Malware Analysis Report

2025-05-06 00:52

Sample ID 241109-zbhqgs1hnh
Target 1af14c31e572c199bb1b25b3ac96cda635659a44940d258c6659b7974a4ae720
SHA256 1af14c31e572c199bb1b25b3ac96cda635659a44940d258c6659b7974a4ae720
Tags
healer redline maxbi discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1af14c31e572c199bb1b25b3ac96cda635659a44940d258c6659b7974a4ae720

Threat Level: Known bad

The file 1af14c31e572c199bb1b25b3ac96cda635659a44940d258c6659b7974a4ae720 was found to be: Known bad.

Malicious Activity Summary

healer redline maxbi discovery dropper evasion infostealer persistence trojan

RedLine

Healer family

Detects Healer, an antivirus disabler dropper

RedLine payload

Redline family

Healer

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 20:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 20:32

Reported

2024-11-09 20:35

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1af14c31e572c199bb1b25b3ac96cda635659a44940d258c6659b7974a4ae720.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a18564388.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a18564388.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a18564388.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a18564388.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a18564388.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a18564388.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a18564388.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a18564388.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i86932797.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i39248320.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i07232341.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\1af14c31e572c199bb1b25b3ac96cda635659a44940d258c6659b7974a4ae720.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i86597507.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i39248320.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i07232341.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a18564388.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b60109714.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1af14c31e572c199bb1b25b3ac96cda635659a44940d258c6659b7974a4ae720.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i86597507.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i86932797.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a18564388.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a18564388.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a18564388.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2228 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\1af14c31e572c199bb1b25b3ac96cda635659a44940d258c6659b7974a4ae720.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i86597507.exe
PID 2228 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\1af14c31e572c199bb1b25b3ac96cda635659a44940d258c6659b7974a4ae720.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i86597507.exe
PID 2228 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\1af14c31e572c199bb1b25b3ac96cda635659a44940d258c6659b7974a4ae720.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i86597507.exe
PID 4604 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i86597507.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i86932797.exe
PID 4604 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i86597507.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i86932797.exe
PID 4604 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i86597507.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i86932797.exe
PID 232 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i86932797.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i39248320.exe
PID 232 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i86932797.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i39248320.exe
PID 232 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i86932797.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i39248320.exe
PID 1148 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i39248320.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i07232341.exe
PID 1148 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i39248320.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i07232341.exe
PID 1148 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i39248320.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i07232341.exe
PID 3992 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i07232341.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a18564388.exe
PID 3992 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i07232341.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a18564388.exe
PID 3992 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i07232341.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a18564388.exe
PID 3992 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i07232341.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b60109714.exe
PID 3992 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i07232341.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b60109714.exe
PID 3992 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i07232341.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b60109714.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1af14c31e572c199bb1b25b3ac96cda635659a44940d258c6659b7974a4ae720.exe

"C:\Users\Admin\AppData\Local\Temp\1af14c31e572c199bb1b25b3ac96cda635659a44940d258c6659b7974a4ae720.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i86597507.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i86597507.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i86932797.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i86932797.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i39248320.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i39248320.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i07232341.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i07232341.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a18564388.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a18564388.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4004 -ip 4004

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b60109714.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b60109714.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 105.209.201.84.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
RU 185.161.248.73:4164 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i86597507.exe

MD5 bade830b6be2c8423bc07b40b036c355
SHA1 898abf99c2e2c5ed9d0a7b49962b98def318a70a
SHA256 0c3d3498a73cdcce125aa65747d59dd36b1e18ce7460c8794b604158093ff765
SHA512 4e14ce24d12c853548c9e9cfef5210bbebf2046bdf349efd7099b6ea377899421ae5b93a1359d25c493386825bca7db1622b6b68ad37e9522972103412939d81

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i86932797.exe

MD5 25fa32563594dedbc5792bf00a544255
SHA1 d2f5e561db31492fd12b126d92a4a45981ff9115
SHA256 00d30f23d69ef8963e109179db2d10817be8de06b085dfe5bd9e6daf43fcec0e
SHA512 6a47dc333692d3cefbf278378323606ef11c6df9230ce299ab5583fde499fcd7065048b8053a3ae44c1d2beaad6a9ea47916e0e98fa06272129c1cb19b5cf034

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i39248320.exe

MD5 85d64e14a876cd43c5c831adb66bc141
SHA1 eef22caa3d04a00e243ae578478d7d7c88a11311
SHA256 0119f0d319602e9368bf259bed1488797d1821e0da48c2a1e7c249009eba9333
SHA512 aa9da40d95d503b123e61c88d5f37a3c59edf9aefbf0075c135a8a5dfbf0ff62f92ba6b185ca9519078259624c1f5fcc40c941622c4c3e4fd31574a9ee6c0b26

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i07232341.exe

MD5 8d387cb163bbbace0c0a9911dafba0ea
SHA1 fe258560ba5b18642dc8838f1e3090d7e0c352e6
SHA256 ef287055b6b496fa1d19ea8d7f31d534997a38164c20c98decc545f1b212ff50
SHA512 bdcd36913bab668494a7752fed8858bc8d5a399881433f352876c4818966443d6a96cb16045cf101320d5da9fd5bbe258491868426c83ceb841ebcbb46fc5043

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a18564388.exe

MD5 ef4e78dd23e95f16b8dfe38b143836e9
SHA1 7ec4af068b1a51897ac4ad915b0bfb215dcb0d31
SHA256 f406665f4e992d11a5757514f5fe3385b4506a4b65a0722ad1886f0b2151e136
SHA512 0ceb37c96e4606a577eafe0ff8845fd79c8417400fbe34f2daf76af3dc5911f02990ad40347f39a234406ee7598edec6d4f9479b0b08cc20b2b929121cf370c2

memory/4004-36-0x00000000028C0000-0x00000000028DA000-memory.dmp

memory/4004-37-0x0000000005060000-0x0000000005604000-memory.dmp

memory/4004-38-0x0000000002CC0000-0x0000000002CD8000-memory.dmp

memory/4004-39-0x0000000002CC0000-0x0000000002CD2000-memory.dmp

memory/4004-50-0x0000000002CC0000-0x0000000002CD2000-memory.dmp

memory/4004-66-0x0000000002CC0000-0x0000000002CD2000-memory.dmp

memory/4004-64-0x0000000002CC0000-0x0000000002CD2000-memory.dmp

memory/4004-62-0x0000000002CC0000-0x0000000002CD2000-memory.dmp

memory/4004-60-0x0000000002CC0000-0x0000000002CD2000-memory.dmp

memory/4004-58-0x0000000002CC0000-0x0000000002CD2000-memory.dmp

memory/4004-56-0x0000000002CC0000-0x0000000002CD2000-memory.dmp

memory/4004-54-0x0000000002CC0000-0x0000000002CD2000-memory.dmp

memory/4004-53-0x0000000002CC0000-0x0000000002CD2000-memory.dmp

memory/4004-48-0x0000000002CC0000-0x0000000002CD2000-memory.dmp

memory/4004-46-0x0000000002CC0000-0x0000000002CD2000-memory.dmp

memory/4004-44-0x0000000002CC0000-0x0000000002CD2000-memory.dmp

memory/4004-42-0x0000000002CC0000-0x0000000002CD2000-memory.dmp

memory/4004-40-0x0000000002CC0000-0x0000000002CD2000-memory.dmp

memory/4004-67-0x0000000000400000-0x0000000000A67000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b60109714.exe

MD5 4cecbe1e5ab3368eed7cae4a47304a95
SHA1 396b5387462a850518ba10876cfa16d44ea18229
SHA256 cea16d6e72293940245c6c7ea7582eb2f974cbc18498a46e1f31738a3a22d6f7
SHA512 104f1301f076d6b83ce70722130f436267dd02895635de6851ba470da15cf058522d98c344d77d45feaaa2fe63a05d1a64985748bd349f4c7130d313bc3d532e

memory/4004-69-0x0000000000400000-0x0000000000A67000-memory.dmp

memory/4988-73-0x0000000000570000-0x00000000005A0000-memory.dmp

memory/4988-74-0x00000000071E0000-0x00000000071E6000-memory.dmp

memory/4988-75-0x000000000A9A0000-0x000000000AFB8000-memory.dmp

memory/4988-76-0x000000000A520000-0x000000000A62A000-memory.dmp

memory/4988-77-0x000000000A450000-0x000000000A462000-memory.dmp

memory/4988-78-0x000000000A4B0000-0x000000000A4EC000-memory.dmp

memory/4988-79-0x00000000025F0000-0x000000000263C000-memory.dmp