healer | 3f3b70782e5d7955df08db16d879a1c4f96743dc719c6b4270f88d64315f30b9

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2024 11:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f3b70782e5d7955df08db16d879a1c4f96743dc719c6b4270f88d64315f30b9.exe
Size

699KB
MD5

d80ca11b98125d9382cbd87cffac9b11
SHA1

0c820f656e419ff92d31ea02c7708e1aa515e993
SHA256

3f3b70782e5d7955df08db16d879a1c4f96743dc719c6b4270f88d64315f30b9
SHA512

54c82dc5c20cb48e4fef986cf6e33bd37b1398920c669da6bea1b5129170126829ee2eb859b52e3a7c8fae555e3ea9bc2e8bc60b2dca499c3c9d8996162faec3
SSDEEP

12288:qMrWy90HJqY0HpxQN/6Y2aVHefb8aKyxU/G2IYAgmKcFK+lYkouYdMxwXHCfZ0P:8yuJIHGgA+jA/9xcZlYkoCw3CfZ0P

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4460-17-0x0000000004A30000-0x0000000004A4A000-memory.dmp	healer
behavioral1/memory/4460-19-0x0000000007270000-0x0000000007288000-memory.dmp	healer
behavioral1/memory/4460-40-0x0000000007270000-0x0000000007282000-memory.dmp	healer
behavioral1/memory/4460-48-0x0000000007270000-0x0000000007282000-memory.dmp	healer
behavioral1/memory/4460-47-0x0000000007270000-0x0000000007282000-memory.dmp	healer
behavioral1/memory/4460-44-0x0000000007270000-0x0000000007282000-memory.dmp	healer
behavioral1/memory/4460-43-0x0000000007270000-0x0000000007282000-memory.dmp	healer
behavioral1/memory/4460-38-0x0000000007270000-0x0000000007282000-memory.dmp	healer
behavioral1/memory/4460-36-0x0000000007270000-0x0000000007282000-memory.dmp	healer
behavioral1/memory/4460-34-0x0000000007270000-0x0000000007282000-memory.dmp	healer
behavioral1/memory/4460-32-0x0000000007270000-0x0000000007282000-memory.dmp	healer
behavioral1/memory/4460-30-0x0000000007270000-0x0000000007282000-memory.dmp	healer
behavioral1/memory/4460-28-0x0000000007270000-0x0000000007282000-memory.dmp	healer
behavioral1/memory/4460-26-0x0000000007270000-0x0000000007282000-memory.dmp	healer
behavioral1/memory/4460-22-0x0000000007270000-0x0000000007282000-memory.dmp	healer
behavioral1/memory/4460-21-0x0000000007270000-0x0000000007282000-memory.dmp	healer
behavioral1/memory/4460-24-0x0000000007270000-0x0000000007282000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

pro4899.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro4899.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro4899.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro4899.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro4899.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro4899.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro4899.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1364-59-0x0000000004910000-0x0000000004956000-memory.dmp	family_redline
behavioral1/memory/1364-60-0x0000000007180000-0x00000000071C4000-memory.dmp	family_redline
behavioral1/memory/1364-74-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/1364-94-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/1364-92-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/1364-90-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/1364-88-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/1364-86-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/1364-84-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/1364-82-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/1364-80-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/1364-78-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/1364-76-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/1364-72-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/1364-70-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/1364-68-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/1364-66-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/1364-64-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/1364-62-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/1364-61-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

un840322.exepro4899.exequ2272.exe

pid process

1268 un840322.exe
4460 pro4899.exe
1364 qu2272.exe

pid	process
1268	un840322.exe
4460	pro4899.exe
1364	qu2272.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

pro4899.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro4899.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro4899.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3f3b70782e5d7955df08db16d879a1c4f96743dc719c6b4270f88d64315f30b9.exeun840322.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3f3b70782e5d7955df08db16d879a1c4f96743dc719c6b4270f88d64315f30b9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un840322.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

5408 sc.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4336 4460 WerFault.exe pro4899.exe

pid	process
5408	sc.exe

pid	pid_target	process	target process
4336	4460	WerFault.exe	pro4899.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

3f3b70782e5d7955df08db16d879a1c4f96743dc719c6b4270f88d64315f30b9.exeun840322.exepro4899.exequ2272.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3f3b70782e5d7955df08db16d879a1c4f96743dc719c6b4270f88d64315f30b9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un840322.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pro4899.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu2272.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pro4899.exe

pid process

4460 pro4899.exe
4460 pro4899.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pro4899.exequ2272.exe

description pid process

Token: SeDebugPrivilege 4460 pro4899.exe
Token: SeDebugPrivilege 1364 qu2272.exe

pid	process
4460	pro4899.exe
4460	pro4899.exe

description	pid	process
Token: SeDebugPrivilege	4460	pro4899.exe
Token: SeDebugPrivilege	1364	qu2272.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

3f3b70782e5d7955df08db16d879a1c4f96743dc719c6b4270f88d64315f30b9.exeun840322.exe

description	pid	process	target process
PID 2388 wrote to memory of 1268	2388	3f3b70782e5d7955df08db16d879a1c4f96743dc719c6b4270f88d64315f30b9.exe	un840322.exe
PID 2388 wrote to memory of 1268	2388	3f3b70782e5d7955df08db16d879a1c4f96743dc719c6b4270f88d64315f30b9.exe	un840322.exe
PID 2388 wrote to memory of 1268	2388	3f3b70782e5d7955df08db16d879a1c4f96743dc719c6b4270f88d64315f30b9.exe	un840322.exe
PID 1268 wrote to memory of 4460	1268	un840322.exe	pro4899.exe
PID 1268 wrote to memory of 4460	1268	un840322.exe	pro4899.exe
PID 1268 wrote to memory of 4460	1268	un840322.exe	pro4899.exe
PID 1268 wrote to memory of 1364	1268	un840322.exe	qu2272.exe
PID 1268 wrote to memory of 1364	1268	un840322.exe	qu2272.exe
PID 1268 wrote to memory of 1364	1268	un840322.exe	qu2272.exe

C:\Users\Admin\AppData\Local\Temp\3f3b70782e5d7955df08db16d879a1c4f96743dc719c6b4270f88d64315f30b9.exe
"C:\Users\Admin\AppData\Local\Temp\3f3b70782e5d7955df08db16d879a1c4f96743dc719c6b4270f88d64315f30b9.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2388

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un840322.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un840322.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1268

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4899.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4899.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 1080
4⤵
- Program crash
PID:4336

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2272.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2272.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4460 -ip 4460
1⤵
PID:1400

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:5408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un840322.exe

Filesize
557KB

MD5
1f40c3faeee11a9c2a65c9b690c3e38f

SHA1
5e1204b6c590e47091156c2aea777e0c222762a9

SHA256
9c296f647d1d9ac0decf3621b5b158d26e8fe8161cba173ec3bbf7be8eb723ce

SHA512
1f86b9272c64a4765da518377a9a507c6a5d5bfb0f895a8004b28a9bc8d53c97ac994a6110ba733207997c8c53cebbaa6c4682f39f1cf10211ef79bd7134faf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4899.exe

Filesize
356KB

MD5
67cc7da7fa9e7c6aa8ea5ea75fa42180

SHA1
0181133df66a625b7fc76fbfd5799ec3ac71a5a5

SHA256
c6f996b72db9d0ee3fcfde2e0dd9e104fc06d3f5d5f13929206f7c07618b96d2

SHA512
cd43ca753a67585caa404b8684a6582b69979ff43a86e3d87e8181143852c3f82d80e181a8f5a4f04b01d153c3fc402f616736e97694c5a9e8a1fce7018c8793

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2272.exe

Filesize
333KB

MD5
c8ffac403c2853645deb704457b435c3

SHA1
576f8327cdd8a51e037410f85f7ad9d51f8c7a00

SHA256
0a604a55bb9d1dbc7430e0cc0694852840a50ca34ec4d7d94acd36359d995609

SHA512
feaea5a04799a47d0e551b58ebe920c3a5dfaa2f4d07e124ecc9f693d9730dc9481c463e5b5b47d5897083ded5fc8a383565628dce41094af0b12b5bd4603207

Download Submit
memory/1364-72-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/1364-78-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/1364-968-0x0000000007E60000-0x0000000007F6A000-memory.dmp

Filesize
1.0MB

Download
memory/1364-967-0x00000000077C0000-0x0000000007DD8000-memory.dmp

Filesize
6.1MB

Download
memory/1364-61-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/1364-62-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/1364-64-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/1364-66-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/1364-68-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/1364-70-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/1364-970-0x0000000007FC0000-0x0000000007FFC000-memory.dmp

Filesize
240KB

Download
memory/1364-971-0x0000000008110000-0x000000000815C000-memory.dmp

Filesize
304KB

Download
memory/1364-76-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/1364-969-0x0000000007FA0000-0x0000000007FB2000-memory.dmp

Filesize
72KB

Download
memory/1364-80-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/1364-82-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/1364-84-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/1364-86-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/1364-88-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/1364-90-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/1364-92-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/1364-94-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/1364-74-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/1364-60-0x0000000007180000-0x00000000071C4000-memory.dmp

Filesize
272KB

Download
memory/1364-59-0x0000000004910000-0x0000000004956000-memory.dmp

Filesize
280KB

Download
memory/4460-38-0x0000000007270000-0x0000000007282000-memory.dmp

Filesize
72KB

Download
memory/4460-54-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4460-53-0x0000000000400000-0x0000000002B86000-memory.dmp

Filesize
39.5MB

Download
memory/4460-51-0x0000000000400000-0x0000000002B86000-memory.dmp

Filesize
39.5MB

Download
memory/4460-50-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4460-49-0x0000000002BC0000-0x0000000002CC0000-memory.dmp

Filesize
1024KB

Download
memory/4460-24-0x0000000007270000-0x0000000007282000-memory.dmp

Filesize
72KB

Download
memory/4460-21-0x0000000007270000-0x0000000007282000-memory.dmp

Filesize
72KB

Download
memory/4460-22-0x0000000007270000-0x0000000007282000-memory.dmp

Filesize
72KB

Download
memory/4460-26-0x0000000007270000-0x0000000007282000-memory.dmp

Filesize
72KB

Download
memory/4460-28-0x0000000007270000-0x0000000007282000-memory.dmp

Filesize
72KB

Download
memory/4460-30-0x0000000007270000-0x0000000007282000-memory.dmp

Filesize
72KB

Download
memory/4460-32-0x0000000007270000-0x0000000007282000-memory.dmp

Filesize
72KB

Download
memory/4460-34-0x0000000007270000-0x0000000007282000-memory.dmp

Filesize
72KB

Download
memory/4460-36-0x0000000007270000-0x0000000007282000-memory.dmp

Filesize
72KB

Download
memory/4460-43-0x0000000007270000-0x0000000007282000-memory.dmp

Filesize
72KB

Download
memory/4460-44-0x0000000007270000-0x0000000007282000-memory.dmp

Filesize
72KB

Download
memory/4460-47-0x0000000007270000-0x0000000007282000-memory.dmp

Filesize
72KB

Download
memory/4460-48-0x0000000007270000-0x0000000007282000-memory.dmp

Filesize
72KB

Download
memory/4460-40-0x0000000007270000-0x0000000007282000-memory.dmp

Filesize
72KB

Download
memory/4460-19-0x0000000007270000-0x0000000007288000-memory.dmp

Filesize
96KB

Download
memory/4460-20-0x0000000000400000-0x0000000002B86000-memory.dmp

Filesize
39.5MB

Download
memory/4460-18-0x0000000007370000-0x0000000007914000-memory.dmp

Filesize
5.6MB

Download
memory/4460-17-0x0000000004A30000-0x0000000004A4A000-memory.dmp

Filesize
104KB

Download
memory/4460-15-0x0000000002BC0000-0x0000000002CC0000-memory.dmp

Filesize
1024KB

Download
memory/4460-16-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download