healer | 1aa612c673e0e8506776c3b8740894f0947bb33bd7b5f22dc14212289801a024

Analysis

max time kernel
142s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2754139a8485fbf1b2e0b164393e54175366ed15e96929b58676edf2271759f3.exe
Size

488KB
MD5

b4456f54d46a916c787fee11c2735e5e
SHA1

3386c3cc568dd8a18630c83d0290a291ba4d4768
SHA256

2754139a8485fbf1b2e0b164393e54175366ed15e96929b58676edf2271759f3
SHA512

d89d7cc89c1cdc5c3c57cc88ed1703debdd71c8dbfe54f88969e7c9d779e4b63b69dbf920da74d6ea25026a26eacd5366898a14a9a68f0b82aaf68cd89450d89
SSDEEP

12288:6MrMy90Ra4LuBX9x408STlV23wI0wosCZa:Sy1hX9eSL2AI0hsCZa

Score

10^/10

healer redline virad dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

virad

77.91.124.82:19071

Attributes

auth_value
434dd63619ca8bbf10125913fb40ca28

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

Processes:

resource	yara_rule
behavioral4/memory/2140-14-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i8891989.exe	family_redline
behavioral4/memory/3956-19-0x00000000002D0000-0x0000000000300000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

x6894777.exeg7366959.exei8891989.exe

pid process

3804 x6894777.exe
3516 g7366959.exe
3956 i8891989.exe

pid	process
3804	x6894777.exe
3516	g7366959.exe
3956	i8891989.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2754139a8485fbf1b2e0b164393e54175366ed15e96929b58676edf2271759f3.exex6894777.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2754139a8485fbf1b2e0b164393e54175366ed15e96929b58676edf2271759f3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x6894777.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

g7366959.exe

description pid process target process

PID 3516 set thread context of 2140 3516 g7366959.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3256 3516 WerFault.exe g7366959.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AppLaunch.exe

pid process

2140 AppLaunch.exe
2140 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 2140 AppLaunch.exe

description	pid	process	target process
PID 3516 set thread context of 2140	3516	g7366959.exe	AppLaunch.exe

pid	pid_target	process	target process
3256	3516	WerFault.exe	g7366959.exe

pid	process
2140	AppLaunch.exe
2140	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	2140	AppLaunch.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

2754139a8485fbf1b2e0b164393e54175366ed15e96929b58676edf2271759f3.exex6894777.exeg7366959.exe

description	pid	process	target process
PID 1648 wrote to memory of 3804	1648	2754139a8485fbf1b2e0b164393e54175366ed15e96929b58676edf2271759f3.exe	x6894777.exe
PID 1648 wrote to memory of 3804	1648	2754139a8485fbf1b2e0b164393e54175366ed15e96929b58676edf2271759f3.exe	x6894777.exe
PID 1648 wrote to memory of 3804	1648	2754139a8485fbf1b2e0b164393e54175366ed15e96929b58676edf2271759f3.exe	x6894777.exe
PID 3804 wrote to memory of 3516	3804	x6894777.exe	g7366959.exe
PID 3804 wrote to memory of 3516	3804	x6894777.exe	g7366959.exe
PID 3804 wrote to memory of 3516	3804	x6894777.exe	g7366959.exe
PID 3516 wrote to memory of 2140	3516	g7366959.exe	AppLaunch.exe
PID 3516 wrote to memory of 2140	3516	g7366959.exe	AppLaunch.exe
PID 3516 wrote to memory of 2140	3516	g7366959.exe	AppLaunch.exe
PID 3516 wrote to memory of 2140	3516	g7366959.exe	AppLaunch.exe
PID 3516 wrote to memory of 2140	3516	g7366959.exe	AppLaunch.exe
PID 3516 wrote to memory of 2140	3516	g7366959.exe	AppLaunch.exe
PID 3516 wrote to memory of 2140	3516	g7366959.exe	AppLaunch.exe
PID 3516 wrote to memory of 2140	3516	g7366959.exe	AppLaunch.exe
PID 3804 wrote to memory of 3956	3804	x6894777.exe	i8891989.exe
PID 3804 wrote to memory of 3956	3804	x6894777.exe	i8891989.exe
PID 3804 wrote to memory of 3956	3804	x6894777.exe	i8891989.exe

C:\Users\Admin\AppData\Local\Temp\2754139a8485fbf1b2e0b164393e54175366ed15e96929b58676edf2271759f3.exe
"C:\Users\Admin\AppData\Local\Temp\2754139a8485fbf1b2e0b164393e54175366ed15e96929b58676edf2271759f3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1648

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6894777.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6894777.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3804

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7366959.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7366959.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 148
4⤵
- Program crash
PID:3256

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i8891989.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i8891989.exe
3⤵
- Executes dropped EXE
PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3516 -ip 3516
1⤵
PID:228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
1⤵
PID:680

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6894777.exe
Filesize
322KB

MD5
357c9d1b11bb54f0ceee235e799a57f0

SHA1
768fdee562dcfc3d75b5776a20fae7ef21de5365

SHA256
b586c245950108152ecaa3de4d096bce7c135b1728e239f41d77addae714d719

SHA512
c276bc9647542e9e1547306e93130f6e2c01e0e16f28589b48fe9cb6d03e4da6fe0a32eb7b3d026e9b9e757139297fdfaad5e8f302d07993e8eeff2dbb127188

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7366959.exe
Filesize
228KB

MD5
9bfd0a60c784aa4c49a35bfe5d05e239

SHA1
9fab6ca87c5fe550fca76942b029f858dc694fb7

SHA256
e8b0c37aa06e643d671d14772d1e0171e483a50effebb40e4bb4a4ffdcd91ab8

SHA512
06e7bdb928632f5448b2df78188aa7cf4a9a1d1843d7930f0a2226becf56c1f8925f7294d297e9e9aa914aed96325adb504d23a4e8f885fbcac4040d1a2c46c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i8891989.exe
Filesize
175KB

MD5
5dc41ff83ff2780d1205fb71ac826c24

SHA1
2285a27913b0fa18f5d3642a73de9e8a6a54eb52

SHA256
b7c282b7d35a72e352057fb6972e1f085c12528660cbdb4938a4df85723793fc

SHA512
69dc5891313039573e938baf311a7ae25bdd15671f1ac9f7e2ddd04145e06fb886206b072f611782d6ab13175414653c1306cab2f7fce03a12c88a9255e7f794

Download Submit
memory/2140-14-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2140-15-0x00000000742DE000-0x00000000742DF000-memory.dmp

Filesize
4KB

Download
memory/3956-19-0x00000000002D0000-0x0000000000300000-memory.dmp

Filesize
192KB

Download
memory/3956-20-0x0000000000D10000-0x0000000000D16000-memory.dmp

Filesize
24KB

Download
memory/3956-21-0x000000000A690000-0x000000000ACA8000-memory.dmp

Filesize
6.1MB

Download
memory/3956-22-0x000000000A180000-0x000000000A28A000-memory.dmp

Filesize
1.0MB

Download
memory/3956-23-0x000000000A090000-0x000000000A0A2000-memory.dmp

Filesize
72KB

Download
memory/3956-24-0x000000000A0F0000-0x000000000A12C000-memory.dmp

Filesize
240KB

Download
memory/3956-25-0x000000000A130000-0x000000000A17C000-memory.dmp

Filesize
304KB

Download