Malware Analysis Report

2025-06-15 22:33

Sample ID 241109-xzpslazhnn
Target 696ae6972bf7e487efe8e460cd3a854618b403b39eb64c9ab76911abcb2fc6fd
SHA256 696ae6972bf7e487efe8e460cd3a854618b403b39eb64c9ab76911abcb2fc6fd
Tags
healer redline gena discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

696ae6972bf7e487efe8e460cd3a854618b403b39eb64c9ab76911abcb2fc6fd

Threat Level: Known bad

The file 696ae6972bf7e487efe8e460cd3a854618b403b39eb64c9ab76911abcb2fc6fd was found to be: Known bad.

Malicious Activity Summary

healer redline gena discovery dropper evasion infostealer persistence trojan

Detects Healer an antivirus disabler dropper

RedLine

Healer family

Healer

Redline family

RedLine payload

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Launches sc.exe

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 19:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 19:17

Reported

2024-11-09 19:20

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\696ae6972bf7e487efe8e460cd3a854618b403b39eb64c9ab76911abcb2fc6fd.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro0135.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro0135.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro0135.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu0050.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu0050.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu0050.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro0135.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro0135.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu0050.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu0050.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu0050.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro0135.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro0135.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu0050.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu0050.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\696ae6972bf7e487efe8e460cd3a854618b403b39eb64c9ab76911abcb2fc6fd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio6146.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio4780.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rNi33s05.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\696ae6972bf7e487efe8e460cd3a854618b403b39eb64c9ab76911abcb2fc6fd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio6146.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio4780.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu0050.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro0135.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu0050.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rNi33s05.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2384 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\696ae6972bf7e487efe8e460cd3a854618b403b39eb64c9ab76911abcb2fc6fd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio6146.exe
PID 2384 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\696ae6972bf7e487efe8e460cd3a854618b403b39eb64c9ab76911abcb2fc6fd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio6146.exe
PID 2384 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\696ae6972bf7e487efe8e460cd3a854618b403b39eb64c9ab76911abcb2fc6fd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio6146.exe
PID 4860 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio6146.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio4780.exe
PID 4860 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio6146.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio4780.exe
PID 4860 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio6146.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio4780.exe
PID 4676 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio4780.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro0135.exe
PID 4676 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio4780.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro0135.exe
PID 4676 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio4780.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu0050.exe
PID 4676 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio4780.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu0050.exe
PID 4676 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio4780.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu0050.exe
PID 4860 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio6146.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rNi33s05.exe
PID 4860 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio6146.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rNi33s05.exe
PID 4860 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio6146.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rNi33s05.exe

Processes

C:\Users\Admin\AppData\Local\Temp\696ae6972bf7e487efe8e460cd3a854618b403b39eb64c9ab76911abcb2fc6fd.exe

"C:\Users\Admin\AppData\Local\Temp\696ae6972bf7e487efe8e460cd3a854618b403b39eb64c9ab76911abcb2fc6fd.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio6146.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio6146.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio4780.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio4780.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro0135.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro0135.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu0050.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu0050.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2212 -ip 2212

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rNi33s05.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rNi33s05.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.233.20.30:4125 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
RU 193.233.20.30:4125 tcp
RU 193.233.20.30:4125 tcp
RU 193.233.20.30:4125 tcp
RU 193.233.20.30:4125 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio6146.exe

MD5 a76c1e99d80ec891690fcab1a0f78dd6
SHA1 54a92b0a5e954fd298580ae6058a31d40954dce0
SHA256 0e73e8542a4b90788ff646b178b4e93e30d29bbebe367332386b658bee8a113b
SHA512 3c42cfa2c5cc73103b14aedf639f76164e041db5f95c2c507e9149ec30e90b98624ec68e00b9bb9da3dd0cc4933b3f583f27f918c1bb741e593bbb68baf9b520

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio4780.exe

MD5 6dd02250831223d5348e6e437eed1f33
SHA1 b7b4ec55c3f28f7c8151a54f63a35d6e024854ae
SHA256 0a4429b98bd76db3dccb7b579176a7cc04c2afe675a04a4b7a2f35f1774606e9
SHA512 927a4feef744f2c6af6d7c9a448feb37ce3b79c0474f5f00f80a85ddf599ae80b3f187cfe5595af4a27937ba55340a29a81af3dff95f0f28e4b367958710ef9e

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro0135.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/808-21-0x00007FFFA23C3000-0x00007FFFA23C5000-memory.dmp

memory/808-22-0x0000000000EB0000-0x0000000000EBA000-memory.dmp

memory/808-23-0x00007FFFA23C3000-0x00007FFFA23C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu0050.exe

MD5 c2c79f1fa2b25d2a5a03d596af6fe477
SHA1 2f6870269f1eb28246e448e09c27661b2ab8a652
SHA256 4025d8579487ce98aa787f9832d15061aaa0d337c7fa3637462420debe1b7a94
SHA512 5f97dbb4157205449512510af674e48d516096e57c8092f7bfdba5978303e7edc318202b39e56e7854f2886bb53be36a906c0081e45c52637ccd0199d2eda80e

memory/2212-29-0x0000000004900000-0x000000000491A000-memory.dmp

memory/2212-30-0x0000000007290000-0x0000000007834000-memory.dmp

memory/2212-31-0x0000000004B40000-0x0000000004B58000-memory.dmp

memory/2212-32-0x0000000004B40000-0x0000000004B52000-memory.dmp

memory/2212-39-0x0000000004B40000-0x0000000004B52000-memory.dmp

memory/2212-59-0x0000000004B40000-0x0000000004B52000-memory.dmp

memory/2212-57-0x0000000004B40000-0x0000000004B52000-memory.dmp

memory/2212-55-0x0000000004B40000-0x0000000004B52000-memory.dmp

memory/2212-54-0x0000000004B40000-0x0000000004B52000-memory.dmp

memory/2212-52-0x0000000004B40000-0x0000000004B52000-memory.dmp

memory/2212-49-0x0000000004B40000-0x0000000004B52000-memory.dmp

memory/2212-47-0x0000000004B40000-0x0000000004B52000-memory.dmp

memory/2212-45-0x0000000004B40000-0x0000000004B52000-memory.dmp

memory/2212-43-0x0000000004B40000-0x0000000004B52000-memory.dmp

memory/2212-41-0x0000000004B40000-0x0000000004B52000-memory.dmp

memory/2212-37-0x0000000004B40000-0x0000000004B52000-memory.dmp

memory/2212-35-0x0000000004B40000-0x0000000004B52000-memory.dmp

memory/2212-33-0x0000000004B40000-0x0000000004B52000-memory.dmp

memory/2212-60-0x0000000000400000-0x0000000002B03000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rNi33s05.exe

MD5 e3ddd2e1d0c4b4ac9ac630bcc7593ff6
SHA1 fc89b3f3d9c1f846c45623d3a035b90b55e45bb6
SHA256 909f86a3809e2d355699b5cb68e902411b6211f7ae3d2cfbf596a3e1bc161004
SHA512 718c990ee39e334b72b837103e00b489c9f2bb1f834d8f993ab6a1c369c3a1a65f9c64b8e1c12d23b03f4dd343456c0d123676ef65fb430e8394ee430185dec5

memory/2212-62-0x0000000000400000-0x0000000002B03000-memory.dmp

memory/1868-68-0x0000000007130000-0x0000000007174000-memory.dmp

memory/1868-67-0x00000000070B0000-0x00000000070F6000-memory.dmp

memory/1868-69-0x0000000007130000-0x000000000716E000-memory.dmp

memory/1868-74-0x0000000007130000-0x000000000716E000-memory.dmp

memory/1868-72-0x0000000007130000-0x000000000716E000-memory.dmp

memory/1868-70-0x0000000007130000-0x000000000716E000-memory.dmp

memory/1868-98-0x0000000007130000-0x000000000716E000-memory.dmp

memory/1868-102-0x0000000007130000-0x000000000716E000-memory.dmp

memory/1868-100-0x0000000007130000-0x000000000716E000-memory.dmp

memory/1868-96-0x0000000007130000-0x000000000716E000-memory.dmp

memory/1868-94-0x0000000007130000-0x000000000716E000-memory.dmp

memory/1868-92-0x0000000007130000-0x000000000716E000-memory.dmp

memory/1868-90-0x0000000007130000-0x000000000716E000-memory.dmp

memory/1868-88-0x0000000007130000-0x000000000716E000-memory.dmp

memory/1868-86-0x0000000007130000-0x000000000716E000-memory.dmp

memory/1868-84-0x0000000007130000-0x000000000716E000-memory.dmp

memory/1868-82-0x0000000007130000-0x000000000716E000-memory.dmp

memory/1868-80-0x0000000007130000-0x000000000716E000-memory.dmp

memory/1868-78-0x0000000007130000-0x000000000716E000-memory.dmp

memory/1868-76-0x0000000007130000-0x000000000716E000-memory.dmp

memory/1868-975-0x00000000078A0000-0x0000000007EB8000-memory.dmp

memory/1868-976-0x0000000007F30000-0x000000000803A000-memory.dmp

memory/1868-977-0x0000000008070000-0x0000000008082000-memory.dmp

memory/1868-978-0x0000000008090000-0x00000000080CC000-memory.dmp

memory/1868-979-0x00000000081E0000-0x000000000822C000-memory.dmp