healer | 9e6840bd3bfa0c2d9dfc16193a3b67abf16bf84ffe374e1276540d1b8f3dd9fc

Analysis

max time kernel
143s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a62172ecf9e400da1d1e36aec9ad750_NeikiAnalytics.exe
Size

539KB
MD5

0a62172ecf9e400da1d1e36aec9ad750
SHA1

be2da4c89ce1379381587b261cb128b2dfbd05ea
SHA256

9e6840bd3bfa0c2d9dfc16193a3b67abf16bf84ffe374e1276540d1b8f3dd9fc
SHA512

e1006419e103d629277090c24d892efb8e60304bbc578266dd8ee87a1d13f437ebca5e4a872b28f20124efc9c16873e0caecedea685a8ce084213507be25b215
SSDEEP

12288:FQCy90Yh85xXh8uOm0i8TmUSMYPOsjmMrTF3VHp7:3y3h4tOGPOsjxF/

Score

10^/10

healer redline down dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

down

193.233.20.31:4125

Attributes

auth_value
12c31a90c72f5efae8c053a0bd339381

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023409-13.dat	healer
behavioral1/memory/4688-14-0x0000000000100000-0x000000000010A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	jr843883.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	jr843883.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	jr843883.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	jr843883.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	jr843883.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	jr843883.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/4548-21-0x00000000049B0000-0x00000000049F6000-memory.dmp	family_redline
behavioral1/memory/4548-23-0x00000000072B0000-0x00000000072F4000-memory.dmp	family_redline
behavioral1/memory/4548-27-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-33-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-31-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-29-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-61-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-51-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-41-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-25-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-24-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-37-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-87-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-85-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-83-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-81-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-79-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-77-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-75-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-73-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-71-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-69-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-67-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-65-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-63-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-59-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-57-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-55-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-53-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-49-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-47-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-45-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-43-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-39-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-35-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
2164	zioS8112.exe
4688	jr843883.exe
4548	ku603074.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	jr843883.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0a62172ecf9e400da1d1e36aec9ad750_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zioS8112.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4688	jr843883.exe
4688	jr843883.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4688	jr843883.exe
Token: SeDebugPrivilege	4548	ku603074.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 2164	1696	0a62172ecf9e400da1d1e36aec9ad750_NeikiAnalytics.exe	84
PID 1696 wrote to memory of 2164	1696	0a62172ecf9e400da1d1e36aec9ad750_NeikiAnalytics.exe	84
PID 1696 wrote to memory of 2164	1696	0a62172ecf9e400da1d1e36aec9ad750_NeikiAnalytics.exe	84
PID 2164 wrote to memory of 4688	2164	zioS8112.exe	85
PID 2164 wrote to memory of 4688	2164	zioS8112.exe	85
PID 2164 wrote to memory of 4548	2164	zioS8112.exe	94
PID 2164 wrote to memory of 4548	2164	zioS8112.exe	94
PID 2164 wrote to memory of 4548	2164	zioS8112.exe	94

C:\Users\Admin\AppData\Local\Temp\0a62172ecf9e400da1d1e36aec9ad750_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0a62172ecf9e400da1d1e36aec9ad750_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zioS8112.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zioS8112.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr843883.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr843883.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4688
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku603074.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku603074.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zioS8112.exe

Filesize
396KB

MD5
c7862c80a78bedc7318792a04865087f

SHA1
7f8b619d60ac89da3d212db71a0753d4bc0b3cf0

SHA256
8402d3c51804699a1dad4e6f5cfcea8aa91cdc812c0ec0ed944641a655a4dcdb

SHA512
da92687f4ba21a7a40daced52fea13c5219eedbb39859120c76b87c367df1256d6858af7312e8e32376415b432432aaa20169c5679b319a8f3a5d2d44798d59e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr843883.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku603074.exe

Filesize
355KB

MD5
3ec1f598da845cd62d13f4e94d836892

SHA1
a7e298c415a068e7b0f5ec114e7066ef883ed31d

SHA256
73b52cf52d7a8813ab1e45d686ceb741944df779ebcec5916c8bb97d03365798

SHA512
bbd3f0e6d9af08f0a6bc245653144fdea533ca8b1cff912413142e9e8cf4444e058796ddfa87fa9742f2ea50fc9e3ab4e1205ecb8e35f2e9a1e5f4dff349cb25

Download Submit
memory/4548-79-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-22-0x0000000007310000-0x00000000078B4000-memory.dmp

Filesize
5.6MB

Download
memory/4548-21-0x00000000049B0000-0x00000000049F6000-memory.dmp

Filesize
280KB

Download
memory/4548-75-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-23-0x00000000072B0000-0x00000000072F4000-memory.dmp

Filesize
272KB

Download
memory/4548-27-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-33-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-31-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-29-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-61-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-51-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-41-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-25-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-24-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-37-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-73-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-85-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-83-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-81-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-934-0x0000000008250000-0x000000000829C000-memory.dmp

Filesize
304KB

Download
memory/4548-933-0x0000000008100000-0x000000000813C000-memory.dmp

Filesize
240KB

Download
memory/4548-77-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-87-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-71-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-69-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-67-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-65-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-63-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-59-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-57-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-55-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-53-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-49-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-47-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-45-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-43-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-39-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-35-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-930-0x0000000007900000-0x0000000007F18000-memory.dmp

Filesize
6.1MB

Download
memory/4548-931-0x0000000007FA0000-0x00000000080AA000-memory.dmp

Filesize
1.0MB

Download
memory/4548-932-0x00000000080E0000-0x00000000080F2000-memory.dmp

Filesize
72KB

Download
memory/4688-15-0x00007FFF0B0E3000-0x00007FFF0B0E5000-memory.dmp

Filesize
8KB

Download
memory/4688-14-0x0000000000100000-0x000000000010A000-memory.dmp

Filesize
40KB

Download