Malware Analysis Report

2025-04-03 14:20

Sample ID 241110-dkgc5axpay
Target 6db60f0f1bb2d6cedd142f5c3defd1c971f1c013178c26d36e2db702e551879f
SHA256 6db60f0f1bb2d6cedd142f5c3defd1c971f1c013178c26d36e2db702e551879f
Tags
healer redline mazda discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

6db60f0f1bb2d6cedd142f5c3defd1c971f1c013178c26d36e2db702e551879f

Threat Level: Known bad

The file 6db60f0f1bb2d6cedd142f5c3defd1c971f1c013178c26d36e2db702e551879f was found to be: Known bad.

Malicious Activity Summary

healer redline mazda discovery dropper evasion infostealer persistence trojan

Detects Healer, an antivirus disabler dropper

RedLine payload

Redline family

Healer family

RedLine

Healer

Modifies Windows Defender Real-time Protection settings

Windows security modification

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 03:03

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 03:03

Reported

2024-11-10 03:06

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6db60f0f1bb2d6cedd142f5c3defd1c971f1c013178c26d36e2db702e551879f.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (17 identical entries)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4373057.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4373057.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4373057.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4373057.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4373057.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4373057.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (2 identical entries)

Redline family

redline

Windows security modification

evasion trojan

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4373057.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4373057.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4999647.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1729603.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2499822.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\6db60f0f1bb2d6cedd142f5c3defd1c971f1c013178c26d36e2db702e551879f.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2911199.exe | N/A

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2589349.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6db60f0f1bb2d6cedd142f5c3defd1c971f1c013178c26d36e2db702e551879f.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2911199.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4999647.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1729603.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2499822.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4373057.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4373057.exe | N/A (2 identical entries)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4373057.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4196 wrote to memory of 4848 | N/A | C:\Users\Admin\AppData\Local\Temp\6db60f0f1bb2d6cedd142f5c3defd1c971f1c013178c26d36e2db702e551879f.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2911199.exe (3 identical entries)
PID 4848 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2911199.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4999647.exe (3 identical entries)
PID 2756 wrote to memory of 460 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4999647.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1729603.exe (3 identical entries)
PID 460 wrote to memory of 4176 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1729603.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2499822.exe (3 identical entries)
PID 4176 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2499822.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4373057.exe (3 identical entries)
PID 4176 wrote to memory of 3604 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2499822.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2589349.exe (3 identical entries)

Processes

Image | Command line
C:\Users\Admin\AppData\Local\Temp\6db60f0f1bb2d6cedd142f5c3defd1c971f1c013178c26d36e2db702e551879f.exe | "C:\Users\Admin\AppData\Local\Temp\6db60f0f1bb2d6cedd142f5c3defd1c971f1c013178c26d36e2db702e551879f.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2911199.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2911199.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4999647.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4999647.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1729603.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1729603.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2499822.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2499822.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4373057.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4373057.exe
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2876 -ip 2876
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 1080
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2589349.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2589349.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
CY | 217.196.96.56:4138 | - | tcp
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
CY | 217.196.96.56:4138 | - | tcp
US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
CY | 217.196.96.56:4138 | - | tcp
CY | 217.196.96.56:4138 | - | tcp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
CY | 217.196.96.56:4138 | - | tcp
CY | 217.196.96.56:4138 | - | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2911199.exe

MD5 ba79cbea9effe6dc0ee1f36fd5bec90f
SHA1 665bc0d8ff821dd8882af4029f7538eba1608e24
SHA256 8a56de00e4523b5ae1f7061c1b46d460d7d086fb8bc5e69e77b975b190350a65
SHA512 e839ffb1bf473e0d1d6d17d72e5fdc4f1bfe9d221d505830745b7c006a225860f8bd0b6e8fd83dcf8c1a0477536380ed63066819ad05f568108fa81800537281

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4999647.exe

MD5 90ceb6739a3159d30167a978b04a9a86
SHA1 d5258e4e66ac3987ed911eca9623308f3596f3d1
SHA256 6ed3aef7cc439dd9e5459256166a5f09a26482691e432bd0b0331b20e408782b
SHA512 994a9053532b85b9805c82aebf1302c5d165affb405947be0697355ac458dab35a3f4e692c0838ec02db8a7c2cbf00e4a79dcc5cc16609f74104a0399d273022

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1729603.exe

MD5 d24c8e45e3e1f65a7d074951239966a6
SHA1 611e4fd1a9e9a426ed2e1ae5c0eca444d3bc2717
SHA256 5f6c12f27cd904d3da2e648f30e42ff49fb9ffcfb70068a7cf6b4a19b9508baf
SHA512 61430556a034879f16e245274910b6f53c9c2b03b771ffcf001ce2dc59dfb9b6405a3fefe46d64c7eb99d71649a6722de133f30ed652b2ed971ed531b10711bc

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2499822.exe

MD5 a2e62b85ad312ced58cee9477867f307
SHA1 f1b3a2c94c0c06ca81bbd91f192dc112a3b16843
SHA256 59361d376b15092ef2d367801bd0b918500d9e99aea69038ac8613f92dc9077c
SHA512 4b14ffcda58bbd6d9666d3d291ddf3f42e5cf506537a030071846bd4d0c14dcc85af6a3d6ede4c0ebba806c922071fe4a25b07198d28419c64df7939d3ca1778

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4373057.exe

MD5 5b18e7864656a3f338e822f80f1a22a1
SHA1 e291cd21442236df2b1bfa05c8a405f2c2dcd854
SHA256 51fe6fc09d8c6995953689fa21307777c17f47cbab07f115ab7d640330d4b875
SHA512 9cff407e452efeba01b8fdb573498eec989434df7ea33d3150b6feaee2e2238e335f648013ad1d21db67b3e3ad7aad98d028c34a24aaab61435590e8cb2811e8

memory/2876-36-0x00000000027A0000-0x00000000027BA000-memory.dmp
memory/2876-37-0x0000000004D30000-0x00000000052D4000-memory.dmp
memory/2876-38-0x0000000002940000-0x0000000002958000-memory.dmp
memory/2876-39-0x0000000002940000-0x0000000002952000-memory.dmp
memory/2876-58-0x0000000002940000-0x0000000002952000-memory.dmp
memory/2876-66-0x0000000002940000-0x0000000002952000-memory.dmp
memory/2876-64-0x0000000002940000-0x0000000002952000-memory.dmp
memory/2876-62-0x0000000002940000-0x0000000002952000-memory.dmp
memory/2876-60-0x0000000002940000-0x0000000002952000-memory.dmp
memory/2876-56-0x0000000002940000-0x0000000002952000-memory.dmp
memory/2876-54-0x0000000002940000-0x0000000002952000-memory.dmp
memory/2876-52-0x0000000002940000-0x0000000002952000-memory.dmp
memory/2876-50-0x0000000002940000-0x0000000002952000-memory.dmp
memory/2876-48-0x0000000002940000-0x0000000002952000-memory.dmp
memory/2876-46-0x0000000002940000-0x0000000002952000-memory.dmp
memory/2876-44-0x0000000002940000-0x0000000002952000-memory.dmp
memory/2876-42-0x0000000002940000-0x0000000002952000-memory.dmp
memory/2876-40-0x0000000002940000-0x0000000002952000-memory.dmp
memory/2876-67-0x0000000000400000-0x00000000006F4000-memory.dmp
memory/2876-69-0x0000000000400000-0x00000000006F4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2589349.exe

MD5 49e7c55d8a831b3e5b44d7415fbc1ae5
SHA1 db91597221746d8e2d6331e6b68efacb05589786
SHA256 3efacae0672f2d6f33539b3c82bfd8653802bf12f69dcf25a66abda091bb003b
SHA512 3d9349978fa9d13bcbe85bbee6e56132280c4b8e71caf9482255d39f8742a6ac4065205be502b26bb22c6993fef69bee2512924e415d7c6673cab85d127d239f

memory/3604-73-0x0000000000190000-0x00000000001C0000-memory.dmp
memory/3604-74-0x00000000049B0000-0x00000000049B6000-memory.dmp
memory/3604-75-0x0000000005260000-0x0000000005878000-memory.dmp
memory/3604-76-0x0000000004D50000-0x0000000004E5A000-memory.dmp
memory/3604-77-0x0000000004C60000-0x0000000004C72000-memory.dmp
memory/3604-78-0x0000000004CC0000-0x0000000004CFC000-memory.dmp
memory/3604-79-0x0000000004D00000-0x0000000004D4C000-memory.dmp