PTR for 20.190.159.71
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp 1 PTR for 52.191.219.104
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp 1 PTR for 52.137.106.217
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp 1 PTR for 172.202.163.200
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp 1 PTR for 20.3.187.198
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp 1 PTR for 93.184.221.240
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp 1 PTR for 52.111.243.31
RU 185.161.248.152:38452 - tcp 7 direct connection

The nine UDP rows are reverse (PTR) lookups sent to the sandbox resolver 8.8.8.8. The report does not attribute them to a process, and reverse lookups of this kind are typical Windows background traffic in a sandbox, so neither the queries nor the decoded addresses should be treated as indicators for this sample without corroboration. The only direct outbound connection is 185.161.248.152:38452/tcp, attempted seven times, and that is the endpoint to carry forward as the RedLine C2 indicator.
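Separating the resolver noise from the real endpoint in a table like the one above is a routine triage step, and it is easy to get wrong by treating every row as an indicator. The following is an added example, not code from the report: a Python script that parses the rows in this report's format, decodes each in-addr.arpa query name back to the address being looked up, counts direct connections per endpoint, and lists the routable, non-resolver endpoints as C2 candidates. The rows are copied from the table above; the table format (country, host:port, optional query name, protocol) and the candidate filter are the example's own.

```python
"""Triage the Network table of a sandbox report (added example).

Splits the rows into reverse-DNS (PTR) lookups, decoded back to the address
that was looked up, and direct connections, then picks out the endpoints
worth treating as C2 candidates. The rows below are copied from this report.
"""
from __future__ import annotations

import ipaddress
from collections import Counter

# Rows copied from the Network table above (country, host:port, query name, proto).
SAMPLE_NETWORK = """\
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
RU 185.161.248.152:38452 tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
RU 185.161.248.152:38452 tcp
RU 185.161.248.152:38452 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
RU 185.161.248.152:38452 tcp
RU 185.161.248.152:38452 tcp
RU 185.161.248.152:38452 tcp
RU 185.161.248.152:38452 tcp
"""


def ptr_to_ip(qname: str) -> str | None:
    """Decode 'd.c.b.a.in-addr.arpa' to 'a.b.c.d'; None if it is not a PTR name."""
    suffix = ".in-addr.arpa"
    if not qname.lower().endswith(suffix):
        return None
    octets = qname[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    candidate = ".".join(reversed(octets))
    try:
        return str(ipaddress.IPv4Address(candidate))
    except ValueError:
        return None


def summarize(table: str) -> tuple[Counter, Counter]:
    """Return (ptr_lookups, direct): decoded PTR targets with counts, and
    (country, host, port, proto) tuples with counts for everything else."""
    ptr_lookups: Counter = Counter()
    direct: Counter = Counter()
    for line in table.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, qname, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            qname = None
        else:
            continue  # header or blank line
        host, _, port_s = dest.rpartition(":")
        port = int(port_s)
        target = ptr_to_ip(qname) if qname and port == 53 else None
        if target:
            ptr_lookups[target] += 1
        else:
            direct[(country, host, port, proto)] += 1
    return ptr_lookups, direct


def candidate_c2(direct: Counter) -> list[tuple[str, int, str, int]]:
    """Direct connections to routable, non-resolver endpoints, most frequent first."""
    out = []
    for (country, host, port, proto), n in direct.items():
        addr = ipaddress.ip_address(host)
        if addr.is_private or addr.is_loopback or addr.is_multicast or port == 53:
            continue
        out.append((host, port, proto, n))
    return sorted(out, key=lambda t: -t[3])


if __name__ == "__main__":
    ptr, direct = summarize(SAMPLE_NETWORK)
    print("PTR lookups:", dict(ptr))
    print("C2 candidates:", candidate_c2(direct))
```

On this report's rows the script yields nine decoded PTR targets and a single C2 candidate, 185.161.248.152:38452/tcp with seven connection attempts. The decoded addresses are kept separately rather than discarded so an analyst can check them against known telemetry ranges before deciding they are noise.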

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un809319.exe

MD5 faa640064ff300488234ad6ae6d1c87e
SHA1 deb68b35e8fa7012759fa88ca9cfaeb316053fb2
SHA256 b752e39b56ec2e35d8c98cb046adcde8f2b0a49fa2c6d655aa13a95faba9d90e
SHA512 309c7e2e32fec3f8dcd3aa3ba625da4b557230a6410f71a928a86b6811ab49b0e8b931e5e5c6409acca0bcd4b5d37261ffb88e6f761bb84533fe02ae4865c055

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un166304.exe

MD5 d6b320171c04cd1237f4d1a814273149
SHA1 513f45f52e8a16ba57286d112933400771bfb764
SHA256 23f5a843afcb501b4f8311efde8584046b14ab447f588f516131fb1778e389e7
SHA512 e1386bf1a05e78d246d525e67cc3a40b63d16ccce0052e30d7ddc53056683385a25c01b65b15a9e762108ebb2555a5937e833ae145d4bfcfb92e566a11bee259

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr807603.exe

MD5 54ff9071d51523feb52b001939429e80
SHA1 a1dcebc980fd416f30aaa4add110c1c0457c351a
SHA256 677c67bee6604ad04d4c0609dafac523d754ce7cb6359a78c3fb6aa660baa204
SHA512 1a921bbe67e9cb8f3be00715c15c7565abee9f598ac2558cdb48304749ef7bdb75971193d9a522e341e5d14df085f09310592d5e9eae404bc1e18d04fe11753c

Memory dumps taken from PID 2744 (pr807603.exe); the dump name encodes the PID and a sequence number:

memory/2744-22: 0x04A20000-0x04A3A000
memory/2744-23: 0x07430000-0x079D4000
memory/2744-24: 0x04CD0000-0x04CE8000
memory/2744-25 through 2744-52 (15 dumps: 25, 26, 28, 30, 32, 34, 36, 38, 41, 42, 45, 46, 48, 50, 52): 0x04CD0000-0x04CE2000, the same 72 KB region dumped repeatedly
memory/2744-53: 0x00400000-0x02B9F000, the main image mapping (roughly 40 MB)

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu025676.exe

MD5 28fb4b8402cd7f26410fb2329c3af508
SHA1 fcdb0b203d5c2167c6ba0be51ff4ef150cd0c14e
SHA256 cfebbdf96642b674be1bc0d25a21d72743041ef89ee456a984be4bd706869646
SHA512 32dcf10f70dd1a5c90f528e96c02a09f79434880d09ddac38c78eef71a73048d0ce9aec687528f1be21f5ef9b7702396b3591c11c599e8a6249c72dc9e55410f

memory/2744-55: 0x00400000-0x02B9F000 (PID 2744, pr807603.exe; kept here in the report's original order)

Memory dumps taken from PID 2328 (qu025676.exe):

memory/2328-60: 0x04D60000-0x04D9C000
memory/2328-61: 0x07800000-0x0783A000
memory/2328-62 through 2328-95 (18 dumps: 62, 63, 65, 67, 69, 71, 73, 75, 77, 79, 81, 83, 85, 87, 89, 92, 93, 95): 0x07800000-0x07835000, the same 212 KB region dumped repeatedly
memory/2328-854: 0x09D00000-0x0A318000
memory/2328-855: 0x04DA0000-0x04DB2000
memory/2328-856: 0x0A360000-0x0A46A000
memory/2328-857: 0x0A480000-0x0A4BC000
memory/2328-858: 0x04B10000-0x04B5C000