healer | 692e82b585be9ac7cc8c88f2eeb475fcf42fed96a7b5572934f45018a5f7f2d1

Analysis

max time kernel
144s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9296923f571779b37e571b296a597c9c5eb71a0a616bfd3ddab9f7d20c509c24.exe
Size

662KB
MD5

ad556af301bc23d9d68e88347510597a
SHA1

33c98a0a8322aa276c825a76dfbe90eb89adb0ed
SHA256

9296923f571779b37e571b296a597c9c5eb71a0a616bfd3ddab9f7d20c509c24
SHA512

13b7701cdd1b901df94c7c4dafb68bd37949c822aceb29aa55d04bb5084772c9886f9e8de81e4ed221cfb6c44fa101f395120c02d520fc9fcf03e42e2b80303d
SSDEEP

12288:3Mr2y90oQvlJuZN/gE/AT4aV+nD/xybAP5fI8CR5dXyALD8J0v:RyRQvlcND/AT/V+tpP5fVCjdiALYJ0v

Score

10^/10

healer redline mrak dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

mrak

77.91.124.82:19071

Attributes

auth_value
7d9a335ab5dfd42d374867c96fe25302

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

Processes:

resource	yara_rule
behavioral10/memory/1548-21-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i4410075.exe	family_redline
behavioral10/memory/2484-25-0x0000000000100000-0x0000000000130000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

Processes:

x8157062.exex9442367.exeg6603557.exei4410075.exe

pid process

3108 x8157062.exe
3272 x9442367.exe
4288 g6603557.exe
2484 i4410075.exe

pid	process
3108	x8157062.exe
3272	x9442367.exe
4288	g6603557.exe
2484	i4410075.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

9296923f571779b37e571b296a597c9c5eb71a0a616bfd3ddab9f7d20c509c24.exex8157062.exex9442367.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9296923f571779b37e571b296a597c9c5eb71a0a616bfd3ddab9f7d20c509c24.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x8157062.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x9442367.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

g6603557.exe

description pid process target process

PID 4288 set thread context of 1548 4288 g6603557.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2160 4288 WerFault.exe g6603557.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AppLaunch.exe

pid process

1548 AppLaunch.exe
1548 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 1548 AppLaunch.exe

description	pid	process	target process
PID 4288 set thread context of 1548	4288	g6603557.exe	AppLaunch.exe

pid	pid_target	process	target process
2160	4288	WerFault.exe	g6603557.exe

pid	process
1548	AppLaunch.exe
1548	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	1548	AppLaunch.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

9296923f571779b37e571b296a597c9c5eb71a0a616bfd3ddab9f7d20c509c24.exex8157062.exex9442367.exeg6603557.exe

description	pid	process	target process
PID 228 wrote to memory of 3108	228	9296923f571779b37e571b296a597c9c5eb71a0a616bfd3ddab9f7d20c509c24.exe	x8157062.exe
PID 228 wrote to memory of 3108	228	9296923f571779b37e571b296a597c9c5eb71a0a616bfd3ddab9f7d20c509c24.exe	x8157062.exe
PID 228 wrote to memory of 3108	228	9296923f571779b37e571b296a597c9c5eb71a0a616bfd3ddab9f7d20c509c24.exe	x8157062.exe
PID 3108 wrote to memory of 3272	3108	x8157062.exe	x9442367.exe
PID 3108 wrote to memory of 3272	3108	x8157062.exe	x9442367.exe
PID 3108 wrote to memory of 3272	3108	x8157062.exe	x9442367.exe
PID 3272 wrote to memory of 4288	3272	x9442367.exe	g6603557.exe
PID 3272 wrote to memory of 4288	3272	x9442367.exe	g6603557.exe
PID 3272 wrote to memory of 4288	3272	x9442367.exe	g6603557.exe
PID 4288 wrote to memory of 1548	4288	g6603557.exe	AppLaunch.exe
PID 4288 wrote to memory of 1548	4288	g6603557.exe	AppLaunch.exe
PID 4288 wrote to memory of 1548	4288	g6603557.exe	AppLaunch.exe
PID 4288 wrote to memory of 1548	4288	g6603557.exe	AppLaunch.exe
PID 4288 wrote to memory of 1548	4288	g6603557.exe	AppLaunch.exe
PID 4288 wrote to memory of 1548	4288	g6603557.exe	AppLaunch.exe
PID 4288 wrote to memory of 1548	4288	g6603557.exe	AppLaunch.exe
PID 4288 wrote to memory of 1548	4288	g6603557.exe	AppLaunch.exe
PID 3272 wrote to memory of 2484	3272	x9442367.exe	i4410075.exe
PID 3272 wrote to memory of 2484	3272	x9442367.exe	i4410075.exe
PID 3272 wrote to memory of 2484	3272	x9442367.exe	i4410075.exe

C:\Users\Admin\AppData\Local\Temp\9296923f571779b37e571b296a597c9c5eb71a0a616bfd3ddab9f7d20c509c24.exe
"C:\Users\Admin\AppData\Local\Temp\9296923f571779b37e571b296a597c9c5eb71a0a616bfd3ddab9f7d20c509c24.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:228

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8157062.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8157062.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3108

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9442367.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9442367.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3272

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g6603557.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g6603557.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 148
5⤵
- Program crash
PID:2160

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i4410075.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i4410075.exe
4⤵
- Executes dropped EXE
PID:2484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4288 -ip 4288
1⤵
PID:4692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:2372

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8157062.exe
Filesize
440KB

MD5
16654be0a6b9fcc34c39b6e591340fe0

SHA1
be62555eb0ecfceea1dead4cc4374da86d433f73

SHA256
46e8bb0baf56bdb40cb17b8ad98db6d55568622f60c41273c8269b7045a2a209

SHA512
f4ac5c3d704abd49576680e3d483e7ed78ff00755eb0def9009ba8ded67aeae691f5a02c6e8b9ddd0d5ccc936e39f1efe64747d71917a9f41ed07aeb9685f10b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9442367.exe
Filesize
274KB

MD5
0c9441b51f1681088cd920785936c076

SHA1
aa49e5b1b01eb77d4a2db72ed0fb57e89d0ffd51

SHA256
3895ad643b9fb1fd943dc88b1218ab1f9ab229e098eff720b9ac0dacad0a3edf

SHA512
c90dd796609f000fa192abad2fe6e11193d70b59888d1fc259f78536f1c0f079a757df2e09272fa838f228debf22081e6a2e52232400ee469982ebcd56bae355

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g6603557.exe
Filesize
135KB

MD5
748d8130ad48f5c7791666eeeba868db

SHA1
cc5ff50dd58d6f4b2968cd5720e484d584adb18e

SHA256
cc955cfcc6c535c64b2e255386637f87a91821144c766cc17320c7c0b3b8efde

SHA512
daebe7c16a0dfccfa9f86ffe04f58805925a4958be4ffa1455f7376b5026c92f69d3888453ba684c60a7e68d073f7af90e9473af574c3f2ea2d4d3443eecd806

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i4410075.exe
Filesize
176KB

MD5
756f51fcbebaa6ed794be46e0e615858

SHA1
856acc1832bb654eb514b7df1fa882f3c59a097f

SHA256
3f741ae6dfc446f3e5f5ba6282a1245cc4fc847ed7d21303a9b0d8553e194c38

SHA512
b1a7e093bb8cf374c14416181aacaaaa5d8203489954a3b77053dd367b720078bc47eee369dd659a062aa758c5d555547f0d791377416464e5809e279cc183d6

Download Submit
memory/1548-21-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2484-25-0x0000000000100000-0x0000000000130000-memory.dmp

Filesize
192KB

Download
memory/2484-26-0x0000000002450000-0x0000000002456000-memory.dmp

Filesize
24KB

Download
memory/2484-27-0x000000000A3F0000-0x000000000AA08000-memory.dmp

Filesize
6.1MB

Download
memory/2484-28-0x0000000009F70000-0x000000000A07A000-memory.dmp

Filesize
1.0MB

Download
memory/2484-29-0x0000000009EA0000-0x0000000009EB2000-memory.dmp

Filesize
72KB

Download
memory/2484-30-0x0000000009F00000-0x0000000009F3C000-memory.dmp

Filesize
240KB

Download
memory/2484-31-0x000000000A080000-0x000000000A0CC000-memory.dmp

Filesize
304KB

Download