Malware Analysis Report

2025-08-10 14:35

Sample ID 241111-grfa7axpgq
Target dda2f7a4dc61593f572c743c4eecebfe3b5fb55ffea2844fb40372245f23e7be
SHA256 dda2f7a4dc61593f572c743c4eecebfe3b5fb55ffea2844fb40372245f23e7be
Tags
healer redline discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dda2f7a4dc61593f572c743c4eecebfe3b5fb55ffea2844fb40372245f23e7be

Threat Level: Known bad

The file dda2f7a4dc61593f572c743c4eecebfe3b5fb55ffea2844fb40372245f23e7be was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

RedLine

Modifies Windows Defender Real-time Protection settings

Healer

RedLine payload

Redline family

Detects Healer, an antivirus-disabler dropper

Healer family

Windows security modification

Executes dropped EXE

Adds Run key to start application

Launches sc.exe

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 06:02

Signatures

Unsigned PE

Description Indicator Process Target
(no indicator rows recorded for this signature; the PE simply carries no Authenticode signature)

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 06:02

Reported

2024-11-11 06:04

Platform

win10v2004-20241007-en

Max time kernel

141s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dda2f7a4dc61593f572c743c4eecebfe3b5fb55ffea2844fb40372245f23e7be.exe"

Signatures

Detects Healer, an antivirus-disabler dropper

Description Indicator Process Target
(2 matches recorded; indicator, process and target fields were not captured in this export)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it670988.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it670988.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it670988.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it670988.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it670988.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it670988.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(35 matches recorded; indicator, process and target fields were not captured in this export)

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it670988.exe N/A
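The two tables above (Real-Time Protection policy values set to 1, and Features\TamperProtection set to 0, all by IXP002.TMP\it670988.exe) are the core of the Healer component's job. The script below is an added example written for this report, not sandbox vendor code: it parses "Set value" rows of the form the report uses, normalises the hive prefix (sandbox output writes \REGISTRY\MACHINE where reg.exe and event logs write HKLM), and emits one finding per Defender-disabling write tagged with ATT&CK T1562.001. The event strings are constructed from the report's own rows plus one benign control row (a language-key open) that must not fire.

```python
"""Detect Windows Defender tampering in sandbox registry events.

Added example for this report; not part of the original page or of any
sandbox product. SAMPLE_EVENTS is constructed from the report's rows.
"""
import re
from dataclasses import dataclass

# Policy values that switch off a Defender real-time component when set to 1
# (HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection).
RTP_POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
    "DisableOnAccessProtection",
    "DisableIOAVProtection",
    "DisableScanOnRealtimeEnable",
}
# Tamper Protection feature flag; 0 means off.
FEATURES_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features"

# Constructed sample: the report's rows plus one benign control row (last).
SAMPLE_EVENTS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it670988.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it670988.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it670988.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it670988.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it670988.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it670988.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it670988.exe',
    r'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zifJ9763.exe',
]

# Row shape: Set value (<type>) <key>\<name> = "<data>" <process>
SET_VALUE_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "([^"]*)" (\S+)$')

# Hive spellings seen in reg.exe output and event logs, mapped to the sandbox form.
HIVE_ALIASES = {
    "hkey_local_machine": r"\registry\machine",
    "hklm": r"\registry\machine",
}


@dataclass(frozen=True)
class Finding:
    technique: str  # ATT&CK technique id
    key: str        # registry key, normalised
    value: str      # value name
    data: str       # data written
    process: str    # image path of the writing process


def normalise_key(key: str) -> str:
    """Lower-case the key and map HKLM / HKEY_LOCAL_MACHINE to \\REGISTRY\\MACHINE."""
    key = key.strip().lower()
    for alias, canonical in HIVE_ALIASES.items():
        if key.startswith(alias + "\\"):
            return canonical + key[len(alias):]
    return key


def parse_set_value(event: str):
    """Return (key, value_name, data, process) for a 'Set value' row, else None."""
    m = SET_VALUE_RE.match(event)
    if m is None:
        return None
    _vtype, path, data, process = m.groups()
    key, _, name = path.rpartition("\\")
    return normalise_key(key), name, data, process


def detect_defender_tampering(events):
    """Findings for writes that disable Defender real-time protection or Tamper Protection."""
    findings = []
    for event in events:
        parsed = parse_set_value(event)
        if parsed is None:
            continue  # key open/create rows carry no data to judge
        key, name, data, process = parsed
        if key == RTP_POLICY_KEY.lower() and name in RTP_DISABLE_VALUES and data == "1":
            findings.append(Finding("T1562.001", key, name, data, process))
        elif key == FEATURES_KEY.lower() and name == "TamperProtection" and data == "0":
            findings.append(Finding("T1562.001", key, name, data, process))
    return findings


def tampering_by_process(events):
    """Map each offending process to the sorted list of Defender values it changed."""
    summary = {}
    for f in detect_defender_tampering(events):
        summary.setdefault(f.process, set()).add(f.value)
    return {proc: sorted(vals) for proc, vals in summary.items()}


if __name__ == "__main__":
    for proc, values in tampering_by_process(SAMPLE_EVENTS).items():
        print(f"{proc} disabled: {', '.join(values)}")
```

Two caveats for anyone reusing the logic on a live host. First, the sandbox image evidently let these writes through; with Tamper Protection enabled, Defender refuses direct registry writes to Features\TamperProtection and disregards the Real-Time Protection policy values, so success here does not imply success on a managed endpoint. Second, the effective state is what matters for triage: on a suspect machine compare `Get-MpComputerStatus` (IsTamperProtected, RealTimeProtectionEnabled) with the raw policy key from `reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"`.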

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\dda2f7a4dc61593f572c743c4eecebfe3b5fb55ffea2844fb40372245f23e7be.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zifJ9763.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziCM3020.exe N/A

Note on these rows: wextract_cleanupN RunOnce values are the standard clean-up hook written by the Windows wextract (IExpress) self-extractor. At the next logon rundll32 calls advpack.dll!DelNodeRunDLL32 to delete the IXP00n.TMP extraction directory; nothing is relaunched. Read them as evidence of three nested IExpress packages (IXP000, IXP001, IXP002), each layer extracting and running the next, rather than as the malware's own persistence. The WOW6432Node path shows the 32-bit droppers being redirected by WOW64 on a 64-bit Windows 10 image.

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr843899.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dda2f7a4dc61593f572c743c4eecebfe3b5fb55ffea2844fb40372245f23e7be.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zifJ9763.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziCM3020.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it670988.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it670988.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it670988.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr843899.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3160 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\dda2f7a4dc61593f572c743c4eecebfe3b5fb55ffea2844fb40372245f23e7be.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zifJ9763.exe
PID 3160 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\dda2f7a4dc61593f572c743c4eecebfe3b5fb55ffea2844fb40372245f23e7be.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zifJ9763.exe
PID 3160 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\dda2f7a4dc61593f572c743c4eecebfe3b5fb55ffea2844fb40372245f23e7be.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zifJ9763.exe
PID 4656 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zifJ9763.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziCM3020.exe
PID 4656 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zifJ9763.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziCM3020.exe
PID 4656 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zifJ9763.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziCM3020.exe
PID 4576 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziCM3020.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it670988.exe
PID 4576 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziCM3020.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it670988.exe
PID 4576 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziCM3020.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr843899.exe
PID 4576 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziCM3020.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr843899.exe
PID 4576 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziCM3020.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr843899.exe
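The WriteProcessMemory rows above repeat (one row per call), and the report does not record what was written, so the table is best read as an ancestry record rather than as proof of code injection. The script below is an added example for this report, not sandbox vendor code: it folds the duplicate rows, rebuilds the parent/child tree with PIDs and image paths, and lists the IXP00n.TMP staging directories, which wextract (IExpress) creates one per extraction layer. The rows are constructed from the table above.

```python
"""Rebuild the dropper's process chain from 'PID X wrote to memory of Y' rows.

Added example for this report, not sandbox vendor code. SAMPLE_ROWS is
constructed from the report's WriteProcessMemory table.
"""
import re
from collections import defaultdict

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

_ROOT = r"C:\Users\Admin\AppData\Local\Temp\dda2f7a4dc61593f572c743c4eecebfe3b5fb55ffea2844fb40372245f23e7be.exe"
_L0 = r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zifJ9763.exe"
_L1 = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziCM3020.exe"
_IT = r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it670988.exe"
_JR = r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr843899.exe"

SAMPLE_ROWS = (
    [f"PID 3160 wrote to memory of 4656 N/A {_ROOT} {_L0}"] * 3
    + [f"PID 4656 wrote to memory of 4576 N/A {_L0} {_L1}"] * 3
    + [f"PID 4576 wrote to memory of 1560 N/A {_L1} {_IT}"] * 2
    + [f"PID 4576 wrote to memory of 3276 N/A {_L1} {_JR}"] * 3
)


def parse_edges(rows):
    """Fold duplicates: {(parent_pid, child_pid): ((parent_image, child_image), write_count)}."""
    edges = {}
    for row in rows:
        m = ROW_RE.match(row)
        if m is None:
            raise ValueError(f"unrecognised row: {row!r}")
        ppid, cpid, pimg, cimg = m.groups()
        key = (int(ppid), int(cpid))
        images, count = edges.get(key, ((pimg, cimg), 0))
        edges[key] = (images, count + 1)
    return edges


def build_tree(edges):
    """Return (sorted root pids, {pid: sorted child pids}, {pid: image path})."""
    images, children = {}, defaultdict(list)
    for (ppid, cpid), ((pimg, cimg), _count) in edges.items():
        images[ppid] = pimg
        images[cpid] = cimg
        children[ppid].append(cpid)
    all_children = {c for kids in children.values() for c in kids}
    roots = sorted(pid for pid in images if pid not in all_children)
    return roots, {p: sorted(k) for p, k in children.items()}, images


def render_tree(roots, children, images, depth=0):
    """Indented text lines, one per process, depth-first."""
    lines = []
    for pid in roots:
        lines.append("  " * depth + f"{pid}  {images[pid]}")
        lines.extend(render_tree(children.get(pid, []), children, images, depth + 1))
    return lines


def extraction_layers(images):
    """IXP00n.TMP staging directories seen in image paths (wextract creates one per layer)."""
    dirs = set()
    for path in images.values():
        m = re.search(r"\\(IXP\d{3}\.TMP)\\", path)
        if m:
            dirs.add(m.group(1))
    return sorted(dirs)


if __name__ == "__main__":
    roots, children, images = build_tree(parse_edges(SAMPLE_ROWS))
    print("\n".join(render_tree(roots, children, images)))
    print("extraction layers:", ", ".join(extraction_layers(images)))
```

On this sample the tree is a single chain of three wextract layers ending in two siblings under IXP002.TMP: it670988.exe (the Defender-tampering Healer component) and jr843899.exe (PID 3276, the process whose memory the report dumps repeatedly).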

Processes

Process  Command line
C:\Users\Admin\AppData\Local\Temp\dda2f7a4dc61593f572c743c4eecebfe3b5fb55ffea2844fb40372245f23e7be.exe  "C:\Users\Admin\AppData\Local\Temp\dda2f7a4dc61593f572c743c4eecebfe3b5fb55ffea2844fb40372245f23e7be.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zifJ9763.exe  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zifJ9763.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziCM3020.exe  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziCM3020.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it670988.exe  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it670988.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr843899.exe  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr843899.exe
C:\Windows\system32\sc.exe  C:\Windows\system32\sc.exe start wuauserv

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.161.248.152:38452 tcp
RU 185.161.248.152:38452 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
RU 185.161.248.152:38452 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 185.161.248.152:38452 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
RU 185.161.248.152:38452 tcp
RU 185.161.248.152:38452 tcp
RU 185.161.248.152:38452 tcp
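The Domain column holds reverse (PTR) query names: an in-addr.arpa name carries the looked-up IP with its octets reversed, so 154.239.44.20.in-addr.arpa is a lookup for 20.44.239.154. The only non-DNS endpoint in the table is 185.161.248.152:38452/tcp, contacted seven times. The script below is an added example for this report, not sandbox vendor code: it parses rows of this shape, turns PTR names back into addresses (handling ip6.arpa as well, which the page does not show), and separates direct endpoints from resolver traffic. Rows are constructed from the table above.

```python
"""Extract network indicators from a sandbox network table.

Added example for this report, not sandbox vendor code. SAMPLE_ROWS is
constructed from the report's Network section.
"""
import ipaddress
import re
from collections import Counter

SAMPLE_ROWS = [
    "US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp",
    "US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp",
    "US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp",
    "US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp",
    "US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp",
    "RU 185.161.248.152:38452 tcp",
    "RU 185.161.248.152:38452 tcp",
    "US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp",
    "RU 185.161.248.152:38452 tcp",
    "US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp",
    "RU 185.161.248.152:38452 tcp",
    "US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp",
    "RU 185.161.248.152:38452 tcp",
    "RU 185.161.248.152:38452 tcp",
    "RU 185.161.248.152:38452 tcp",
]

# Row shape: <country> <dst>:<port> [<domain>] <proto>
ROW_RE = re.compile(r"^([A-Z]{2}) (\S+):(\d+)(?: (\S+))? (tcp|udp)$")


def ptr_to_ip(name: str):
    """Convert a PTR query name back to the address it asks about, or None if it is not one."""
    label = name.lower().rstrip(".")
    if label.endswith(".in-addr.arpa"):
        octets = label[: -len(".in-addr.arpa")].split(".")
        if len(octets) != 4:
            return None
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    if label.endswith(".ip6.arpa"):
        nibbles = label[: -len(".ip6.arpa")].split(".")
        if len(nibbles) != 32:
            return None
        return str(ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16)))
    return None


def parse_rows(rows):
    """Parse rows into dicts; raise on anything that does not match the table shape."""
    parsed = []
    for row in rows:
        m = ROW_RE.match(row)
        if m is None:
            raise ValueError(f"unrecognised row: {row!r}")
        country, dst, port, domain, proto = m.groups()
        parsed.append({"country": country, "dst": dst, "port": int(port), "domain": domain, "proto": proto})
    return parsed


def extract_indicators(rows):
    """Return (Counter of (dst, port, proto) for non-DNS traffic, sorted IPs looked up via PTR)."""
    endpoints = Counter()
    ptr_targets = set()
    for r in parse_rows(rows):
        if r["port"] == 53 and r["domain"]:
            ip = ptr_to_ip(r["domain"])
            if ip:
                ptr_targets.add(ip)
            continue
        endpoints[(r["dst"], r["port"], r["proto"])] += 1
    return endpoints, sorted(ptr_targets, key=ipaddress.ip_address)


if __name__ == "__main__":
    endpoints, ptr_targets = extract_indicators(SAMPLE_ROWS)
    for (dst, port, proto), hits in endpoints.most_common():
        print(f"endpoint {dst}:{port}/{proto} ({hits} connections)")
    print("addresses reverse-looked-up:", ", ".join(ptr_targets))
```

The report does not say which process generated the PTR queries, and reverse lookups of this kind are routinely issued by Windows itself, so keep the derived addresses separate from the direct endpoint when writing indicators: only 185.161.248.152:38452 is a connection the detonation actually made.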

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zifJ9763.exe

MD5 3858354b8d04993efbc9908cf332adfe
SHA1 ff3922abcf6f16777720c9e050fb750430f91478
SHA256 aef7b199ad512e2e248ebb811785a7a6c274b9b7fb0a3e251217babe4d01ef1d
SHA512 0f6c8de17f83bf2692e88f0d5b2ab459970431b6554918b5c6ca752cdb6675a19c73eba49e098bf71680260fc8453ecc01d4c8cb196c88df5ac3637bd2791de0

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziCM3020.exe

MD5 ee0825cdf5cfdb06e91ca522e2a75663
SHA1 1b1d4bc34e4b8219f482d53af0fe84a5b54f3bd2
SHA256 2767936a4c6a15d76b71c2e6305f96aec19fde99333bb8ee69415e7eb6346137
SHA512 a9e58569d774f8ca77f11e152f3fb4ee12fcd30a6b11a777237dffe34c1640059ace37d2b46bff3653d42e911dfa9beded19e707d49f4d6c457420310373965f

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it670988.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Memory dumps for PID 1560 (it670988.exe):

memory/1560-21-0x00007FF985673000-0x00007FF985675000-memory.dmp
memory/1560-22-0x0000000000B20000-0x0000000000B2A000-memory.dmp
memory/1560-23-0x00007FF985673000-0x00007FF985675000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr843899.exe

MD5 a78344177ef52664d674b99498c8717a
SHA1 c8bb120c471d5dbb47deda7e87f02c63e37698cc
SHA256 60e3dd1958800944a7e02b2c8f73260be3c20c0a52ce459f4d2a7e5c1953260f
SHA512 57a685c4f640786c390965e9162d9fc3bf5120d27fa9339805fcf209d67091bc44d2969e481b8ca37b600763be6797179f40a0bba4d700f30c79b91b6bf7bbfd

Memory dumps for PID 3276 (jr843899.exe):

memory/3276-29-0x00000000027C0000-0x00000000027FC000-memory.dmp
memory/3276-30-0x0000000005020000-0x00000000055C4000-memory.dmp
memory/3276-31-0x00000000029A0000-0x00000000029DA000-memory.dmp
memory/3276-N-0x00000000029A0000-0x00000000029D5000-memory.dmp for N in 32, 33, 35, 37, 39, 41, 43, 45, 47, 49, 51, 53, 55, 57, 59, 61, 63, 65, 67, 69, 71, 73, 75, 77, 79, 81, 83, 85, 87, 89, 91, 93, 95 (33 dumps of the same 0x35000-byte region, captured repeatedly over the run)
memory/3276-824-0x0000000007950000-0x0000000007F68000-memory.dmp
memory/3276-825-0x0000000007FA0000-0x0000000007FB2000-memory.dmp
memory/3276-826-0x0000000007FC0000-0x00000000080CA000-memory.dmp
memory/3276-827-0x00000000080E0000-0x000000000811C000-memory.dmp
memory/3276-828-0x00000000025A0000-0x00000000025EC000-memory.dmp