healer | e46a8b70ee3d6d77321c1b5e14300bb1d85ac598e25099fa797e60b6af622125

Analysis

max time kernel
144s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2024 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e46a8b70ee3d6d77321c1b5e14300bb1d85ac598e25099fa797e60b6af622125.exe
Size

661KB
MD5

304069afeff4b62a97a48065ea13f7d8
SHA1

39172d8b4cd2382e8869c2983d22839a14a70c1f
SHA256

e46a8b70ee3d6d77321c1b5e14300bb1d85ac598e25099fa797e60b6af622125
SHA512

f94db833aa0560bc7f66f7dcd3542667bf528e21db06b4cb720a2993d96f8cb0fb280dd39e0d534ce969c276e96ad08f55ecd93c703b4e82c10e7b189d3981d1
SSDEEP

12288:IMroy9091KPriB6feaMZraQpESCUvv85PKGUNhJe46nA6OGfmgyQM8MtPg:gynG6G5rJaav85CGUfJe46nA6OGftKq

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1144-18-0x0000000003A90000-0x0000000003AAA000-memory.dmp	healer
behavioral1/memory/1144-21-0x00000000061D0000-0x00000000061E8000-memory.dmp	healer
behavioral1/memory/1144-49-0x00000000061D0000-0x00000000061E2000-memory.dmp	healer
behavioral1/memory/1144-47-0x00000000061D0000-0x00000000061E2000-memory.dmp	healer
behavioral1/memory/1144-45-0x00000000061D0000-0x00000000061E2000-memory.dmp	healer
behavioral1/memory/1144-43-0x00000000061D0000-0x00000000061E2000-memory.dmp	healer
behavioral1/memory/1144-42-0x00000000061D0000-0x00000000061E2000-memory.dmp	healer
behavioral1/memory/1144-39-0x00000000061D0000-0x00000000061E2000-memory.dmp	healer
behavioral1/memory/1144-37-0x00000000061D0000-0x00000000061E2000-memory.dmp	healer
behavioral1/memory/1144-35-0x00000000061D0000-0x00000000061E2000-memory.dmp	healer
behavioral1/memory/1144-33-0x00000000061D0000-0x00000000061E2000-memory.dmp	healer
behavioral1/memory/1144-31-0x00000000061D0000-0x00000000061E2000-memory.dmp	healer
behavioral1/memory/1144-29-0x00000000061D0000-0x00000000061E2000-memory.dmp	healer
behavioral1/memory/1144-27-0x00000000061D0000-0x00000000061E2000-memory.dmp	healer
behavioral1/memory/1144-25-0x00000000061D0000-0x00000000061E2000-memory.dmp	healer
behavioral1/memory/1144-23-0x00000000061D0000-0x00000000061E2000-memory.dmp	healer
behavioral1/memory/1144-22-0x00000000061D0000-0x00000000061E2000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

pro4336.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro4336.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro4336.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro4336.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro4336.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro4336.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro4336.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4320-62-0x0000000002310000-0x0000000002356000-memory.dmp	family_redline
behavioral1/memory/4320-63-0x0000000002660000-0x00000000026A4000-memory.dmp	family_redline
behavioral1/memory/4320-69-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/4320-79-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/4320-97-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/4320-95-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/4320-93-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/4320-91-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/4320-89-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/4320-87-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/4320-85-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/4320-83-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/4320-77-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/4320-75-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/4320-73-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/4320-71-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/4320-81-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/4320-67-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/4320-65-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/4320-64-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

un734124.exepro4336.exequ3209.exe

pid process

732 un734124.exe
1144 pro4336.exe
4320 qu3209.exe

pid	process
732	un734124.exe
1144	pro4336.exe
4320	qu3209.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

pro4336.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro4336.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro4336.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

e46a8b70ee3d6d77321c1b5e14300bb1d85ac598e25099fa797e60b6af622125.exeun734124.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e46a8b70ee3d6d77321c1b5e14300bb1d85ac598e25099fa797e60b6af622125.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un734124.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2608 1144 WerFault.exe pro4336.exe

pid	pid_target	process	target process
2608	1144	WerFault.exe	pro4336.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

pro4336.exequ3209.exee46a8b70ee3d6d77321c1b5e14300bb1d85ac598e25099fa797e60b6af622125.exeun734124.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pro4336.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu3209.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e46a8b70ee3d6d77321c1b5e14300bb1d85ac598e25099fa797e60b6af622125.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un734124.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pro4336.exe

pid process

1144 pro4336.exe
1144 pro4336.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pro4336.exequ3209.exe

description pid process

Token: SeDebugPrivilege 1144 pro4336.exe
Token: SeDebugPrivilege 4320 qu3209.exe

pid	process
1144	pro4336.exe
1144	pro4336.exe

description	pid	process
Token: SeDebugPrivilege	1144	pro4336.exe
Token: SeDebugPrivilege	4320	qu3209.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

e46a8b70ee3d6d77321c1b5e14300bb1d85ac598e25099fa797e60b6af622125.exeun734124.exe

description	pid	process	target process
PID 3440 wrote to memory of 732	3440	e46a8b70ee3d6d77321c1b5e14300bb1d85ac598e25099fa797e60b6af622125.exe	un734124.exe
PID 3440 wrote to memory of 732	3440	e46a8b70ee3d6d77321c1b5e14300bb1d85ac598e25099fa797e60b6af622125.exe	un734124.exe
PID 3440 wrote to memory of 732	3440	e46a8b70ee3d6d77321c1b5e14300bb1d85ac598e25099fa797e60b6af622125.exe	un734124.exe
PID 732 wrote to memory of 1144	732	un734124.exe	pro4336.exe
PID 732 wrote to memory of 1144	732	un734124.exe	pro4336.exe
PID 732 wrote to memory of 1144	732	un734124.exe	pro4336.exe
PID 732 wrote to memory of 4320	732	un734124.exe	qu3209.exe
PID 732 wrote to memory of 4320	732	un734124.exe	qu3209.exe
PID 732 wrote to memory of 4320	732	un734124.exe	qu3209.exe

C:\Users\Admin\AppData\Local\Temp\e46a8b70ee3d6d77321c1b5e14300bb1d85ac598e25099fa797e60b6af622125.exe
"C:\Users\Admin\AppData\Local\Temp\e46a8b70ee3d6d77321c1b5e14300bb1d85ac598e25099fa797e60b6af622125.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3440

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un734124.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un734124.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:732

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4336.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4336.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 1080
4⤵
- Program crash
PID:2608

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3209.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3209.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1144 -ip 1144
1⤵
PID:3524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un734124.exe

Filesize
518KB

MD5
504cb7d66f9431491fa9dfee6f25d4f4

SHA1
604d21bed8b827a8b85b6a5cd449fd2ab239cb27

SHA256
6ec45e681b7312c89cdb2af3a14c00a4d1ad3b4f040576c134d482125101a575

SHA512
9c3ce2dda67051c065cce3319a9f6c7fb122f4b4548890c954548af98db2feae31ee4a401cfc4934e83e9553152c973d8f891c7a32cb15fbf400b87ae61e7572

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4336.exe

Filesize
276KB

MD5
a10bebf4412f1f776d2c441dcf63f3e6

SHA1
7c248f0d7937ccbd4eda1d1ed96ae44f6ed8529b

SHA256
ac88737e671b87c38a595810d76006f2c6af5e6f2f94756e0eabd3d7e25ced0d

SHA512
c1c26da1d3eccd6aad7d0f69e1242a07d710aab2952f581af50f1975f9b7b3d6c3e1b771ac64f03a950eb4e000dde8eade7ef40e49e1268a424dca5ee86b8b03

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3209.exe

Filesize
295KB

MD5
5240a71ac1e653f67aa3d218f4ac54f8

SHA1
79324cf9e227e25f6e7db75fc2d31b5ff6565ae5

SHA256
c44ca224231f1d5b21ca41210652e5e20cad1af664164ce823dabdab9222e288

SHA512
6bb313b736187b688c566e6cde0e7090d3ce9e7c44c8cd1845b1f702f3029bba2b010c7e6984daa3b48fab7e78ad595601f9f3845b61b5abb83891b31d5d9266

Download Submit
memory/1144-15-0x0000000001CC0000-0x0000000001DC0000-memory.dmp

Filesize
1024KB

Download
memory/1144-16-0x0000000001C40000-0x0000000001C6D000-memory.dmp

Filesize
180KB

Download
memory/1144-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1144-18-0x0000000003A90000-0x0000000003AAA000-memory.dmp

Filesize
104KB

Download
memory/1144-19-0x0000000000400000-0x0000000001ADC000-memory.dmp

Filesize
22.9MB

Download
memory/1144-20-0x0000000006210000-0x00000000067B4000-memory.dmp

Filesize
5.6MB

Download
memory/1144-21-0x00000000061D0000-0x00000000061E8000-memory.dmp

Filesize
96KB

Download
memory/1144-49-0x00000000061D0000-0x00000000061E2000-memory.dmp

Filesize
72KB

Download
memory/1144-47-0x00000000061D0000-0x00000000061E2000-memory.dmp

Filesize
72KB

Download
memory/1144-45-0x00000000061D0000-0x00000000061E2000-memory.dmp

Filesize
72KB

Download
memory/1144-43-0x00000000061D0000-0x00000000061E2000-memory.dmp

Filesize
72KB

Download
memory/1144-42-0x00000000061D0000-0x00000000061E2000-memory.dmp

Filesize
72KB

Download
memory/1144-39-0x00000000061D0000-0x00000000061E2000-memory.dmp

Filesize
72KB

Download
memory/1144-37-0x00000000061D0000-0x00000000061E2000-memory.dmp

Filesize
72KB

Download
memory/1144-35-0x00000000061D0000-0x00000000061E2000-memory.dmp

Filesize
72KB

Download
memory/1144-33-0x00000000061D0000-0x00000000061E2000-memory.dmp

Filesize
72KB

Download
memory/1144-31-0x00000000061D0000-0x00000000061E2000-memory.dmp

Filesize
72KB

Download
memory/1144-29-0x00000000061D0000-0x00000000061E2000-memory.dmp

Filesize
72KB

Download
memory/1144-27-0x00000000061D0000-0x00000000061E2000-memory.dmp

Filesize
72KB

Download
memory/1144-25-0x00000000061D0000-0x00000000061E2000-memory.dmp

Filesize
72KB

Download
memory/1144-23-0x00000000061D0000-0x00000000061E2000-memory.dmp

Filesize
72KB

Download
memory/1144-22-0x00000000061D0000-0x00000000061E2000-memory.dmp

Filesize
72KB

Download
memory/1144-50-0x0000000001CC0000-0x0000000001DC0000-memory.dmp

Filesize
1024KB

Download
memory/1144-51-0x0000000001C40000-0x0000000001C6D000-memory.dmp

Filesize
180KB

Download
memory/1144-52-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1144-56-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1144-57-0x0000000000400000-0x0000000001ADC000-memory.dmp

Filesize
22.9MB

Download
memory/4320-62-0x0000000002310000-0x0000000002356000-memory.dmp

Filesize
280KB

Download
memory/4320-63-0x0000000002660000-0x00000000026A4000-memory.dmp

Filesize
272KB

Download
memory/4320-69-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/4320-79-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/4320-97-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/4320-95-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/4320-93-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/4320-91-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/4320-89-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/4320-87-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/4320-85-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/4320-83-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/4320-77-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/4320-75-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/4320-73-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/4320-71-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/4320-81-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/4320-67-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/4320-65-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/4320-64-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/4320-970-0x00000000052C0000-0x00000000058D8000-memory.dmp

Filesize
6.1MB

Download
memory/4320-971-0x0000000004BB0000-0x0000000004CBA000-memory.dmp

Filesize
1.0MB

Download
memory/4320-972-0x00000000058E0000-0x00000000058F2000-memory.dmp

Filesize
72KB

Download
memory/4320-973-0x0000000005900000-0x000000000593C000-memory.dmp

Filesize
240KB

Download
memory/4320-974-0x0000000005A40000-0x0000000005A8C000-memory.dmp

Filesize
304KB

Download