healer | a44d7397ca2486a37cfbc6cd473037b204a5fe4678303dd2f187c814c85f25db

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8865ec3f949ea2778d72427ba8f147c8a4182420bdfdbe11b0a8b53c48b0a95a.exe
Size

472KB
MD5

d6c77aee19125bf471f8b1eb16909cb7
SHA1

0abf3936ab48bba8059d076900ef8c23f9015429
SHA256

8865ec3f949ea2778d72427ba8f147c8a4182420bdfdbe11b0a8b53c48b0a95a
SHA512

88c00e5c2ea2c6157eb31d1b6cd38576760d17538554b948cdb7b24386dea01d6fd2c8e76a508e69e9b6cb76d0cbae8810837d2af5d69b753d03906b9be399db
SSDEEP

12288:sMrcy901CrIPDjItm3uqFGxQx/p03gPZrteZ:4y3rIPDjuXqFGxQx/p1PfeZ

Score

10^/10

healer redline moner dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

moner

77.91.124.82:19071

Attributes

auth_value
a94cd9e01643e1945b296c28a2f28707

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral7/memory/6096-14-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral7/files/0x0007000000023413-17.dat	family_redline
behavioral7/memory/6104-18-0x0000000000560000-0x0000000000590000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
552	x8852769.exe
4752	g4767541.exe
6104	i3973617.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8865ec3f949ea2778d72427ba8f147c8a4182420bdfdbe11b0a8b53c48b0a95a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x8852769.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4752 set thread context of 6096	4752	g4767541.exe	86

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4040	sc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
6096	AppLaunch.exe
6096	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	6096	AppLaunch.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 5556 wrote to memory of 552	5556	8865ec3f949ea2778d72427ba8f147c8a4182420bdfdbe11b0a8b53c48b0a95a.exe	82
PID 5556 wrote to memory of 552	5556	8865ec3f949ea2778d72427ba8f147c8a4182420bdfdbe11b0a8b53c48b0a95a.exe	82
PID 5556 wrote to memory of 552	5556	8865ec3f949ea2778d72427ba8f147c8a4182420bdfdbe11b0a8b53c48b0a95a.exe	82
PID 552 wrote to memory of 4752	552	x8852769.exe	83
PID 552 wrote to memory of 4752	552	x8852769.exe	83
PID 552 wrote to memory of 4752	552	x8852769.exe	83
PID 4752 wrote to memory of 5956	4752	g4767541.exe	85
PID 4752 wrote to memory of 5956	4752	g4767541.exe	85
PID 4752 wrote to memory of 5956	4752	g4767541.exe	85
PID 4752 wrote to memory of 6096	4752	g4767541.exe	86
PID 4752 wrote to memory of 6096	4752	g4767541.exe	86
PID 4752 wrote to memory of 6096	4752	g4767541.exe	86
PID 4752 wrote to memory of 6096	4752	g4767541.exe	86
PID 4752 wrote to memory of 6096	4752	g4767541.exe	86
PID 4752 wrote to memory of 6096	4752	g4767541.exe	86
PID 4752 wrote to memory of 6096	4752	g4767541.exe	86
PID 4752 wrote to memory of 6096	4752	g4767541.exe	86
PID 552 wrote to memory of 6104	552	x8852769.exe	87
PID 552 wrote to memory of 6104	552	x8852769.exe	87
PID 552 wrote to memory of 6104	552	x8852769.exe	87

C:\Users\Admin\AppData\Local\Temp\8865ec3f949ea2778d72427ba8f147c8a4182420bdfdbe11b0a8b53c48b0a95a.exe
"C:\Users\Admin\AppData\Local\Temp\8865ec3f949ea2778d72427ba8f147c8a4182420bdfdbe11b0a8b53c48b0a95a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5556
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8852769.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8852769.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:552
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4767541.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4767541.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4752
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:5956
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:6096
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i3973617.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i3973617.exe
    3⤵
    - Executes dropped EXE
    PID:6104

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:4040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8852769.exe

Filesize
306KB

MD5
f661c89f5a8c3c5272046c13c6542e06

SHA1
65c9b5cd6dfd367a9df5d0cbee994d2b8b508dae

SHA256
05f08598ca77f10597efa9b68be4157d5260c1451b2d35aad53b055ab8b6d01f

SHA512
af4c1d62321f42d939e401215a9474ce52928ad75496403851762ca184b6565b4bebf91d3282419b4829ad6bf4a897afe380fbbb6a19716c315791f3e004035a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4767541.exe

Filesize
213KB

MD5
5a4a985aff50d94b9f53f26daaff1d12

SHA1
03cb66e7e4f618dd961e9eed3320513ec19f735f

SHA256
90ae615b3a9f1b8fe5a09eabacca08c437fd0d633be45c45436bfc4f700d5a12

SHA512
aaefed90ca9d13b41d5a4368f466ea7f021ba28ca49965786ebb42b1d3459b00c4f96bc5a4641b37ee4879b07412ec0632dcd5b99bfdcb595d07a2c424c374c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i3973617.exe

Filesize
175KB

MD5
1f4d882b945c37036eca29f2dfa08c6a

SHA1
c6765a776fd4b2ac3d929fd80a3636f355d16041

SHA256
8b7fb0e044f87fac31afc33bc134a52b6942a62441979791e00967e42d184112

SHA512
7ce0ee3391f99e7fc092fc3bc09b93ecd731e0b31d265d9f256d6adbe90f85902ee622de1048f668ab374755c94539e892634412c3a7fb0ed72669bcd03a1b83

Download Submit
memory/6096-14-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/6104-18-0x0000000000560000-0x0000000000590000-memory.dmp

Filesize
192KB

Download
memory/6104-19-0x00000000027F0000-0x00000000027F6000-memory.dmp

Filesize
24KB

Download
memory/6104-20-0x0000000005540000-0x0000000005B58000-memory.dmp

Filesize
6.1MB

Download
memory/6104-21-0x0000000005030000-0x000000000513A000-memory.dmp

Filesize
1.0MB

Download
memory/6104-22-0x0000000004DE0000-0x0000000004DF2000-memory.dmp

Filesize
72KB

Download
memory/6104-23-0x0000000004F60000-0x0000000004F9C000-memory.dmp

Filesize
240KB

Download
memory/6104-24-0x0000000004FA0000-0x0000000004FEC000-memory.dmp

Filesize
304KB

Download