healer | 1f0504fabd4a01bcd326323516dde2f489aa60e333f1dd725132dfe81b54aca1

Analysis

max time kernel
143s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2024 10:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f0504fabd4a01bcd326323516dde2f489aa60e333f1dd725132dfe81b54aca1.exe
Size

530KB
MD5

93fb59c2d87524e6049eb196190ee698
SHA1

66f2a78a55ecc35c05ee541ff40ae071c334d92a
SHA256

1f0504fabd4a01bcd326323516dde2f489aa60e333f1dd725132dfe81b54aca1
SHA512

7549b8e096eb76e08acc9febbeba5b858e27c202251af3c7861e0638d9474cf76e7e6ad88e31dbedbe973465618565908a10a0d438380e327038f249f1725d56
SSDEEP

12288:r4MrAy90QJMoRwA5R2DetO41Vwm4kRzy26:royBwA56KO41GURf6

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr578961.exe	healer
behavioral1/memory/1484-15-0x0000000000ED0000-0x0000000000EDA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

jr578961.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	jr578961.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	jr578961.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	jr578961.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	jr578961.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	jr578961.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	jr578961.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4576-21-0x0000000002A20000-0x0000000002A66000-memory.dmp	family_redline
behavioral1/memory/4576-23-0x0000000004E40000-0x0000000004E84000-memory.dmp	family_redline
behavioral1/memory/4576-27-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4576-37-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4576-87-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4576-83-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4576-81-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4576-79-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4576-77-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4576-75-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4576-73-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4576-71-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4576-69-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4576-65-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4576-63-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4576-61-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4576-59-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4576-57-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4576-55-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4576-53-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4576-51-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4576-49-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4576-45-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4576-43-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4576-41-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4576-39-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4576-35-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4576-33-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4576-31-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4576-29-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4576-85-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4576-67-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4576-47-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4576-25-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4576-24-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

zihx5412.exejr578961.exeku633622.exe

pid process

1268 zihx5412.exe
1484 jr578961.exe
4576 ku633622.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

jr578961.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" jr578961.exe

pid	process
1268	zihx5412.exe
1484	jr578961.exe
4576	ku633622.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	jr578961.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1f0504fabd4a01bcd326323516dde2f489aa60e333f1dd725132dfe81b54aca1.exezihx5412.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1f0504fabd4a01bcd326323516dde2f489aa60e333f1dd725132dfe81b54aca1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zihx5412.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

5312 sc.exe

pid	process
5312	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

1f0504fabd4a01bcd326323516dde2f489aa60e333f1dd725132dfe81b54aca1.exezihx5412.exeku633622.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1f0504fabd4a01bcd326323516dde2f489aa60e333f1dd725132dfe81b54aca1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zihx5412.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ku633622.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

jr578961.exe

pid process

1484 jr578961.exe
1484 jr578961.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

jr578961.exeku633622.exe

description pid process

Token: SeDebugPrivilege 1484 jr578961.exe
Token: SeDebugPrivilege 4576 ku633622.exe

pid	process
1484	jr578961.exe
1484	jr578961.exe

description	pid	process
Token: SeDebugPrivilege	1484	jr578961.exe
Token: SeDebugPrivilege	4576	ku633622.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

1f0504fabd4a01bcd326323516dde2f489aa60e333f1dd725132dfe81b54aca1.exezihx5412.exe

description	pid	process	target process
PID 2460 wrote to memory of 1268	2460	1f0504fabd4a01bcd326323516dde2f489aa60e333f1dd725132dfe81b54aca1.exe	zihx5412.exe
PID 2460 wrote to memory of 1268	2460	1f0504fabd4a01bcd326323516dde2f489aa60e333f1dd725132dfe81b54aca1.exe	zihx5412.exe
PID 2460 wrote to memory of 1268	2460	1f0504fabd4a01bcd326323516dde2f489aa60e333f1dd725132dfe81b54aca1.exe	zihx5412.exe
PID 1268 wrote to memory of 1484	1268	zihx5412.exe	jr578961.exe
PID 1268 wrote to memory of 1484	1268	zihx5412.exe	jr578961.exe
PID 1268 wrote to memory of 4576	1268	zihx5412.exe	ku633622.exe
PID 1268 wrote to memory of 4576	1268	zihx5412.exe	ku633622.exe
PID 1268 wrote to memory of 4576	1268	zihx5412.exe	ku633622.exe

C:\Users\Admin\AppData\Local\Temp\1f0504fabd4a01bcd326323516dde2f489aa60e333f1dd725132dfe81b54aca1.exe
"C:\Users\Admin\AppData\Local\Temp\1f0504fabd4a01bcd326323516dde2f489aa60e333f1dd725132dfe81b54aca1.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2460

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zihx5412.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zihx5412.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1268

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr578961.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr578961.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku633622.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku633622.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4576

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:5312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zihx5412.exe

Filesize
387KB

MD5
949056d4e5eda0c2bc8adba8f293ca00

SHA1
3e333c2a0c814e17524da0b0c9659feab03ac6d1

SHA256
6c9dffd4d1bf98a51d0bc8035f3f4e74b99ba4dd7bc113dc1220a7d6c61d3e34

SHA512
117fbdf2809fc4e629e75638415e70ebfd87b362ec4b8ce1fb120053b698a6ef8d65b79e488b6148c734ba598e4484f12952833bd29b889854a67ed50e86b2b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr578961.exe

Filesize
12KB

MD5
5d591efbd5148de63e755e4c92b7b3db

SHA1
42e866f021293ed336aa8ffa909f4e5c041f0eb3

SHA256
3151b5c6b7f88f059fe7a59373b2afbadba9193c20717fce197982c926e5a8ac

SHA512
d40e85d3ba945a6391bd99dab81345a9aa15e9cac7296af05e88979f58ed5a813271c64d0e4b8f58c9e1447c7c7234e19edee726605a43e7d5931a435974b34b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku633622.exe

Filesize
353KB

MD5
944e2e65f88475eedd6ec3721832d24a

SHA1
71054d3631660cd7a1681ba15bfbd4a11eefe8af

SHA256
66aa177db2446eb23727966b5630bf8def2bb55535a6bb02c8bb046affdb5899

SHA512
12f823a56d2b003fab53af460af3379ca7eb4bdf3f7f71d4540a8a2e01e57128427d83df41f45da5777dd6b1d6a43011551b6cc019bb727c5d6841708afe7c5b

Download Submit
memory/1484-14-0x00007FFEED8A3000-0x00007FFEED8A5000-memory.dmp

Filesize
8KB

Download
memory/1484-15-0x0000000000ED0000-0x0000000000EDA000-memory.dmp

Filesize
40KB

Download
memory/4576-59-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4576-51-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4576-23-0x0000000004E40000-0x0000000004E84000-memory.dmp

Filesize
272KB

Download
memory/4576-27-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4576-37-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4576-87-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4576-83-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4576-81-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4576-79-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4576-77-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4576-75-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4576-73-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4576-71-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4576-69-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4576-65-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4576-63-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4576-61-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4576-21-0x0000000002A20000-0x0000000002A66000-memory.dmp

Filesize
280KB

Download
memory/4576-57-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4576-55-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4576-53-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4576-22-0x0000000004EB0000-0x0000000005454000-memory.dmp

Filesize
5.6MB

Download
memory/4576-49-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4576-45-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4576-43-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4576-41-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4576-39-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4576-35-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4576-33-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4576-31-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4576-29-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4576-85-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4576-67-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4576-47-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4576-25-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4576-24-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4576-930-0x0000000005460000-0x0000000005A78000-memory.dmp

Filesize
6.1MB

Download
memory/4576-931-0x0000000005AE0000-0x0000000005BEA000-memory.dmp

Filesize
1.0MB

Download
memory/4576-932-0x0000000005C20000-0x0000000005C32000-memory.dmp

Filesize
72KB

Download
memory/4576-933-0x0000000005C40000-0x0000000005C7C000-memory.dmp

Filesize
240KB

Download
memory/4576-934-0x0000000005D90000-0x0000000005DDC000-memory.dmp

Filesize
304KB

Download