healer | 45e94c10bbc148cc1f0e810ef4a64b3b2814960515bbe6c69d8570dde960e0b2

Analysis

max time kernel
142s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 11:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab1944db7df59717e8b318a32f59870d54e081f919a261fe3ba94f98287e65fc.exe
Size

863KB
MD5

9c07b9eafa5a6c98981382e139e61f33
SHA1

527012dc267ef2c160554ec2d63bb3bf498b8a87
SHA256

ab1944db7df59717e8b318a32f59870d54e081f919a261fe3ba94f98287e65fc
SHA512

3daa673fa19e3d0a05c2fc6bda3a3f51b01914ca1a4bef6a0ff7f9f883a6a3e2c86efe8e09e0236e516a729cb59150c0a01674a1a5ee6e43065fadb9dd4b1100
SSDEEP

12288:rMr7y90d2ekv6Oxnq/+4Drb0zHtcMicaYe3vzbB2sfWT4MQSWXH0tKOejh971gq8:4ymGvKpHyaNZXM3QSQt5QZXK8b

Score

10^/10

healer redline kira dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

kira

77.91.68.48:19071

Attributes

auth_value
1677a40fd8997eb89377e1681911e9c6

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral14/memory/1508-15-0x00000000004F0000-0x00000000004FA000-memory.dmp	healer
behavioral14/memory/1508-19-0x0000000000400000-0x0000000000412000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k2137346.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k2137346.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k2137346.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k2137346.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k2137346.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k2137346.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral14/memory/3776-25-0x0000000000520000-0x0000000000550000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
60	y5615045.exe
1508	k2137346.exe
3776	l6404013.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k2137346.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k2137346.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ab1944db7df59717e8b318a32f59870d54e081f919a261fe3ba94f98287e65fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y5615045.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1508	k2137346.exe
1508	k2137346.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1508	k2137346.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 60	1772	ab1944db7df59717e8b318a32f59870d54e081f919a261fe3ba94f98287e65fc.exe	89
PID 1772 wrote to memory of 60	1772	ab1944db7df59717e8b318a32f59870d54e081f919a261fe3ba94f98287e65fc.exe	89
PID 1772 wrote to memory of 60	1772	ab1944db7df59717e8b318a32f59870d54e081f919a261fe3ba94f98287e65fc.exe	89
PID 60 wrote to memory of 1508	60	y5615045.exe	90
PID 60 wrote to memory of 1508	60	y5615045.exe	90
PID 60 wrote to memory of 1508	60	y5615045.exe	90
PID 60 wrote to memory of 3776	60	y5615045.exe	99
PID 60 wrote to memory of 3776	60	y5615045.exe	99
PID 60 wrote to memory of 3776	60	y5615045.exe	99

C:\Users\Admin\AppData\Local\Temp\ab1944db7df59717e8b318a32f59870d54e081f919a261fe3ba94f98287e65fc.exe
"C:\Users\Admin\AppData\Local\Temp\ab1944db7df59717e8b318a32f59870d54e081f919a261fe3ba94f98287e65fc.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5615045.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5615045.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:60
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2137346.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2137346.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1508
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6404013.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6404013.exe
    3⤵
    - Executes dropped EXE
    PID:3776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4224,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=3764 /prefetch:8
1⤵
PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5615045.exe

Filesize
679KB

MD5
970daa7c12af3771c4198db2c1540f9b

SHA1
c121ce7f78dcffa3f9685371d5cec9b752147d4c

SHA256
1e52cce284dd0d357b0e59c03540eeeae8d3640cff7dd0486e577088af344288

SHA512
e18d0fea2c28c32ce9108b65e6fd1cb2674b19de7cd8f8128ceef7f4191e855709d6e7676acdefaf398369a4aef48a38335884e9bee86c45a075dd6b8c77fecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2137346.exe

Filesize
530KB

MD5
109963d0c4cca44ae7c3836f2864ed68

SHA1
49b63ad4a47c4d4fc3b0bdf93cac89e53603f95a

SHA256
73da900de8c9aa6086d7005e2168f53b428e6682fe916412ebf9dc1a6deedc7e

SHA512
ae6d9f4f478dc686a4cfef8036cdcecafb4152c79b19f40993713c2075719ee244cdf749fd2822a402fc3780da49661b5ba5c5b0ac58c989bc0d217ff48e7323

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6404013.exe

Filesize
692KB

MD5
71d342f971de908d1f5e9f5e13709d7c

SHA1
46655f7428b46f49b437e28b2b4e0528f24ebe6c

SHA256
2f6723f3ca763621df4ed5bc7dc3663d4b45ae2e69a8ac5f2bfc1e20ab677335

SHA512
9de5d14d7664a5ab8dd9eb476dfaf6c3a49e12a2a862bba825009d29319c4cbfb9a790129e82fc817d0c7cecdfe760778a56449c71026f1860a0d2f2bc22cf88

Download Submit
memory/1508-14-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/1508-15-0x00000000004F0000-0x00000000004FA000-memory.dmp

Filesize
40KB

Download
memory/1508-19-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3776-25-0x0000000000520000-0x0000000000550000-memory.dmp

Filesize
192KB

Download
memory/3776-30-0x00000000008C0000-0x00000000008C6000-memory.dmp

Filesize
24KB

Download
memory/3776-31-0x0000000005110000-0x0000000005728000-memory.dmp

Filesize
6.1MB

Download
memory/3776-32-0x0000000004AF0000-0x0000000004BFA000-memory.dmp

Filesize
1.0MB

Download
memory/3776-33-0x0000000004C00000-0x0000000004C12000-memory.dmp

Filesize
72KB

Download
memory/3776-34-0x0000000004C20000-0x0000000004C5C000-memory.dmp

Filesize
240KB

Download
memory/3776-35-0x0000000004CC0000-0x0000000004D0C000-memory.dmp

Filesize
304KB

Download