Malware Analysis Report

2025-08-06 01:52

Sample ID: 241111-hlgshavhka
Target:    e85f1bbc6036b51cbdd369617718b599b1dfc2b0c3edbc50f468944a83612623
SHA256:    e85f1bbc6036b51cbdd369617718b599b1dfc2b0c3edbc50f468944a83612623
Tags:      healer redline diza norm discovery dropper evasion infostealer persistence trojan
Score:     10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score:  10/10
SHA256: e85f1bbc6036b51cbdd369617718b599b1dfc2b0c3edbc50f468944a83612623
Threat Level: Known bad (the file was found to be: Known bad)

Malicious Activity Summary

Tags: healer redline diza norm discovery dropper evasion infostealer persistence trojan

Family detections
  Healer / Healer family: Detects Healer an antivirus disabler dropper
  RedLine / Redline family: RedLine payload

Behavioural signatures
  Modifies Windows Defender Real-time Protection settings
  Windows security modification
  Checks computer location settings
  Executes dropped EXE
  Adds Run key to start application
  Unsigned PE
  System Location Discovery: System Language Discovery
  Enumerates physical storage devices
  Program crash
  Suspicious use of WriteProcessMemory
  Suspicious use of AdjustPrivilegeToken
  Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-11 06:49

Signatures

Unsigned PE
  One hit; no description, indicator, process or target recorded.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-11 06:49
Reported:  2024-11-11 06:51
Platform:  win10v2004-20241007-en
Max time kernel:  149s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e85f1bbc6036b51cbdd369617718b599b1dfc2b0c3edbc50f468944a83612623.exe"

Signatures

Detects Healer an antivirus disabler dropper
  Tags: dropper, healer (Healer; Healer family)
  Two hits; no description, indicator, process or target recorded.

Modifies Windows Defender Real-time Protection settings
  Tags: evasion, trojan
  Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr905985.exe
  Key created:     \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"

RedLine
  Tags: infostealer, redline (Redline family)
  RedLine payload: five hits; no description, indicator, process or target recorded.

Checks computer location settings
  Key value queried: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation
  Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku366032.exe
  Geo\Nation holds the country code configured for the user. Stealers and loaders commonly read it to skip victims in excluded countries; the report records only the read, not what the sample did with the value.

Windows security modification
  Tags: evasion, trojan
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"
  Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr905985.exe
  Caveat: the Real-Time Protection values above are policy settings that Defender honours, but on a host where Tamper Protection is enabled the Defender service is designed to ignore or revert both those policy writes and this TamperProtection write. The writes therefore do not prove Defender was disabled in a victim environment; a non-Microsoft process attempting them is a high-fidelity detection signal whether or not they take effect.
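The seven registry writes attributed to jr905985.exe in the two sections above are exactly what a registry-event detection should key on. The following is an added example, not part of the sandbox report: it scores Sysmon Event ID 13 (RegistryEvent SetValue) style records for Defender tampering, normalising the sandbox's \REGISTRY\MACHINE spelling and the WOW6432Node view onto one key form. The input records are constructed for the example (field names follow Sysmon's Image, TargetObject and Details; the values mirror the report's writes plus two made-up benign events), and the svchost.exe allow-list and the "two or more disabled features" threshold are tuning assumptions, not anything the report states.

```python
"""Flag Windows Defender tampering in registry SetValue events.

Added example, not part of the report. Records use Sysmon Event ID 13
field names (Image, TargetObject, Details); the sample records below are
constructed and mix the sandbox's \\REGISTRY\\MACHINE spelling with
Sysmon's HKLM\\ spelling to exercise the normalisation.
"""
import re
from collections import defaultdict

# Real-Time Protection policy values that disable a feature when set to 1.
# All five appear in the report's writes by jr905985.exe.
RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
    "DisableOnAccessProtection",
    "DisableIOAVProtection",
    "DisableScanOnRealtimeEnable",
}
RTP_POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
TAMPER_KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection"

# Images allowed to write these keys. The Group Policy client runs inside
# svchost.exe; this allow-list is a tuning assumption, not from the report.
ALLOWED_IMAGES = {r"c:\windows\system32\svchost.exe"}


def normalise_key(path):
    """Map sandbox and Sysmon registry spellings onto HKLM\\...; the
    WOW6432Node view is folded away because it carries the same policy."""
    path = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path, flags=re.I)
    path = re.sub(r"^HKEY_LOCAL_MACHINE\\", r"HKLM\\", path, flags=re.I)
    path = re.sub(r"\\WOW6432Node\\", r"\\", path, flags=re.I)
    return path


def parse_dword(details):
    """Sysmon renders DWORDs as 'DWORD (0x00000001)'; sandboxes print a bare
    quoted number. Returns None if no integer is present."""
    m = re.search(r"0x([0-9a-f]+)", details, flags=re.I)
    if m:
        return int(m.group(1), 16)
    m = re.search(r"-?\d+", details)
    return int(m.group(0)) if m else None


def evaluate(events):
    """Return one finding per process that set TamperProtection to 0 or
    disabled two or more Real-Time Protection features. A single policy
    write is not reported on its own; that threshold is a tuning choice."""
    state = defaultdict(lambda: {"rtp": set(), "tamper_off": False})
    for ev in events:
        image = ev["Image"]
        if image.lower() in ALLOWED_IMAGES:
            continue
        key = normalise_key(ev["TargetObject"])
        parent, _, name = key.rpartition("\\")
        value = parse_dword(ev["Details"])
        if parent.lower() == RTP_POLICY_KEY.lower() and name in RTP_DISABLE_VALUES and value == 1:
            state[image]["rtp"].add(name)
        elif key.lower() == TAMPER_KEY.lower() and value == 0:
            state[image]["tamper_off"] = True
    findings = []
    for image, s in state.items():
        if s["tamper_off"] or len(s["rtp"]) >= 2:
            findings.append({"image": image, "disabled": sorted(s["rtp"]),
                             "tamper_protection_off": s["tamper_off"]})
    return findings


# Constructed records: the report's seven writes by jr905985.exe, then a
# Group Policy refresh and a hypothetical installer touching one value.
JR = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr905985.exe"
RTP = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
SAMPLE_EVENTS = [
    {"Image": JR, "TargetObject": RTP + r"\DisableIOAVProtection", "Details": "DWORD (0x00000001)"},
    {"Image": JR, "TargetObject": RTP + r"\DisableOnAccessProtection", "Details": "DWORD (0x00000001)"},
    {"Image": JR, "TargetObject": RTP + r"\DisableRealtimeMonitoring", "Details": "DWORD (0x00000001)"},
    {"Image": JR, "TargetObject": RTP + r"\DisableScanOnRealtimeEnable", "Details": "DWORD (0x00000001)"},
    {"Image": JR, "TargetObject": RTP + r"\DisableBehaviorMonitoring", "Details": "DWORD (0x00000001)"},
    {"Image": JR, "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection",
     "Details": "DWORD (0x00000000)"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"Image": r"C:\Tools\setup.exe",  # hypothetical, below threshold
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, only jr905985.exe is reported, with all five features listed and Tamper Protection marked off; the svchost.exe write is allow-listed and the single setup.exe write stays below the threshold. Feed it real Sysmon output by mapping each Event ID 13 record into the same three fields.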

Adds Run key to start application
  Tags: persistence
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
    Process: C:\Users\Admin\AppData\Local\Temp\e85f1bbc6036b51cbdd369617718b599b1dfc2b0c3edbc50f468944a83612623.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
    Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidM9435.exe
  Caveat: these RunOnce values are the standard clean-up that IExpress (wextract) self-extracting packages register: advpack.dll DelNodeRunDLL32 deletes the IXP00n.TMP extraction directory on the next logon. They do not relaunch any payload, so the "persistence" tag reflects the Run key write itself rather than a persistence mechanism for the stealer. What the pair does show is a two-level IExpress package: the outer file extracts zidM9435.exe and lr163851.exe into IXP000.TMP, and zidM9435.exe is itself an IExpress package that extracts jr905985.exe and ku366032.exe into IXP001.TMP.

Enumerates physical storage devices
  No description, indicator, process or target recorded.

System Location Discovery: System Language Discovery
  Tags: discovery
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by each of:
    C:\Windows\Temp\1.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr163851.exe
    C:\Users\Admin\AppData\Local\Temp\e85f1bbc6036b51cbdd369617718b599b1dfc2b0c3edbc50f468944a83612623.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidM9435.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku366032.exe

Suspicious behavior: EnumeratesProcesses
  Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr905985.exe (two hits; no indicator recorded)

Suspicious use of AdjustPrivilegeToken
  Token: SeDebugPrivilege  Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr905985.exe
  Token: SeDebugPrivilege  Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku366032.exe

Suspicious use of WriteProcessMemory
  The raw table lists each source/target pair two or three times; deduplicated, with the number of raw rows per pair:
  PID 3324 -> PID 1660 (3 rows): C:\Users\Admin\AppData\Local\Temp\e85f1bbc6036b51cbdd369617718b599b1dfc2b0c3edbc50f468944a83612623.exe -> C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidM9435.exe
  PID 1660 -> PID 4516 (2 rows): C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidM9435.exe -> C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr905985.exe
  PID 1660 -> PID 1944 (3 rows): C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidM9435.exe -> C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku366032.exe
  PID 1944 -> PID 4428 (3 rows): C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku366032.exe -> C:\Windows\Temp\1.exe
  PID 3324 -> PID 4236 (3 rows): C:\Users\Admin\AppData\Local\Temp\e85f1bbc6036b51cbdd369617718b599b1dfc2b0c3edbc50f468944a83612623.exe -> C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr163851.exe
  Every target is a freshly dropped executable and every pair matches a parent/child pair in the Processes list, which is what a parent writing start-up state into a process it has just created looks like in this view. No row targets a pre-existing system process, so these rows do not by themselves show injection into a foreign process.
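Reports of this kind emit one WriteProcessMemory row per write, so the parent/child relationships are buried under duplicates. The following is an added example, not part of the report: it collapses the raw rows into unique parent-to-child edges, keeps the count of rows behind each edge, and prints the resulting process tree. The embedded rows are the report's own WriteProcessMemory rows, duplicates included; the parser assumes image paths contain no spaces, which holds for every row here.

```python
"""Rebuild a process tree from a sandbox "wrote to memory of" table.

Added example, not part of the report. The row format is the report's
own: "PID A wrote to memory of B N/A <source image> <target image>".
Image paths are assumed to contain no spaces (true for this report).
"""
import re

ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# The report's WriteProcessMemory rows, duplicates included on purpose.
REPORT_ROWS = r"""
PID 3324 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\e85f1bbc6036b51cbdd369617718b599b1dfc2b0c3edbc50f468944a83612623.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidM9435.exe
PID 3324 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\e85f1bbc6036b51cbdd369617718b599b1dfc2b0c3edbc50f468944a83612623.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidM9435.exe
PID 3324 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\e85f1bbc6036b51cbdd369617718b599b1dfc2b0c3edbc50f468944a83612623.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidM9435.exe
PID 1660 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidM9435.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr905985.exe
PID 1660 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidM9435.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr905985.exe
PID 1660 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidM9435.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku366032.exe
PID 1660 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidM9435.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku366032.exe
PID 1660 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidM9435.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku366032.exe
PID 1944 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku366032.exe C:\Windows\Temp\1.exe
PID 1944 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku366032.exe C:\Windows\Temp\1.exe
PID 1944 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku366032.exe C:\Windows\Temp\1.exe
PID 3324 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\e85f1bbc6036b51cbdd369617718b599b1dfc2b0c3edbc50f468944a83612623.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr163851.exe
PID 3324 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\e85f1bbc6036b51cbdd369617718b599b1dfc2b0c3edbc50f468944a83612623.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr163851.exe
PID 3324 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\e85f1bbc6036b51cbdd369617718b599b1dfc2b0c3edbc50f468944a83612623.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr163851.exe
"""


def parse_rows(text):
    """Return (edges, names, counts): unique (parent, child) edges in
    first-seen order, pid -> image path, and raw rows behind each edge."""
    edges, names, counts = [], {}, {}
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header or blank line
        ppid, cpid = int(m.group(1)), int(m.group(2))
        names.setdefault(ppid, m.group(3))
        names.setdefault(cpid, m.group(4))
        edge = (ppid, cpid)
        if edge not in counts:
            edges.append(edge)
        counts[edge] = counts.get(edge, 0) + 1
    return edges, names, counts


def build_tree(edges):
    """Return (roots, children); roots are PIDs that never appear as a child."""
    children = {}
    for parent, child in edges:
        children.setdefault(parent, []).append(child)
    child_pids = {child for _, child in edges}
    roots = list(dict.fromkeys(p for p, _ in edges if p not in child_pids))
    return roots, children


def render_tree(edges, names, indent="  "):
    """Indented text tree, one line per process, depth-first in edge order."""
    roots, children = build_tree(edges)
    lines = []

    def walk(pid, depth):
        lines.append(f"{indent * depth}{names[pid]} (PID {pid})")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    edges, names, counts = parse_rows(REPORT_ROWS)
    print(render_tree(edges, names))
    for edge in edges:
        print(f"{edge[0]} -> {edge[1]}: {counts[edge]} raw rows")
```

On the report's rows this yields five edges with PID 3324 as the single root, 1660 fanning out to 4516 and 1944, and 1944 spawning 4428, the same tree the Processes list below is presented as.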

Processes

PIDs and nesting are taken from the WriteProcessMemory source/target pairs above; a command line is shown only where it differs from the image path.

C:\Users\Admin\AppData\Local\Temp\e85f1bbc6036b51cbdd369617718b599b1dfc2b0c3edbc50f468944a83612623.exe (PID 3324)
  command line: "C:\Users\Admin\AppData\Local\Temp\e85f1bbc6036b51cbdd369617718b599b1dfc2b0c3edbc50f468944a83612623.exe"
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidM9435.exe (PID 1660)
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr905985.exe (PID 4516)
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku366032.exe (PID 1944)
      C:\Windows\Temp\1.exe (PID 4428)
        command line: "C:\Windows\Temp\1.exe"
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr163851.exe (PID 4236)

Crash reporting for PID 1944 (ku366032.exe; this is the Program crash signature, and the SysWOW64 WerFault shows the crashing process is 32-bit):
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1944 -ip 1944
C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 1380

Network

Rows are in the sandbox's original order; consecutive identical rows are collapsed with a count.

Country  Destination          Domain                         Proto  Count
US       8.8.8.8:53           133.211.185.52.in-addr.arpa    udp    1
US       8.8.8.8:53           14.160.190.20.in-addr.arpa     udp    1
US       8.8.8.8:53           95.221.229.192.in-addr.arpa    udp    1
FI       77.91.124.145:4125                                  tcp    2
US       8.8.8.8:53           241.150.49.20.in-addr.arpa     udp    1
FI       77.91.124.145:4125                                  tcp    2
US       8.8.8.8:53           88.210.23.2.in-addr.arpa       udp    1
FI       77.91.124.145:4125                                  tcp    8
US       8.8.8.8:53           170.117.168.52.in-addr.arpa    udp    1

The six DNS queries are reverse (PTR) lookups for 52.185.211.133, 20.190.160.14, 192.229.221.95, 20.49.150.241, 2.23.210.88 and 52.168.117.170; the report does not attribute them to a process. The only non-DNS traffic is twelve TCP connections to 77.91.124.145 on port 4125, and no forward DNS query for that address appears in the capture, so within this run the address was used directly rather than resolved. Treat 77.91.124.145:4125 as the network indicator from this detonation.
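Reading a network table like this by hand means decoding the in-addr.arpa names and spotting which destinations were never resolved. The following is an added example, not part of the report: it parses the report's Network rows, converts PTR names to the IPv4 address being looked up, records any forward (non-PTR) queries, and counts every non-DNS destination, which is where the candidate C2 indicator sits. The embedded rows are the report's own; the country/destination/domain/proto layout is the only format assumed.

```python
"""Summarise a sandbox network table: decode PTR names, isolate direct flows.

Added example, not part of the report. Rows are "<CC> <ip>:<port> [<domain>] <proto>".
"""
import ipaddress
import re
from collections import Counter

LINE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+)(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$"
)

# The report's rows, in the order the sandbox listed them.
REPORT_ROWS = """
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 170.117.168.52.in-addr.arpa udp
"""


def ptr_to_ip(name):
    """'133.211.185.52.in-addr.arpa' -> '52.185.211.133'; None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None  # partial zone names carry no host address
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ValueError:
        return None


def summarise(text):
    """Split the table into resolver usage, PTR targets, forward lookups and
    direct (non-DNS) destinations with flow counts."""
    resolvers, direct = Counter(), Counter()
    ptr_targets, forward_lookups = [], []
    for line in text.strip().splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # header or blank line
        ip, port, proto = m["ip"], int(m["port"]), m["proto"]
        if port == 53 and m["domain"]:
            resolvers[ip] += 1
            target = ptr_to_ip(m["domain"])
            if target:
                ptr_targets.append(target)
            else:
                forward_lookups.append(m["domain"])
        else:
            direct[(m["cc"], ip, port, proto)] += 1
    return {
        "resolvers": dict(resolvers),
        "ptr_targets": ptr_targets,
        "forward_lookups": forward_lookups,
        "direct": dict(direct),
    }


if __name__ == "__main__":
    s = summarise(REPORT_ROWS)
    print("PTR lookups for:", ", ".join(s["ptr_targets"]))
    print("forward lookups:", s["forward_lookups"] or "none")
    for (cc, ip, port, proto), n in s["direct"].items():
        print(f"direct {proto} {ip}:{port} ({cc}) x{n}")
```

With an empty forward-lookup list and one direct destination, the output makes the point the prose above states: 77.91.124.145:4125 was contacted without any name resolution in the capture.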

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidM9435.exe (PID 1660)
  MD5    f7ebbc4c52f0ade16b33bc23be0db045
  SHA1   1474a26eee3ffacc267fb7ee7e9bb5502c8ac454
  SHA256 36f9addac891ee2cc262eeac725de41ce3a57a2be160b174182eca981303266d
  SHA512 1f5c18277728747f2e4ff1aedc7ce7851d06642afb3056987c1c4fd12435e5298ca5c6cb3aab090eab6060d9e9d7d7724ddd81907ff1c7d78fe4f0c634ff367b

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr905985.exe (PID 4516)
  MD5    63e82dedacf4746ece8ab970e4554ed7
  SHA1   4618d8b778cab80c6f8b36d9b913b5db97ebd7c8
  SHA256 97dfa4d777fc85f88bb2313b98ffc7b076279f1c9a1ab2f43f13ef3f4fcdd408
  SHA512 d31eb702b340522ef242246c49538e44ec933c9f0aaddad725681eb19d5b4b6afe2f1f06a6f1e0dfcd9fe8c005f817dc395a1a2ac2db92eafe84d6c134030b31
  Memory dumps (the 0x00007FFD... region shows this process runs 64-bit):
    memory/4516-14-0x00007FFD776A3000-0x00007FFD776A5000-memory.dmp
    memory/4516-15-0x0000000000250000-0x000000000025A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku366032.exe (PID 1944)
  MD5    40fc922d2a6ec7f62f53ecad05f1b820
  SHA1   7c1e80f0a41438fd430ad275fad4e40f1a786721
  SHA256 3c1da8b14ca4bc89b4efe0b019f33a96214bd9a11bd54806a0150662da200d2b
  SHA512 513a43f00553a8749405e9ea119489f070f61e06d9edfb8d5532b5e4a3457ed028afa9a5e2918c9653c627ba8b3fa431f520338433a5dc5e46e5f90c107f80b1
  Memory dumps:
    memory/1944-21-0x00000000025B0000-0x0000000002616000-memory.dmp
    memory/1944-22-0x0000000004DB0000-0x0000000005354000-memory.dmp
    memory/1944-23-0x0000000005360000-0x00000000053C6000-memory.dmp
    memory/1944-N-0x0000000005360000-0x00000000053BF000-memory.dmp, for N = 24, 25 and every odd N from 27 to 87 (33 snapshots of the same 0x5F000-byte region)
    memory/1944-2104-0x0000000005550000-0x0000000005582000-memory.dmp

C:\Windows\Temp\1.exe (PID 4428)
  MD5    1073b2e7f778788852d3f7bb79929882
  SHA1   7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
  SHA256 c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
  SHA512 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0
  Memory dumps:
    memory/4428-2117-0x00000000001F0000-0x0000000000220000-memory.dmp
    memory/4428-2118-0x0000000000B50000-0x0000000000B56000-memory.dmp
    memory/4428-2119-0x00000000051A0000-0x00000000057B8000-memory.dmp
    memory/4428-2120-0x0000000004C90000-0x0000000004D9A000-memory.dmp
    memory/4428-2121-0x0000000004B80000-0x0000000004B92000-memory.dmp
    memory/4428-2122-0x0000000004BE0000-0x0000000004C1C000-memory.dmp
    memory/4428-2123-0x0000000004C20000-0x0000000004C6C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr163851.exe (PID 4236)
  MD5    403d894c45f0d384cec5dca0cec06bd9
  SHA1   33014a4321c8b6e120f47b1d89314853ad0239d4
  SHA256 e77cc69ef7c57c5d40e30ca5075fb7f129633fbd1de602f2bdc96298dde723e7
  SHA512 a11219a268291a3255e081b47c7dfe2af23cb16a067087198c840b72d9e22de773b7d54e4d822c6ebdf2b662de2e197639d8060605e79558cd836be69edbf3fc
  Memory dumps:
    memory/4236-2128-0x0000000000AA0000-0x0000000000ACE000-memory.dmp
    memory/4236-2129-0x0000000002CC0000-0x0000000002CC6000-memory.dmp