Malware Analysis Report

2025-04-03 14:21

Sample ID: 241110-dezyaaxhrl
Target: df5082a493cad2c73f1584c70ca7ebfdccfbc8e96dcc00effba7b7a90c7e2cba
SHA256: df5082a493cad2c73f1584c70ca7ebfdccfbc8e96dcc00effba7b7a90c7e2cba
Tags: healer redline down discovery dropper evasion infostealer persistence trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: df5082a493cad2c73f1584c70ca7ebfdccfbc8e96dcc00effba7b7a90c7e2cba

Threat Level: Known bad

The file df5082a493cad2c73f1584c70ca7ebfdccfbc8e96dcc00effba7b7a90c7e2cba was found to be: Known bad.

Malicious Activity Summary

healer redline down discovery dropper evasion infostealer persistence trojan

RedLine

Modifies Windows Defender Real-time Protection settings

Detects Healer an antivirus disabler dropper

RedLine payload

Healer family

Redline family

Healer

Executes dropped EXE

Windows security modification

Adds Run key to start application

Launches sc.exe

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-10 02:56

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-10 02:56
Reported: 2024-11-10 02:58
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\df5082a493cad2c73f1584c70ca7ebfdccfbc8e96dcc00effba7b7a90c7e2cba.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Healer

Tags: dropper healer

Healer family

Tags: healer

Modifies Windows Defender Real-time Protection settings

Tags: evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu5800.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu5800.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro3432.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro3432.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu5800.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu5800.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu5800.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro3432.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro3432.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro3432.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro3432.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu5800.exe | N/A

RedLine

Tags: infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Redline family

Tags: redline

Windows security modification

Tags: evasion trojan

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu5800.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu5800.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro3432.exe | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio7877.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio4438.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\df5082a493cad2c73f1584c70ca7ebfdccfbc8e96dcc00effba7b7a90c7e2cba.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\sc.exe | N/A

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\df5082a493cad2c73f1584c70ca7ebfdccfbc8e96dcc00effba7b7a90c7e2cba.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio7877.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio4438.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu5800.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rmQ07s01.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro3432.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu5800.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rmQ07s01.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2360 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\df5082a493cad2c73f1584c70ca7ebfdccfbc8e96dcc00effba7b7a90c7e2cba.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio7877.exe
PID 2360 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\df5082a493cad2c73f1584c70ca7ebfdccfbc8e96dcc00effba7b7a90c7e2cba.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio7877.exe
PID 2360 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\df5082a493cad2c73f1584c70ca7ebfdccfbc8e96dcc00effba7b7a90c7e2cba.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio7877.exe
PID 2664 wrote to memory of 224 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio7877.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio4438.exe
PID 2664 wrote to memory of 224 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio7877.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio4438.exe
PID 2664 wrote to memory of 224 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio7877.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio4438.exe
PID 224 wrote to memory of 5072 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio4438.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro3432.exe
PID 224 wrote to memory of 5072 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio4438.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro3432.exe
PID 224 wrote to memory of 1544 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio4438.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu5800.exe
PID 224 wrote to memory of 1544 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio4438.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu5800.exe
PID 224 wrote to memory of 1544 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio4438.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu5800.exe
PID 2664 wrote to memory of 2844 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio7877.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rmQ07s01.exe
PID 2664 wrote to memory of 2844 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio7877.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rmQ07s01.exe
PID 2664 wrote to memory of 2844 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio7877.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rmQ07s01.exe

Processes

C:\Users\Admin\AppData\Local\Temp\df5082a493cad2c73f1584c70ca7ebfdccfbc8e96dcc00effba7b7a90c7e2cba.exe

"C:\Users\Admin\AppData\Local\Temp\df5082a493cad2c73f1584c70ca7ebfdccfbc8e96dcc00effba7b7a90c7e2cba.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio7877.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio7877.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio4438.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio4438.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro3432.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro3432.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu5800.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu5800.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1544 -ip 1544

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rmQ07s01.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rmQ07s01.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 66.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
RU | 193.233.20.31:4125 | | tcp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
RU | 193.233.20.31:4125 | | tcp
US | 8.8.8.8:53 | 74.208.201.84.in-addr.arpa | udp
RU | 193.233.20.31:4125 | | tcp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
RU | 193.233.20.31:4125 | | tcp
RU | 193.233.20.31:4125 | | tcp
US | 8.8.8.8:53 | 122.10.44.20.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio7877.exe

MD5 832cb231df11404356108647f5374629
SHA1 fead44eb78cdcaf1ba66e1de72607c8aabfa3082
SHA256 6f46f3e004463d40bb14f275b877c338f8c200b5bd51dd51aed4479b0a4ee2c0
SHA512 9ba8f3cfbbed298e7517c23bea2d8d512af0173028e8fc3d8d9b73f22e636f184d295a85d334977d0c0d29d5465e07798277ed7fc596ae968a36cea8e64556de

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio4438.exe

MD5 f506e211409479ca72815e0e539ae3a5
SHA1 a15ead08a49d41146aa6c54046fa0d2e31c4d5fb
SHA256 55f71e9879a83786b247cf7600414bd2bbbc1d10a2fdc78444809f8adc3ebb10
SHA512 91ec5985f44f1cb9a73849efd2a74e870bb14b8c8b2b88330c22b3eb506603a862bff02a14be22e9c41a5ae3b6c8f9ad399cc22ed4f3941ca43a50ec705152f2

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro3432.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/5072-21-0x00007FFCBFCB3000-0x00007FFCBFCB5000-memory.dmp

memory/5072-22-0x00000000003A0000-0x00000000003AA000-memory.dmp

memory/5072-23-0x00007FFCBFCB3000-0x00007FFCBFCB5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu5800.exe

MD5 6552d9def5ba5abef75b333bb4eec534
SHA1 63c4515ff01e34738fb63159730a73ca8cbee3db
SHA256 bf82d677dea659d60376cf663be3b6a9023c45cdbce553fbdca029b4933cca9b
SHA512 d376f3122ababdab1a36dbde864233d60fcc11e52631e5b3c62bf164173722c3760846aaa3c16ad5a533b3cb59385bb81fb68bad4f79a2176eead2e7a6cc8ae0

memory/1544-29-0x0000000002640000-0x000000000265A000-memory.dmp

memory/1544-30-0x0000000004DF0000-0x0000000005394000-memory.dmp

memory/1544-31-0x0000000004CC0000-0x0000000004CD8000-memory.dmp

memory/1544-32-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

memory/1544-41-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

memory/1544-59-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

memory/1544-57-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

memory/1544-55-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

memory/1544-53-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

memory/1544-49-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

memory/1544-47-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

memory/1544-45-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

memory/1544-43-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

memory/1544-39-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

memory/1544-37-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

memory/1544-35-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

memory/1544-33-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

memory/1544-51-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

memory/1544-60-0x0000000000400000-0x0000000000726000-memory.dmp

memory/1544-62-0x0000000000400000-0x0000000000726000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rmQ07s01.exe

MD5 da466bcac0bc81cca6fa77b6632532de
SHA1 89231d9f3dafd00adfa8af8aaf20c26fc4d46add
SHA256 0e084461df1420f3e7de2cce4ebb53bd17b0afe90af863e54d9703e9099887f9
SHA512 48313140a272cde913e5b8067cf58acaf5c387be11d41847183b83ec2a4f8c40780ee46fcbd4aa4dec2446dece8051d06714c5dc2e0f98d8bf8cad1da8cc73f1

memory/2844-67-0x0000000002710000-0x0000000002756000-memory.dmp

memory/2844-68-0x00000000029D0000-0x0000000002A14000-memory.dmp

memory/2844-82-0x00000000029D0000-0x0000000002A0E000-memory.dmp

memory/2844-84-0x00000000029D0000-0x0000000002A0E000-memory.dmp

memory/2844-102-0x00000000029D0000-0x0000000002A0E000-memory.dmp

memory/2844-98-0x00000000029D0000-0x0000000002A0E000-memory.dmp

memory/2844-96-0x00000000029D0000-0x0000000002A0E000-memory.dmp

memory/2844-94-0x00000000029D0000-0x0000000002A0E000-memory.dmp

memory/2844-92-0x00000000029D0000-0x0000000002A0E000-memory.dmp

memory/2844-90-0x00000000029D0000-0x0000000002A0E000-memory.dmp

memory/2844-88-0x00000000029D0000-0x0000000002A0E000-memory.dmp

memory/2844-86-0x00000000029D0000-0x0000000002A0E000-memory.dmp

memory/2844-80-0x00000000029D0000-0x0000000002A0E000-memory.dmp

memory/2844-78-0x00000000029D0000-0x0000000002A0E000-memory.dmp

memory/2844-76-0x00000000029D0000-0x0000000002A0E000-memory.dmp

memory/2844-100-0x00000000029D0000-0x0000000002A0E000-memory.dmp

memory/2844-74-0x00000000029D0000-0x0000000002A0E000-memory.dmp

memory/2844-72-0x00000000029D0000-0x0000000002A0E000-memory.dmp

memory/2844-70-0x00000000029D0000-0x0000000002A0E000-memory.dmp

memory/2844-69-0x00000000029D0000-0x0000000002A0E000-memory.dmp

memory/2844-975-0x00000000053B0000-0x00000000059C8000-memory.dmp

memory/2844-976-0x0000000005A10000-0x0000000005B1A000-memory.dmp

memory/2844-978-0x0000000005B70000-0x0000000005BAC000-memory.dmp

memory/2844-977-0x0000000005B50000-0x0000000005B62000-memory.dmp

memory/2844-979-0x0000000005CC0000-0x0000000005D0C000-memory.dmp