Malware Analysis Report

2025-08-06 01:52

Sample ID 241111-hkkg1atqey
Target 8e026466639da1c6bfbc2de6512a6ed5841f4279a01a3734b6219d7f5feb0b59
SHA256 8e026466639da1c6bfbc2de6512a6ed5841f4279a01a3734b6219d7f5feb0b59
Tags
healer redline mazda discovery dropper evasion infostealer persistence trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

8e026466639da1c6bfbc2de6512a6ed5841f4279a01a3734b6219d7f5feb0b59

Threat Level: Known bad

The file 8e026466639da1c6bfbc2de6512a6ed5841f4279a01a3734b6219d7f5feb0b59 was found to be: Known bad.

Malicious Activity Summary

healer redline mazda discovery dropper evasion infostealer persistence trojan

Detects Healer an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

Healer

RedLine payload

RedLine

Redline family

Healer family

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 06:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 06:47

Reported

2024-11-11 06:50

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8e026466639da1c6bfbc2de6512a6ed5841f4279a01a3734b6219d7f5feb0b59.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A (same row repeated 17 times)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0970329.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0970329.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0970329.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0970329.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0970329.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0970329.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A (same row repeated 2 times)

Redline family

redline

Windows security modification

evasion trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0970329.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0970329.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8677913.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\8e026466639da1c6bfbc2de6512a6ed5841f4279a01a3734b6219d7f5feb0b59.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6443129.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0281841.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5837216.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5837216.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8677913.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0970329.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6739499.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8e026466639da1c6bfbc2de6512a6ed5841f4279a01a3734b6219d7f5feb0b59.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6443129.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0281841.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0970329.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0970329.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0970329.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1108 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\8e026466639da1c6bfbc2de6512a6ed5841f4279a01a3734b6219d7f5feb0b59.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6443129.exe
PID 1108 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\8e026466639da1c6bfbc2de6512a6ed5841f4279a01a3734b6219d7f5feb0b59.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6443129.exe
PID 1108 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\8e026466639da1c6bfbc2de6512a6ed5841f4279a01a3734b6219d7f5feb0b59.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6443129.exe
PID 4784 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6443129.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0281841.exe
PID 4784 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6443129.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0281841.exe
PID 4784 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6443129.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0281841.exe
PID 3288 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0281841.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5837216.exe
PID 3288 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0281841.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5837216.exe
PID 3288 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0281841.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5837216.exe
PID 3076 wrote to memory of 184 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5837216.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8677913.exe
PID 3076 wrote to memory of 184 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5837216.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8677913.exe
PID 3076 wrote to memory of 184 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5837216.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8677913.exe
PID 184 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8677913.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0970329.exe
PID 184 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8677913.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0970329.exe
PID 184 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8677913.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0970329.exe
PID 184 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8677913.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6739499.exe
PID 184 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8677913.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6739499.exe
PID 184 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8677913.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6739499.exe

Processes

Image: C:\Users\Admin\AppData\Local\Temp\8e026466639da1c6bfbc2de6512a6ed5841f4279a01a3734b6219d7f5feb0b59.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\8e026466639da1c6bfbc2de6512a6ed5841f4279a01a3734b6219d7f5feb0b59.exe"

Image: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6443129.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6443129.exe

Image: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0281841.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0281841.exe

Image: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5837216.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5837216.exe

Image: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8677913.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8677913.exe

Image: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0970329.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0970329.exe

Image: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1344 -ip 1344

Image: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 1084

Image: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6739499.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6739499.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
CY 217.196.96.56:4138 N/A tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
CY 217.196.96.56:4138 N/A tcp
CY 217.196.96.56:4138 N/A tcp
CY 217.196.96.56:4138 N/A tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
CY 217.196.96.56:4138 N/A tcp
CY 217.196.96.56:4138 N/A tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6443129.exe

MD5 c1a5446c98f644c3065b1ff16dada540
SHA1 38dd3f76f26e6843487f20c8eebc458c48622cd8
SHA256 117e3f27b31180ec01d8045782cea955c7bdaaa42cdad90c71e3631707285601
SHA512 2a6f25acf537023855d3929a592d729410ca8f39c7c470f3418e033b7fd7246257f3b02cdad0ba1a7a535c7809ab82fc3f040f7ca9b742c012032fad4c29dc38

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0281841.exe

MD5 5a5a88321a9855e4e0332c9c5adf4588
SHA1 4880656779da2c7605eab11f1dfe22e2e1566fa3
SHA256 9cb0c91f9f865101df89359c07ab32149de8f0001f57104f151a3489a72220a1
SHA512 2a255a41388f2668a33ffda0e56f32a1ba4ad8b0f75870e9a78f68acd02f9609e294dc264538183a9f85a951ead2687401be02c7a18270ad19e9eefbfb0e5dd6

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5837216.exe

MD5 da3a2daf8f678b8736e0a4b3b45aba32
SHA1 2cae98a9991e594154787ff2fefac4586d93b59d
SHA256 71aaa630e14a04aca23e684867fc5cffa3c8f91d7bb84a4174440dddf97bbc5c
SHA512 36f088cb74d020a2cf709e41ac84530e4d8cf80295da1f24ea99f4bdd928cad160b8463e3d81ee4da7888d67284615c3a1e6beb969e47d68280a65f2e7e22acf

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8677913.exe

MD5 1ee1e17e077d161c03cedc79b8065fdc
SHA1 05bda9d3e9b3b5558a0f4853d5b64d7b9c323827
SHA256 7281e30330185564815cdd0866a89a20ecb006fc144b167962d8720264f1432b
SHA512 a549b96144945509ecdba1f8666337f4a20786d2b14507bf32f82fc882bf114cb8d4130904b06f56cc11e6a3a3632c03cdb6280138a65c04ff171bfffa363944

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0970329.exe

MD5 994cbfd6eb427096de5b7ae75430ae62
SHA1 1f3e664226df45c9a4e1eb4a76674d47d894af93
SHA256 b91324af2df66e0c50d991235a54cb43d4a6db4e183cf978b0980f5e0d24104e
SHA512 cfaa29000b5d750cf17698fb1a42a1d596b609d3eb682699275ac2f79f835b737541478127616b8c2008ada02e832aa78f6bbe624fc646e6ecde14f77e4ec3f6

memory/1344-36-0x0000000004D50000-0x0000000004D6A000-memory.dmp

memory/1344-37-0x0000000004D80000-0x0000000005324000-memory.dmp

memory/1344-38-0x0000000005390000-0x00000000053A8000-memory.dmp

memory/1344-66-0x0000000005390000-0x00000000053A2000-memory.dmp

memory/1344-64-0x0000000005390000-0x00000000053A2000-memory.dmp

memory/1344-62-0x0000000005390000-0x00000000053A2000-memory.dmp

memory/1344-60-0x0000000005390000-0x00000000053A2000-memory.dmp

memory/1344-58-0x0000000005390000-0x00000000053A2000-memory.dmp

memory/1344-56-0x0000000005390000-0x00000000053A2000-memory.dmp

memory/1344-55-0x0000000005390000-0x00000000053A2000-memory.dmp

memory/1344-52-0x0000000005390000-0x00000000053A2000-memory.dmp

memory/1344-50-0x0000000005390000-0x00000000053A2000-memory.dmp

memory/1344-48-0x0000000005390000-0x00000000053A2000-memory.dmp

memory/1344-46-0x0000000005390000-0x00000000053A2000-memory.dmp

memory/1344-45-0x0000000005390000-0x00000000053A2000-memory.dmp

memory/1344-42-0x0000000005390000-0x00000000053A2000-memory.dmp

memory/1344-40-0x0000000005390000-0x00000000053A2000-memory.dmp

memory/1344-39-0x0000000005390000-0x00000000053A2000-memory.dmp

memory/1344-67-0x0000000000400000-0x00000000006F4000-memory.dmp

memory/1344-69-0x0000000000400000-0x00000000006F4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6739499.exe

MD5 bec2367794b115f6e4fcfeb223fcd261
SHA1 36b460576d4f709ad077741b5a8bb1c95c5b0a56
SHA256 bc986e6c654452da46c85dfaa65c094529fe707d35119498addf2fc611e62d70
SHA512 4a406a4bb2486c3476106e444e9d58d6be7656088ebe004711279b23f0a24cfc5e5d5ef974908150109b1328817040546164da7952a5d748c5356c5629b36d73

memory/872-73-0x00000000005D0000-0x0000000000600000-memory.dmp

memory/872-74-0x0000000004DB0000-0x0000000004DB6000-memory.dmp

memory/872-75-0x000000000AA00000-0x000000000B018000-memory.dmp

memory/872-76-0x000000000A580000-0x000000000A68A000-memory.dmp

memory/872-77-0x000000000A4B0000-0x000000000A4C2000-memory.dmp

memory/872-78-0x000000000A510000-0x000000000A54C000-memory.dmp

memory/872-79-0x00000000047A0000-0x00000000047EC000-memory.dmp