healer | 4d6cd430745d0a70438a5a22ba7296f2d8e9e4f77971f0a4242841f32e11609c

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2024 22:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d6cd430745d0a70438a5a22ba7296f2d8e9e4f77971f0a4242841f32e11609c.exe
Size

657KB
MD5

e79eb1a5050b2992234fed03bb05326f
SHA1

66851ffdf1b9974c9d360cd1d3c1b33cb295dd1c
SHA256

4d6cd430745d0a70438a5a22ba7296f2d8e9e4f77971f0a4242841f32e11609c
SHA512

d0b6bd60dddd8fb61096a885d20dbfc5a0d4f05e1c7be49fd4df4b52eb43315595fb3c52f207bf7f4e349ebce9e5011927e17aa8fd26957e7dc8c668d779c04c
SSDEEP

12288:aMrWy90gvWIE9cbnxj+sY06GY8yfKIjSZud4bC5l7LIU+ECZxV/Wn6Dt:4yTvL5bxqiifhLLn+ECzft

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1368-18-0x0000000004940000-0x000000000495A000-memory.dmp	healer
behavioral1/memory/1368-20-0x0000000004B50000-0x0000000004B68000-memory.dmp	healer
behavioral1/memory/1368-48-0x0000000004B50000-0x0000000004B62000-memory.dmp	healer
behavioral1/memory/1368-46-0x0000000004B50000-0x0000000004B62000-memory.dmp	healer
behavioral1/memory/1368-44-0x0000000004B50000-0x0000000004B62000-memory.dmp	healer
behavioral1/memory/1368-42-0x0000000004B50000-0x0000000004B62000-memory.dmp	healer
behavioral1/memory/1368-40-0x0000000004B50000-0x0000000004B62000-memory.dmp	healer
behavioral1/memory/1368-38-0x0000000004B50000-0x0000000004B62000-memory.dmp	healer
behavioral1/memory/1368-36-0x0000000004B50000-0x0000000004B62000-memory.dmp	healer
behavioral1/memory/1368-34-0x0000000004B50000-0x0000000004B62000-memory.dmp	healer
behavioral1/memory/1368-32-0x0000000004B50000-0x0000000004B62000-memory.dmp	healer
behavioral1/memory/1368-30-0x0000000004B50000-0x0000000004B62000-memory.dmp	healer
behavioral1/memory/1368-28-0x0000000004B50000-0x0000000004B62000-memory.dmp	healer
behavioral1/memory/1368-26-0x0000000004B50000-0x0000000004B62000-memory.dmp	healer
behavioral1/memory/1368-24-0x0000000004B50000-0x0000000004B62000-memory.dmp	healer
behavioral1/memory/1368-22-0x0000000004B50000-0x0000000004B62000-memory.dmp	healer
behavioral1/memory/1368-21-0x0000000004B50000-0x0000000004B62000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

pro5258.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro5258.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro5258.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro5258.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro5258.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro5258.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro5258.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4624-60-0x00000000070D0000-0x0000000007116000-memory.dmp	family_redline
behavioral1/memory/4624-61-0x0000000007190000-0x00000000071D4000-memory.dmp	family_redline
behavioral1/memory/4624-95-0x0000000007190000-0x00000000071CF000-memory.dmp	family_redline
behavioral1/memory/4624-93-0x0000000007190000-0x00000000071CF000-memory.dmp	family_redline
behavioral1/memory/4624-91-0x0000000007190000-0x00000000071CF000-memory.dmp	family_redline
behavioral1/memory/4624-89-0x0000000007190000-0x00000000071CF000-memory.dmp	family_redline
behavioral1/memory/4624-87-0x0000000007190000-0x00000000071CF000-memory.dmp	family_redline
behavioral1/memory/4624-85-0x0000000007190000-0x00000000071CF000-memory.dmp	family_redline
behavioral1/memory/4624-83-0x0000000007190000-0x00000000071CF000-memory.dmp	family_redline
behavioral1/memory/4624-81-0x0000000007190000-0x00000000071CF000-memory.dmp	family_redline
behavioral1/memory/4624-79-0x0000000007190000-0x00000000071CF000-memory.dmp	family_redline
behavioral1/memory/4624-77-0x0000000007190000-0x00000000071CF000-memory.dmp	family_redline
behavioral1/memory/4624-75-0x0000000007190000-0x00000000071CF000-memory.dmp	family_redline
behavioral1/memory/4624-73-0x0000000007190000-0x00000000071CF000-memory.dmp	family_redline
behavioral1/memory/4624-71-0x0000000007190000-0x00000000071CF000-memory.dmp	family_redline
behavioral1/memory/4624-69-0x0000000007190000-0x00000000071CF000-memory.dmp	family_redline
behavioral1/memory/4624-67-0x0000000007190000-0x00000000071CF000-memory.dmp	family_redline
behavioral1/memory/4624-65-0x0000000007190000-0x00000000071CF000-memory.dmp	family_redline
behavioral1/memory/4624-63-0x0000000007190000-0x00000000071CF000-memory.dmp	family_redline
behavioral1/memory/4624-62-0x0000000007190000-0x00000000071CF000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

un171405.exepro5258.exequ1650.exe

pid process

3168 un171405.exe
1368 pro5258.exe
4624 qu1650.exe

pid	process
3168	un171405.exe
1368	pro5258.exe
4624	qu1650.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

pro5258.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro5258.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro5258.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

4d6cd430745d0a70438a5a22ba7296f2d8e9e4f77971f0a4242841f32e11609c.exeun171405.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4d6cd430745d0a70438a5a22ba7296f2d8e9e4f77971f0a4242841f32e11609c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un171405.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3684 1368 WerFault.exe pro5258.exe

pid	pid_target	process	target process
3684	1368	WerFault.exe	pro5258.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

un171405.exepro5258.exequ1650.exe4d6cd430745d0a70438a5a22ba7296f2d8e9e4f77971f0a4242841f32e11609c.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un171405.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pro5258.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu1650.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4d6cd430745d0a70438a5a22ba7296f2d8e9e4f77971f0a4242841f32e11609c.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pro5258.exe

pid process

1368 pro5258.exe
1368 pro5258.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pro5258.exequ1650.exe

description pid process

Token: SeDebugPrivilege 1368 pro5258.exe
Token: SeDebugPrivilege 4624 qu1650.exe

pid	process
1368	pro5258.exe
1368	pro5258.exe

description	pid	process
Token: SeDebugPrivilege	1368	pro5258.exe
Token: SeDebugPrivilege	4624	qu1650.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

4d6cd430745d0a70438a5a22ba7296f2d8e9e4f77971f0a4242841f32e11609c.exeun171405.exe

description	pid	process	target process
PID 2128 wrote to memory of 3168	2128	4d6cd430745d0a70438a5a22ba7296f2d8e9e4f77971f0a4242841f32e11609c.exe	un171405.exe
PID 2128 wrote to memory of 3168	2128	4d6cd430745d0a70438a5a22ba7296f2d8e9e4f77971f0a4242841f32e11609c.exe	un171405.exe
PID 2128 wrote to memory of 3168	2128	4d6cd430745d0a70438a5a22ba7296f2d8e9e4f77971f0a4242841f32e11609c.exe	un171405.exe
PID 3168 wrote to memory of 1368	3168	un171405.exe	pro5258.exe
PID 3168 wrote to memory of 1368	3168	un171405.exe	pro5258.exe
PID 3168 wrote to memory of 1368	3168	un171405.exe	pro5258.exe
PID 3168 wrote to memory of 4624	3168	un171405.exe	qu1650.exe
PID 3168 wrote to memory of 4624	3168	un171405.exe	qu1650.exe
PID 3168 wrote to memory of 4624	3168	un171405.exe	qu1650.exe

C:\Users\Admin\AppData\Local\Temp\4d6cd430745d0a70438a5a22ba7296f2d8e9e4f77971f0a4242841f32e11609c.exe
"C:\Users\Admin\AppData\Local\Temp\4d6cd430745d0a70438a5a22ba7296f2d8e9e4f77971f0a4242841f32e11609c.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2128

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un171405.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un171405.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3168

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5258.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5258.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 1080
4⤵
- Program crash
PID:3684

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1650.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1650.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1368 -ip 1368
1⤵
PID:4816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un171405.exe

Filesize
515KB

MD5
d9da1c7196005451e43dee1f97de4179

SHA1
6afa8c5973d3b72ee3bc21a5ef9c4cbab4cddab2

SHA256
26e3af16da4f17269c0a1bfee2b4e3dc97f57111be8f17d68acda6103c8805ac

SHA512
29e28149a3d9453c36c1dcf2a98bd7e572497048189b4c9a7f1968c6bc87039dff018e87425b43e4a9c6572c1dc1c2ff222095a74f8ff93cbaba010087f135ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5258.exe

Filesize
295KB

MD5
a156e7e6e03e30ba070c4b8ac1b79cb2

SHA1
7961949997169d2422622f88e85ddeaaa1791076

SHA256
1eb6225df424a81b078cf3a679d9a73736482a908a6c020d3c4b131a1e1e48c0

SHA512
f29ab295ea357eb162c95009ed77b6c6854853f83745096b0c60b0397b9961cb5d05773ed5518e9f69a02dadd6e09b5c7d3b54092d7b36784cb5f584b47226a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1650.exe

Filesize
354KB

MD5
1de223ace33a23bd4861033069be92a5

SHA1
4205bfd01e057956168bc983e7fc1ac45c2a4514

SHA256
6d37a40f8e0aa5aea67c2c99fdc3cdfd175a2799161601d5ee1514334980bb03

SHA512
4cded42e48dae55d6ca11ee58f10f2ef67300a84c66b9ee53250fee3f1f8c0c824592544837de074b71e93a8a4a6a8cc567e2d74f33a404da6fe27f8383901b2

Download Submit
memory/1368-15-0x0000000002F30000-0x0000000003030000-memory.dmp

Filesize
1024KB

Download
memory/1368-16-0x0000000002CD0000-0x0000000002CFD000-memory.dmp

Filesize
180KB

Download
memory/1368-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1368-18-0x0000000004940000-0x000000000495A000-memory.dmp

Filesize
104KB

Download
memory/1368-19-0x00000000071F0000-0x0000000007794000-memory.dmp

Filesize
5.6MB

Download
memory/1368-20-0x0000000004B50000-0x0000000004B68000-memory.dmp

Filesize
96KB

Download
memory/1368-48-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/1368-46-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/1368-44-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/1368-42-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/1368-40-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/1368-38-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/1368-36-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/1368-34-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/1368-32-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/1368-30-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/1368-28-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/1368-26-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/1368-24-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/1368-22-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/1368-21-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/1368-49-0x0000000002F30000-0x0000000003030000-memory.dmp

Filesize
1024KB

Download
memory/1368-50-0x0000000002CD0000-0x0000000002CFD000-memory.dmp

Filesize
180KB

Download
memory/1368-52-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1368-51-0x0000000000400000-0x0000000002B78000-memory.dmp

Filesize
39.5MB

Download
memory/1368-55-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1368-54-0x0000000000400000-0x0000000002B78000-memory.dmp

Filesize
39.5MB

Download
memory/4624-60-0x00000000070D0000-0x0000000007116000-memory.dmp

Filesize
280KB

Download
memory/4624-61-0x0000000007190000-0x00000000071D4000-memory.dmp

Filesize
272KB

Download
memory/4624-95-0x0000000007190000-0x00000000071CF000-memory.dmp

Filesize
252KB

Download
memory/4624-93-0x0000000007190000-0x00000000071CF000-memory.dmp

Filesize
252KB

Download
memory/4624-91-0x0000000007190000-0x00000000071CF000-memory.dmp

Filesize
252KB

Download
memory/4624-89-0x0000000007190000-0x00000000071CF000-memory.dmp

Filesize
252KB

Download
memory/4624-87-0x0000000007190000-0x00000000071CF000-memory.dmp

Filesize
252KB

Download
memory/4624-85-0x0000000007190000-0x00000000071CF000-memory.dmp

Filesize
252KB

Download
memory/4624-83-0x0000000007190000-0x00000000071CF000-memory.dmp

Filesize
252KB

Download
memory/4624-81-0x0000000007190000-0x00000000071CF000-memory.dmp

Filesize
252KB

Download
memory/4624-79-0x0000000007190000-0x00000000071CF000-memory.dmp

Filesize
252KB

Download
memory/4624-77-0x0000000007190000-0x00000000071CF000-memory.dmp

Filesize
252KB

Download
memory/4624-75-0x0000000007190000-0x00000000071CF000-memory.dmp

Filesize
252KB

Download
memory/4624-73-0x0000000007190000-0x00000000071CF000-memory.dmp

Filesize
252KB

Download
memory/4624-71-0x0000000007190000-0x00000000071CF000-memory.dmp

Filesize
252KB

Download
memory/4624-69-0x0000000007190000-0x00000000071CF000-memory.dmp

Filesize
252KB

Download
memory/4624-67-0x0000000007190000-0x00000000071CF000-memory.dmp

Filesize
252KB

Download
memory/4624-65-0x0000000007190000-0x00000000071CF000-memory.dmp

Filesize
252KB

Download
memory/4624-63-0x0000000007190000-0x00000000071CF000-memory.dmp

Filesize
252KB

Download
memory/4624-62-0x0000000007190000-0x00000000071CF000-memory.dmp

Filesize
252KB

Download
memory/4624-968-0x0000000007800000-0x0000000007E18000-memory.dmp

Filesize
6.1MB

Download
memory/4624-969-0x0000000007E60000-0x0000000007F6A000-memory.dmp

Filesize
1.0MB

Download
memory/4624-970-0x0000000007FA0000-0x0000000007FB2000-memory.dmp

Filesize
72KB

Download
memory/4624-971-0x0000000007FC0000-0x0000000007FFC000-memory.dmp

Filesize
240KB

Download
memory/4624-972-0x0000000008110000-0x000000000815C000-memory.dmp

Filesize
304KB

Download