Malware Analysis Report

2025-08-05 11:06

Sample ID 241111-hpn1zstrdw
Target dc02cb80ce04c12931090bc81f6e4653a41d2cdcb0804c4c722964eaf0399cd9
SHA256 dc02cb80ce04c12931090bc81f6e4653a41d2cdcb0804c4c722964eaf0399cd9
Tags
healer redline discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dc02cb80ce04c12931090bc81f6e4653a41d2cdcb0804c4c722964eaf0399cd9

Threat Level: Known bad

The file dc02cb80ce04c12931090bc81f6e4653a41d2cdcb0804c4c722964eaf0399cd9 was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

RedLine

Healer

Healer family

Detects Healer, an antivirus disabler dropper

RedLine payload

Redline family

Executes dropped EXE

Windows security modification

Adds Run key to start application

Launches sc.exe

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 06:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 06:54

Reported

2024-11-11 06:57

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc02cb80ce04c12931090bc81f6e4653a41d2cdcb0804c4c722964eaf0399cd9.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
17 hits; no description, indicator, process or target was recorded for any of them

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9213063.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9213063.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9213063.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9213063.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9213063.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9213063.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
2 hits; no description, indicator, process or target was recorded for either

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9213063.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9213063.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2381200.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\dc02cb80ce04c12931090bc81f6e4653a41d2cdcb0804c4c722964eaf0399cd9.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1800365.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0537702.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0742795.exe N/A
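The registry events in the three tables above (Real-Time Protection policy values, the TamperProtection flag and the wextract_cleanup RunOnce entries) can be triaged mechanically. The script below is an added example and is not part of the sandbox report or of the Healer/RedLine samples: the event strings are copied verbatim from the tables, while the parsing regex, the category names and the treatment of wextract_cleanup entries as IExpress self-extractor markers are this example's own. It also assumes the report's column order (operation, key and value, optional data, writing process) and that process paths contain no spaces, which holds for every row on this page.

```python
"""Triage the registry events printed in the report above (added example)."""
import re
from collections import Counter

# Real-Time Protection policy values that switch a Defender feature off when set to 1
# (names as they appear in the report's Real-Time Protection key).
DEFENDER_RTP_DISABLE_VALUES = {
    "DisableBehaviorMonitoring", "DisableIOAVProtection", "DisableOnAccessProtection",
    "DisableRealtimeMonitoring", "DisableScanOnRealtimeEnable",
}

# Constructed input: the report's rows, one per line: <op> <key[\value] [= "data"]> <process>
REPORT_EVENTS = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9213063.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9213063.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9213063.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9213063.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9213063.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9213063.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9213063.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9213063.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2381200.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\dc02cb80ce04c12931090bc81f6e4653a41d2cdcb0804c4c722964eaf0399cd9.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1800365.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0537702.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0742795.exe',
]

# Column layout assumed by this example: the data field is greedy so that quoted
# command lines containing escaped quotes survive; the process path ends the line.
EVENT_RE = re.compile(
    r'^(?P<op>Key created|Key opened|Set value \((?:int|str)\)) '
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?: = "(?P<data>.*)")?'
    r' (?P<proc>[A-Za-z]:\\\S+)$'
)


def parse_event(line):
    """Split one report row into op, key, value, data and writing process."""
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised event line: {line!r}")
    op, path, data, proc = m.group("op", "path", "data", "proc")
    if op.startswith("Set value"):
        key, _, value = path.rpartition("\\")
    else:
        key, value = path, None
    return {"op": op, "key": key, "value": value, "data": data, "process": proc}


def classify(ev):
    """Tag an event with the behaviour it evidences (categories are this example's own)."""
    key, value, data = ev["key"], ev["value"], ev["data"]
    if key.endswith(r"\Windows Defender\Real-Time Protection") and value in DEFENDER_RTP_DISABLE_VALUES and data == "1":
        return "defender_rtp_disabled"
    if key.endswith(r"\Windows Defender\Features") and value == "TamperProtection" and data == "0":
        return "defender_tamper_protection_off"
    if r"\Windows Defender" in key and ev["op"] == "Key created":
        return "defender_key_created"
    # wextract (IExpress self-extractor) registers one RunOnce cleanup entry per
    # extraction directory, so these entries map the nesting of the dropper.
    if key.endswith(r"\CurrentVersion\RunOnce") and value and value.startswith("wextract_cleanup") and "DelNodeRunDLL32" in (data or ""):
        return "iexpress_cleanup_runonce"
    return "other"


def triage(lines=REPORT_EVENTS):
    findings = []
    for line in lines:
        ev = parse_event(line)
        ev["category"] = classify(ev)
        findings.append(ev)
    return findings


def summarize(findings):
    """Counts per category, processes touching Defender, and the extractor chain in order."""
    by_cat = Counter(f["category"] for f in findings)
    actors = {f["process"].rsplit("\\", 1)[-1] for f in findings if f["category"].startswith("defender_")}
    cleanup = sorted(
        (f for f in findings if f["category"] == "iexpress_cleanup_runonce"),
        key=lambda f: int(f["value"][len("wextract_cleanup"):]),
    )
    chain = []
    for f in cleanup:
        target = re.search(r"IXP\d{3}\.TMP", f["data"])
        chain.append((f["process"].rsplit("\\", 1)[-1], target.group(0) if target else None))
    return {"by_category": dict(by_cat), "defender_tamper_actors": sorted(actors), "iexpress_chain": chain}


if __name__ == "__main__":
    for k, v in summarize(triage()).items():
        print(f"{k}: {v}")
```

Run stand-alone, the script attributes every Defender modification to a9213063.exe (the Healer stage) and orders the wextract_cleanup entries into the five-level extractor chain, each level naming the IXP00N.TMP directory it unpacked into. Note that the sandbox records the writes under the WOW6432Node view because the writer is a 32-bit process; whether a given policy value actually took effect on the victim depends on Defender's Tamper Protection state on that host, which the report does not state.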

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1800365.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0537702.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0742795.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2381200.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9213063.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5588832.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dc02cb80ce04c12931090bc81f6e4653a41d2cdcb0804c4c722964eaf0399cd9.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9213063.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9213063.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9213063.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2224 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\dc02cb80ce04c12931090bc81f6e4653a41d2cdcb0804c4c722964eaf0399cd9.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1800365.exe
PID 2224 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\dc02cb80ce04c12931090bc81f6e4653a41d2cdcb0804c4c722964eaf0399cd9.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1800365.exe
PID 2224 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\dc02cb80ce04c12931090bc81f6e4653a41d2cdcb0804c4c722964eaf0399cd9.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1800365.exe
PID 1376 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1800365.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0537702.exe
PID 1376 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1800365.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0537702.exe
PID 1376 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1800365.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0537702.exe
PID 1252 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0537702.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0742795.exe
PID 1252 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0537702.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0742795.exe
PID 1252 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0537702.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0742795.exe
PID 1328 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0742795.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2381200.exe
PID 1328 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0742795.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2381200.exe
PID 1328 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0742795.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2381200.exe
PID 3348 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2381200.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9213063.exe
PID 3348 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2381200.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9213063.exe
PID 3348 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2381200.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9213063.exe
PID 3348 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2381200.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5588832.exe
PID 3348 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2381200.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5588832.exe
PID 3348 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2381200.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5588832.exe
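The WriteProcessMemory rows above list each parent-to-child write three times, which hides the simple shape of the chain. The script below is an added example, not part of the sandbox report or of the samples: the event lines are copied from the table, and the regex, deduplication and tree rendering are this example's own. It assumes the report's fixed row format (PID, target PID, "N/A", source path, target path, no spaces in paths).

```python
"""Rebuild the process tree from the report's WriteProcessMemory rows (added example)."""
import re
from collections import Counter, defaultdict

WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
    r"(?P<src_path>\S+) (?P<dst_path>\S+)$"
)

# Constructed input: the rows exactly as the report prints them.
WPM_EVENTS = [
    r"PID 2224 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\dc02cb80ce04c12931090bc81f6e4653a41d2cdcb0804c4c722964eaf0399cd9.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1800365.exe",
    r"PID 2224 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\dc02cb80ce04c12931090bc81f6e4653a41d2cdcb0804c4c722964eaf0399cd9.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1800365.exe",
    r"PID 2224 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\dc02cb80ce04c12931090bc81f6e4653a41d2cdcb0804c4c722964eaf0399cd9.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1800365.exe",
    r"PID 1376 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1800365.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0537702.exe",
    r"PID 1376 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1800365.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0537702.exe",
    r"PID 1376 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1800365.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0537702.exe",
    r"PID 1252 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0537702.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0742795.exe",
    r"PID 1252 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0537702.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0742795.exe",
    r"PID 1252 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0537702.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0742795.exe",
    r"PID 1328 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0742795.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2381200.exe",
    r"PID 1328 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0742795.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2381200.exe",
    r"PID 1328 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0742795.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2381200.exe",
    r"PID 3348 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2381200.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9213063.exe",
    r"PID 3348 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2381200.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9213063.exe",
    r"PID 3348 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2381200.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9213063.exe",
    r"PID 3348 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2381200.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5588832.exe",
    r"PID 3348 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2381200.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5588832.exe",
    r"PID 3348 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2381200.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5588832.exe",
]


def parse_events(lines):
    """Return (edge -> write count, pid -> image basename); duplicates collapse into the count."""
    edges = Counter()
    names = {}
    for line in lines:
        m = WPM_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        src, dst = int(m["src"]), int(m["dst"])
        edges[(src, dst)] += 1
        names[src] = m["src_path"].rsplit("\\", 1)[-1]
        names[dst] = m["dst_path"].rsplit("\\", 1)[-1]
    return edges, names


def render_tree(edges, names):
    """Indented text tree rooted at every PID that was never written to."""
    children = defaultdict(list)
    parents = {}
    for src, dst in edges:          # Counter preserves first-seen order
        children[src].append(dst)
        parents[dst] = src
    roots = sorted(set(children) - set(parents))
    lines = []

    def walk(pid, depth):
        tag = "" if pid not in parents else f"  ({edges[(parents[pid], pid)]} writes from parent)"
        lines.append(f"{'  ' * depth}{pid} {names[pid]}{tag}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


def chain_depth(edges):
    """Longest parent chain, i.e. how many layers deep the final payloads sit."""
    parents = {dst: src for src, dst in edges}

    def depth(pid):
        d = 0
        while pid in parents:
            pid, d = parents[pid], d + 1
        return d

    return max(depth(p) for p in parents)


if __name__ == "__main__":
    edges, names = parse_events(WPM_EVENTS)
    print("\n".join(render_tree(edges, names)))
    print("chain depth:", chain_depth(edges))
```

The eighteen rows reduce to six edges forming one linear chain of four self-extractor stages that fans out only at the last level, where v2381200.exe launches both a9213063.exe (PID 4060, the process that later modifies Defender and that WerFault.exe is invoked for) and b5588832.exe (PID 1096). Three low-volume writes from each parent into the child it has just started are also what ordinary process creation looks like in this kind of trace, so on their own these rows establish lineage rather than injection.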

Processes

C:\Users\Admin\AppData\Local\Temp\dc02cb80ce04c12931090bc81f6e4653a41d2cdcb0804c4c722964eaf0399cd9.exe

"C:\Users\Admin\AppData\Local\Temp\dc02cb80ce04c12931090bc81f6e4653a41d2cdcb0804c4c722964eaf0399cd9.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1800365.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1800365.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0537702.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0537702.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0742795.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0742795.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2381200.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2381200.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9213063.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9213063.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4060 -ip 4060

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 1092

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5588832.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5588832.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
FI 77.91.124.111:19069 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
FI 77.91.124.111:19069 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
FI 77.91.124.111:19069 tcp
FI 77.91.124.111:19069 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
FI 77.91.124.111:19069 tcp
FI 77.91.124.111:19069 tcp
FI 77.91.124.111:19069 tcp
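Most of the Network rows are reverse (PTR) lookups sent to 8.8.8.8; only the repeated TCP connections to 77.91.124.111:19069 are candidate sample traffic. The script below is an added example, not part of the sandbox report or of the samples: the rows are copied from the table, and the row parsing, the in-addr.arpa reversal and the grouping rules are this example's own. It assumes the table's column order (Country, Destination, optional Domain, Proto) and that rows with no Domain are direct-to-IP connections.

```python
"""Split the report's Network table into direct connections and DNS noise (added example)."""
from collections import Counter

# Constructed input: the Network table as printed; TCP rows carry no Domain column.
NETWORK_ROWS = [
    "US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp",
    "US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp",
    "US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp",
    "US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp",
    "US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp",
    "FI 77.91.124.111:19069 tcp",
    "US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp",
    "US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp",
    "FI 77.91.124.111:19069 tcp",
    "US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp",
    "US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp",
    "FI 77.91.124.111:19069 tcp",
    "FI 77.91.124.111:19069 tcp",
    "US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp",
    "FI 77.91.124.111:19069 tcp",
    "FI 77.91.124.111:19069 tcp",
    "FI 77.91.124.111:19069 tcp",
]


def ptr_name_to_ip(name):
    """'154.239.44.20.in-addr.arpa' -> '20.44.239.154'; None if it is not an IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    labels = name[: -len(suffix)].split(".")
    if len(labels) != 4 or not all(lab.isdigit() and int(lab) <= 255 for lab in labels):
        return None
    return ".".join(reversed(labels))


def summarize_network(rows):
    """Group rows into direct TCP endpoints (with hit counts) and the IPs that were PTR-queried."""
    direct = Counter()
    countries = {}
    ptr_targets = []
    unclassified = []
    for row in rows:
        fields = row.split()
        if len(fields) == 4:
            country, dest, domain, proto = fields
        elif len(fields) == 3:
            country, dest, proto = fields
            domain = None
        else:
            unclassified.append(row)
            continue
        if proto == "udp" and dest.endswith(":53") and domain:
            ip = ptr_name_to_ip(domain)
            ptr_targets.append(ip if ip else domain)   # keep forward lookups as names
        elif proto == "tcp" and domain is None:
            direct[dest] += 1
            countries[dest] = country
        else:
            unclassified.append(row)
    return {
        "direct_tcp": dict(direct),
        "countries": countries,
        "ptr_targets": ptr_targets,
        "unclassified": unclassified,
    }


if __name__ == "__main__":
    for k, v in summarize_network(NETWORK_ROWS).items():
        print(f"{k}: {v}")
```

Seven TCP sessions to a single Finnish endpoint on a high, non-standard port, with no forward DNS query preceding them, is the row worth pivoting on; the report does not say which of the two final-stage processes opened it. The reversed PTR targets (20.44.239.154, 2.23.210.83, 40.126.32.136 and so on) resolve addresses in CDN and Microsoft ranges and are the kind of background lookups a Windows 10 sandbox image produces on its own, so they should not be listed as sample indicators without corroboration.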

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1800365.exe

MD5 b55ad87ef640c7d75d99a9eb142ec35d
SHA1 979b455c0e87ac54aa54d6cc3acf84e8a3eeff73
SHA256 954282ad28a8ec76ccb25f927dbdb230af8c4eac1f6774ad010ddb4b2695fe7e
SHA512 3919a0bcf7e53cd3f28f5f827dbe3c342061cd1c1fdd628a508656f959f267f37994f52b6d39e5947ff3cd2ed72432b4561d6f4abb47817ec273d07546ea12a6

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0537702.exe

MD5 cdeebbf183cff42af59c3064a45a6745
SHA1 870d0575d8e685e9c8f7120ede941440b7155866
SHA256 435594a8a0f4c091777c138a33ea80d797d2f429ef32ed0daccb5a8f41f27267
SHA512 bbff02fcbeea5ab01f435d798913cc46f68f8f5c0bd13804a21820b197128fa73816fbf2e4ee5374aaa54d3be4a0a9284fcf5adc2031dcaa7a88102b6eea5958

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0742795.exe

MD5 624c2e06674925ddbf8bfc9edc5aef49
SHA1 b45310d3b36983d2dde33c5e7d670bb04b2fdf21
SHA256 22f5ffeca42e6f8f7cd8c64f2e33cb88afb3c2d25d95ac9c125375ac562de508
SHA512 fa9df26b4ae55a1745907ff39b70aef28de3413ea752529ba736e587ed8823da44b36c4d95ada3c51601d083dc916c8ba452dd51f24c9bd6609afb81a66c3955

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2381200.exe

MD5 daedbe8b6f2b882a5bf440ca550a36a2
SHA1 d445edfaa610f2dc86f707bb1c0240ae5d926939
SHA256 e14fb7b6793d508b9a1b101c4981cad6a3f4fd22506df24ac9a07b0d4623aa34
SHA512 6a7629542a1dfdb09d34df68a8b852aa72cb9f79bb660b8237c7b30d26e55ad902285662c72446060900ea30685d3d8604524c9cc50f272db97258248ea932fe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9213063.exe

MD5 d164a15a6715b1449e48992e23c75324
SHA1 44f26eca1bdba87ac73a8332637447ad4c65c438
SHA256 200f022205104eec6502c7d015fd321be23848980723e10ca994794b7db82539
SHA512 e98e5d19ffd994190b5f02f5daed75659800e43341ba09828f5ece5d0a5c7054564ea59432c77521e73c65b6996ed04f3dbacf41c1afcc4a400154e85ca4e89c

memory/4060-36-0x00000000024F0000-0x000000000250A000-memory.dmp

memory/4060-37-0x0000000004D20000-0x00000000052C4000-memory.dmp

memory/4060-38-0x0000000002910000-0x0000000002928000-memory.dmp

memory/4060-60-0x0000000002910000-0x0000000002922000-memory.dmp

memory/4060-66-0x0000000002910000-0x0000000002922000-memory.dmp

memory/4060-64-0x0000000002910000-0x0000000002922000-memory.dmp

memory/4060-62-0x0000000002910000-0x0000000002922000-memory.dmp

memory/4060-58-0x0000000002910000-0x0000000002922000-memory.dmp

memory/4060-56-0x0000000002910000-0x0000000002922000-memory.dmp

memory/4060-54-0x0000000002910000-0x0000000002922000-memory.dmp

memory/4060-52-0x0000000002910000-0x0000000002922000-memory.dmp

memory/4060-50-0x0000000002910000-0x0000000002922000-memory.dmp

memory/4060-46-0x0000000002910000-0x0000000002922000-memory.dmp

memory/4060-42-0x0000000002910000-0x0000000002922000-memory.dmp

memory/4060-40-0x0000000002910000-0x0000000002922000-memory.dmp

memory/4060-39-0x0000000002910000-0x0000000002922000-memory.dmp

memory/4060-48-0x0000000002910000-0x0000000002922000-memory.dmp

memory/4060-44-0x0000000002910000-0x0000000002922000-memory.dmp

memory/4060-67-0x0000000000400000-0x00000000006F6000-memory.dmp

memory/4060-69-0x0000000000400000-0x00000000006F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5588832.exe

MD5 da341720b0eacf2badc07aa857fef144
SHA1 7be509c5a7038a34d7f03fa19a1fefb79188658d
SHA256 9c46dd8250a557918b5d62824ee9d61c7a05047cede509e9605077514c3297c7
SHA512 3c05ef2d2c92d40f28d796909a3b93ace2f8e8651f1febeaffc7718c3e8d1e30f84c972be413f05aed9ed42faec679ad965718ead4fe78e929a2011f8b9e5be0

memory/1096-73-0x0000000000C50000-0x0000000000C78000-memory.dmp

memory/1096-74-0x0000000007F20000-0x0000000008538000-memory.dmp

memory/1096-75-0x00000000079B0000-0x00000000079C2000-memory.dmp

memory/1096-76-0x0000000007AE0000-0x0000000007BEA000-memory.dmp

memory/1096-77-0x0000000007A10000-0x0000000007A4C000-memory.dmp

memory/1096-78-0x0000000002E90000-0x0000000002EDC000-memory.dmp