Malware Analysis Report

2025-04-03 14:18

Sample ID 241110-dd46lsybke
Target 255107e224b7a8d681acb23fc33edbb21552100e7ed76b5f454611b553631f4a
SHA256 255107e224b7a8d681acb23fc33edbb21552100e7ed76b5f454611b553631f4a
Tags healer redline mazda discovery dropper evasion infostealer persistence trojan
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 255107e224b7a8d681acb23fc33edbb21552100e7ed76b5f454611b553631f4a was found to be: Known bad.

Malicious Activity Summary

Detects Healer an antivirus disabler dropper

RedLine

Healer family

Healer

RedLine payload

Redline family

Modifies Windows Defender Real-time Protection settings

Windows security modification

Executes dropped EXE

Adds Run key to start application

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-11-10 02:54

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 02:54

Reported

2024-11-10 02:57

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\255107e224b7a8d681acb23fc33edbb21552100e7ed76b5f454611b553631f4a.exe"

Signatures

Detects Healer an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5573461.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5573461.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5573461.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5573461.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5573461.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5573461.exe N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5573461.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5573461.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8211075.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\255107e224b7a8d681acb23fc33edbb21552100e7ed76b5f454611b553631f4a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5955564.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6361532.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3616890.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3616890.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8211075.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5573461.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9958931.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\255107e224b7a8d681acb23fc33edbb21552100e7ed76b5f454611b553631f4a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5955564.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6361532.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5573461.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5573461.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5573461.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 320 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\255107e224b7a8d681acb23fc33edbb21552100e7ed76b5f454611b553631f4a.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5955564.exe
PID 3048 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5955564.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6361532.exe
PID 3740 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6361532.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3616890.exe
PID 1532 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3616890.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8211075.exe
PID 408 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8211075.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5573461.exe
PID 408 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8211075.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9958931.exe

Processes

C:\Users\Admin\AppData\Local\Temp\255107e224b7a8d681acb23fc33edbb21552100e7ed76b5f454611b553631f4a.exe

"C:\Users\Admin\AppData\Local\Temp\255107e224b7a8d681acb23fc33edbb21552100e7ed76b5f454611b553631f4a.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5955564.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5955564.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6361532.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6361532.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3616890.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3616890.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8211075.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8211075.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5573461.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5573461.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2520 -ip 2520

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 1088

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9958931.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9958931.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
CY 217.196.96.56:4138 tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
CY 217.196.96.56:4138 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
CY 217.196.96.56:4138 tcp
CY 217.196.96.56:4138 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
CY 217.196.96.56:4138 tcp
CY 217.196.96.56:4138 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5955564.exe

MD5 65f527c9b44bb9d628cf0556a4754082
SHA1 12e0aeb835ea294555e10c571bbb2a29deccfa84
SHA256 c9c99ceace153541dbe80c8bc7340222c48d5e13c330bb1514f83e7bc10a69db
SHA512 d81c32a4d7ca3b0fc3bf4f81cd35e6db36d7128c38299bc3c2c44864f6cb1f65e9705549d521c3b9c059bce721cfe539d127d2687cd0bbac9a707ef73874eb30

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6361532.exe

MD5 5602f032b48cc9e9aec542f88b573b0c
SHA1 71746cdb3eff4792fb923aaf2cef7dbdc0974be0
SHA256 0fbbbf192b8440d84d795ea1dcb12812b27159a87a8186f1ef61f2b09eb935e3
SHA512 8ed440ce47606a16754ac47dfb0df678dca76840f5696034d44c3a87244ac32bdca3cc15abed653e621215390372c83652f449b0281a66f1167242ad1564bb29

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3616890.exe

MD5 31b2f9bb25e8eb3e9be4ae30bb62a67f
SHA1 7e6798d68b563d431932d2dbbf4271b75a050d71
SHA256 eec8dfc2d81eb3165e15e1b68435edc1df8d0d1bb461c97429177679800f84dd
SHA512 a07813cc09c3620c5c15cc83b1fb6c7489f3e9928e7de01ed08ac7db02812857b0779df676fab5037a04a1e7f7a52f053c5a1c84f6acf26ddead6216d438f429

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8211075.exe

MD5 d6cbbf0e7b8825ad7f1ca76523164932
SHA1 c9a058933fb5c82eb88c939aeb2511ddae5afe8a
SHA256 9e5053b873021bbadf0aefb3f7856736cf0fad1a22c384e1e309bf0794613e17
SHA512 1a78e6008ef0f5b43a377dbba082b062135347e338fe991258a3c19f41b0d3f4bcd1c34b968082c3b9923726c6ca3502c61be20a37f4a7de6217fbe06f1507a2

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5573461.exe

MD5 73fec908d143a40b90fdb8ca896138c6
SHA1 0a4920659e3bfcb66b212a4bbf29d2146a1317df
SHA256 300dfbbc361d5a8e864513c7e1ba16cf229194406fc09934907c0b7b1e565728
SHA512 c7691597e167bae68a30b6fb08fe8d8ea931f8df340d37e58d373afb73448dc1f481e2468115600a525a9770f9030f0fca81a4afdbba2063fc9a0d9f022756a5

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9958931.exe

MD5 92462f6f89e9dc09eca7879f1aec04d4
SHA1 64606f1fc42c6dae23593d7c3c580de32fa1dd4c
SHA256 5d8c880d18a819d70a4c2a4133e55259834afc0265694c5231fe4745c10f5cbf
SHA512 0e0eb7b7e55e8cc7f1be302638e117c5cb3a343dab3b1413cd536eee7dd947531187d8648cd6c501693bc186598a31326298a785f22c5b6f7487f10f341561c9
