healer | a33c889b1929e9442a2a49de188e05a8ddbddcb32a7231b7c362f6833a45d720

Analysis

max time kernel
142s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 14:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfa156ac28a140cde5b62ac7d594d1000da526091fd584c8e8caa96c692a5bff.exe
Size

862KB
MD5

a85e4b8403f70f8c8c2a4694b484c3a8
SHA1

ee614a34528cda5db2c436bbc77247c3fe213f60
SHA256

dfa156ac28a140cde5b62ac7d594d1000da526091fd584c8e8caa96c692a5bff
SHA512

457c453516d49626c8f0e5e9a446962314e44c1cfa8ae5b50f0fe344590ceb2a20f53936c3d6a6aff9e0379bbe8e0b9afdb3ec994ce1ad0980620919f29b5157
SSDEEP

24576:5yRfeUF4xX+YYKqx+QgmUpqWngJeXUXDH7:ssUF4xXPY5gmRVJeX

Score

10^/10

healer redline kira dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

kira

77.91.68.48:19071

Attributes

auth_value
1677a40fd8997eb89377e1681911e9c6

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

Processes:

resource	yara_rule
behavioral21/memory/528-15-0x00000000004F0000-0x00000000004FA000-memory.dmp	healer
behavioral21/memory/528-19-0x0000000000400000-0x0000000000412000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

k0819028.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k0819028.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k0819028.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k0819028.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k0819028.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k0819028.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k0819028.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral21/memory/1180-25-0x0000000000440000-0x0000000000470000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

y8602197.exek0819028.exel0028896.exe

pid process

3916 y8602197.exe
528 k0819028.exe
1180 l0028896.exe

pid	process
3916	y8602197.exe
528	k0819028.exe
1180	l0028896.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

k0819028.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k0819028.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k0819028.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

dfa156ac28a140cde5b62ac7d594d1000da526091fd584c8e8caa96c692a5bff.exey8602197.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	dfa156ac28a140cde5b62ac7d594d1000da526091fd584c8e8caa96c692a5bff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y8602197.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

k0819028.exe

pid process

528 k0819028.exe
528 k0819028.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

k0819028.exe

description pid process

Token: SeDebugPrivilege 528 k0819028.exe

pid	process
528	k0819028.exe
528	k0819028.exe

description	pid	process
Token: SeDebugPrivilege	528	k0819028.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

dfa156ac28a140cde5b62ac7d594d1000da526091fd584c8e8caa96c692a5bff.exey8602197.exe

description	pid	process	target process
PID 1364 wrote to memory of 3916	1364	dfa156ac28a140cde5b62ac7d594d1000da526091fd584c8e8caa96c692a5bff.exe	y8602197.exe
PID 1364 wrote to memory of 3916	1364	dfa156ac28a140cde5b62ac7d594d1000da526091fd584c8e8caa96c692a5bff.exe	y8602197.exe
PID 1364 wrote to memory of 3916	1364	dfa156ac28a140cde5b62ac7d594d1000da526091fd584c8e8caa96c692a5bff.exe	y8602197.exe
PID 3916 wrote to memory of 528	3916	y8602197.exe	k0819028.exe
PID 3916 wrote to memory of 528	3916	y8602197.exe	k0819028.exe
PID 3916 wrote to memory of 528	3916	y8602197.exe	k0819028.exe
PID 3916 wrote to memory of 1180	3916	y8602197.exe	l0028896.exe
PID 3916 wrote to memory of 1180	3916	y8602197.exe	l0028896.exe
PID 3916 wrote to memory of 1180	3916	y8602197.exe	l0028896.exe

C:\Users\Admin\AppData\Local\Temp\dfa156ac28a140cde5b62ac7d594d1000da526091fd584c8e8caa96c692a5bff.exe
"C:\Users\Admin\AppData\Local\Temp\dfa156ac28a140cde5b62ac7d594d1000da526091fd584c8e8caa96c692a5bff.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1364

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8602197.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8602197.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3916

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0819028.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0819028.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:528

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0028896.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0028896.exe
3⤵
- Executes dropped EXE
PID:1180

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8602197.exe
Filesize
679KB

MD5
38dcff455714bdb17ef60c8709fee41a

SHA1
16eeb79664bf375650e2c86424283481bbd252f1

SHA256
008c5bf896cf5af82ff2acf60395ccac2aafbec1cc9d27b23ea76b99e4fdc63b

SHA512
039d6ea2ef9666a4249580fc9e7dc632becde7f2459d4b3e8d5e7cc8d50610daeca1c88c9399c918c1cf595fda398989b01e43c75f24a1189afe9f2b9c0a073d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0819028.exe
Filesize
530KB

MD5
0b070eaa974b1d0f40b1ff2a74ee5627

SHA1
6b6d5b58512593ed0e01787c9008e233df1ae0cf

SHA256
ac60c61dd7faf3ea6adb47dfacc85552deac06248581476c7f3da4e8e611e1d1

SHA512
e4e1fde5b2d7b5d4ffb9d49ae500c5cd57f20dd104c6ef9d093436f948365e9f134034f0d21272e352b0e5c0679f2db4d92d50a929ea9e046bbdccd84e2846a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0028896.exe
Filesize
692KB

MD5
ca19281e3856a360a4a919d0e18b53c0

SHA1
df6ff057de730f59b6edd9d6e79b53487892bb6d

SHA256
783219954200e5f28c46058a4c247e5d56102d60fe888cf1248d93650a8b64e5

SHA512
6a79e3f5dcb8e2c51ee8bd86ac002d9a59ec06b1f9e212e63f8e91e55db42d686ff3952f0ada7a4fa83c261ad1db295168398393b0dd356ab1d5d9108efb8a55

Download Submit
memory/528-14-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/528-15-0x00000000004F0000-0x00000000004FA000-memory.dmp

Filesize
40KB

Download
memory/528-19-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1180-25-0x0000000000440000-0x0000000000470000-memory.dmp

Filesize
192KB

Download
memory/1180-30-0x0000000001FC0000-0x0000000001FC6000-memory.dmp

Filesize
24KB

Download
memory/1180-31-0x000000000A010000-0x000000000A628000-memory.dmp

Filesize
6.1MB

Download
memory/1180-32-0x000000000A640000-0x000000000A74A000-memory.dmp

Filesize
1.0MB

Download
memory/1180-33-0x000000000A780000-0x000000000A792000-memory.dmp

Filesize
72KB

Download
memory/1180-34-0x000000000A7A0000-0x000000000A7DC000-memory.dmp

Filesize
240KB

Download
memory/1180-35-0x0000000002290000-0x00000000022DC000-memory.dmp

Filesize
304KB

Download