Malware Analysis Report

2025-08-10 14:35

Sample ID 241111-gqmzmstlcw
Target f11216fdc1245867881403846609d2f7727dfba1b713a495cf867f6b871b15b8
SHA256 f11216fdc1245867881403846609d2f7727dfba1b713a495cf867f6b871b15b8
Tags
healer redline ruzhpe discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f11216fdc1245867881403846609d2f7727dfba1b713a495cf867f6b871b15b8

Threat Level: Known bad

The file f11216fdc1245867881403846609d2f7727dfba1b713a495cf867f6b871b15b8 was found to be: Known bad.

Malicious Activity Summary

healer redline ruzhpe discovery dropper evasion infostealer persistence trojan

RedLine payload

Modifies Windows Defender Real-time Protection settings

Healer

Detects Healer, an antivirus disabler dropper

Redline family

RedLine

Healer family

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 06:00

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 06:00

Reported

2024-11-11 06:03

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f11216fdc1245867881403846609d2f7727dfba1b713a495cf867f6b871b15b8.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urVu48xm97.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urVu48xm97.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urVu48xm97.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urVu48xm97.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urVu48xm97.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urVu48xm97.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urVu48xm97.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urVu48xm97.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\f11216fdc1245867881403846609d2f7727dfba1b713a495cf867f6b871b15b8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yceL52PD30.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yceL52PD30.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urVu48xm97.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrRC30RW34.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f11216fdc1245867881403846609d2f7727dfba1b713a495cf867f6b871b15b8.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urVu48xm97.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urVu48xm97.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urVu48xm97.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrRC30RW34.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1744 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\f11216fdc1245867881403846609d2f7727dfba1b713a495cf867f6b871b15b8.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yceL52PD30.exe
PID 1744 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\f11216fdc1245867881403846609d2f7727dfba1b713a495cf867f6b871b15b8.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yceL52PD30.exe
PID 1744 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\f11216fdc1245867881403846609d2f7727dfba1b713a495cf867f6b871b15b8.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yceL52PD30.exe
PID 440 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yceL52PD30.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urVu48xm97.exe
PID 440 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yceL52PD30.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urVu48xm97.exe
PID 440 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yceL52PD30.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urVu48xm97.exe
PID 440 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yceL52PD30.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrRC30RW34.exe
PID 440 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yceL52PD30.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrRC30RW34.exe
PID 440 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yceL52PD30.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrRC30RW34.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f11216fdc1245867881403846609d2f7727dfba1b713a495cf867f6b871b15b8.exe

"C:\Users\Admin\AppData\Local\Temp\f11216fdc1245867881403846609d2f7727dfba1b713a495cf867f6b871b15b8.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yceL52PD30.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yceL52PD30.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urVu48xm97.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urVu48xm97.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3008 -ip 3008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrRC30RW34.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrRC30RW34.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 101.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yceL52PD30.exe

MD5 5a4280594a93ca558918583231fb9241
SHA1 a936f7424b5f6c4926001bffe1759c36d217623b
SHA256 14249036212f569d3126bdf684ff33bb6b6c9389c1668e2019ae5a75985a4270
SHA512 ab5f0b62e41b601a4956ebc2e74ad89b4a80ab01c5b5761f2eb91423b89a0cbe32c1fbd55172cffc27c864ee89a9dc0fffb2bbb7a553fa6760262cc4e47c6ca8

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urVu48xm97.exe

MD5 e86d6512a605f1fcd0435b9d980a7473
SHA1 3c256c47fc1b8d43a2e64ed7463e47301178380d
SHA256 4d3feae0f76c5b673ad0b420fb396e931e93d9bf08629742e2f1a47716ad4ad3
SHA512 be1b75490e6a8534eaed0ecb8516ad73e95542787d7123ca205ac52a82637abafe7c44479e2d994e10a221c0b7fe193f3c881d660485a0f415246aa70e7b7d78

memory/3008-15-0x0000000000820000-0x0000000000920000-memory.dmp

memory/3008-17-0x0000000000400000-0x0000000000582000-memory.dmp

memory/3008-16-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3008-18-0x0000000000400000-0x0000000000582000-memory.dmp

memory/3008-19-0x0000000002350000-0x000000000236A000-memory.dmp

memory/3008-20-0x0000000004BF0000-0x0000000005194000-memory.dmp

memory/3008-21-0x00000000023A0000-0x00000000023B8000-memory.dmp

memory/3008-25-0x00000000023A0000-0x00000000023B2000-memory.dmp

memory/3008-47-0x00000000023A0000-0x00000000023B2000-memory.dmp

memory/3008-45-0x00000000023A0000-0x00000000023B2000-memory.dmp

memory/3008-44-0x00000000023A0000-0x00000000023B2000-memory.dmp

memory/3008-41-0x00000000023A0000-0x00000000023B2000-memory.dmp

memory/3008-39-0x00000000023A0000-0x00000000023B2000-memory.dmp

memory/3008-37-0x00000000023A0000-0x00000000023B2000-memory.dmp

memory/3008-35-0x00000000023A0000-0x00000000023B2000-memory.dmp

memory/3008-33-0x00000000023A0000-0x00000000023B2000-memory.dmp

memory/3008-31-0x00000000023A0000-0x00000000023B2000-memory.dmp

memory/3008-29-0x00000000023A0000-0x00000000023B2000-memory.dmp

memory/3008-27-0x00000000023A0000-0x00000000023B2000-memory.dmp

memory/3008-49-0x00000000023A0000-0x00000000023B2000-memory.dmp

memory/3008-22-0x00000000023A0000-0x00000000023B2000-memory.dmp

memory/3008-23-0x00000000023A0000-0x00000000023B2000-memory.dmp

memory/3008-50-0x0000000000820000-0x0000000000920000-memory.dmp

memory/3008-51-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3008-54-0x0000000000400000-0x0000000000582000-memory.dmp

memory/3008-55-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrRC30RW34.exe

MD5 c399447de03079c2f5c1482ddeb1706b
SHA1 dbeaa79a4b8e1190fc5c054b408948631dac089c
SHA256 afce08c2456f2f7a0ca5d02fca432a29b387b7f1d6fb1d58c6fc6da96749f7d7
SHA512 3f7001cfb7e54a471786f96c6788858718b867cdcd9c2caabd19018f74228461bcfa45211c11e5a541fdb4fd6c4ff0c330e6b6c8734304d670fc393072480b3c

memory/4180-60-0x00000000024C0000-0x0000000002506000-memory.dmp

memory/4180-61-0x0000000004BC0000-0x0000000004C04000-memory.dmp

memory/4180-65-0x0000000004BC0000-0x0000000004BFE000-memory.dmp

memory/4180-77-0x0000000004BC0000-0x0000000004BFE000-memory.dmp

memory/4180-95-0x0000000004BC0000-0x0000000004BFE000-memory.dmp

memory/4180-93-0x0000000004BC0000-0x0000000004BFE000-memory.dmp

memory/4180-91-0x0000000004BC0000-0x0000000004BFE000-memory.dmp

memory/4180-89-0x0000000004BC0000-0x0000000004BFE000-memory.dmp

memory/4180-85-0x0000000004BC0000-0x0000000004BFE000-memory.dmp

memory/4180-83-0x0000000004BC0000-0x0000000004BFE000-memory.dmp

memory/4180-81-0x0000000004BC0000-0x0000000004BFE000-memory.dmp

memory/4180-79-0x0000000004BC0000-0x0000000004BFE000-memory.dmp

memory/4180-75-0x0000000004BC0000-0x0000000004BFE000-memory.dmp

memory/4180-74-0x0000000004BC0000-0x0000000004BFE000-memory.dmp

memory/4180-71-0x0000000004BC0000-0x0000000004BFE000-memory.dmp

memory/4180-69-0x0000000004BC0000-0x0000000004BFE000-memory.dmp

memory/4180-67-0x0000000004BC0000-0x0000000004BFE000-memory.dmp

memory/4180-87-0x0000000004BC0000-0x0000000004BFE000-memory.dmp

memory/4180-63-0x0000000004BC0000-0x0000000004BFE000-memory.dmp

memory/4180-62-0x0000000004BC0000-0x0000000004BFE000-memory.dmp

memory/4180-968-0x0000000005230000-0x0000000005848000-memory.dmp

memory/4180-969-0x0000000005870000-0x000000000597A000-memory.dmp

memory/4180-970-0x00000000059B0000-0x00000000059C2000-memory.dmp

memory/4180-971-0x00000000059D0000-0x0000000005A0C000-memory.dmp

memory/4180-972-0x0000000005B20000-0x0000000005B6C000-memory.dmp