healer | b06cace9343a57bc850006f7fd7b49644051c1607f78aa1109f53cdb37964426

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2024 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b06cace9343a57bc850006f7fd7b49644051c1607f78aa1109f53cdb37964426.exe
Size

652KB
MD5

61013a8cf28d3c6cef09eabf50d8abb3
SHA1

8c6477463ee8ccacc27bf75d1a321b463b239907
SHA256

b06cace9343a57bc850006f7fd7b49644051c1607f78aa1109f53cdb37964426
SHA512

9dafd3aedf1f49cc1fc8530d11e39b03d61c4541c4aa51b581b34c366310357b95b7db14d5a54495668e09d328eaf5e004af3cb367ea35afac93ad53ff9d88c3
SSDEEP

12288:oMrJy909uY+QbTEGWaO5Z4hDtceHZ3gpgG0TIr8fvgz3PDM:xyKxbwGWd/4hD9ZGTivgzbM

Score

10^/10

healer redline diza norm discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

norm

77.91.124.145:4125

Attributes

auth_value
1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

diza

77.91.124.145:4125

Attributes

auth_value
bbab0d2f0ae4d4fdd6b17077d93b3e80

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr939620.exe	healer
behavioral1/memory/2348-15-0x0000000000C40000-0x0000000000C4A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

jr939620.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	jr939620.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	jr939620.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	jr939620.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	jr939620.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	jr939620.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	jr939620.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1792-2105-0x0000000005400000-0x0000000005432000-memory.dmp	family_redline
C:\Windows\Temp\1.exe	family_redline
behavioral1/memory/6228-2118-0x0000000000DE0000-0x0000000000E10000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr942314.exe	family_redline
behavioral1/memory/6444-2129-0x00000000006E0000-0x000000000070E000-memory.dmp	family_redline

Redline family
redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ku353721.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	ku353721.exe

Executes dropped EXE 5 IoCs

Processes:

ziir7925.exejr939620.exeku353721.exe1.exelr942314.exe

pid process

632 ziir7925.exe
2348 jr939620.exe
1792 ku353721.exe
6228 1.exe
6444 lr942314.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

jr939620.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" jr939620.exe

pid	process
632	ziir7925.exe
2348	jr939620.exe
1792	ku353721.exe
6228	1.exe
6444	lr942314.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	jr939620.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ziir7925.exeb06cace9343a57bc850006f7fd7b49644051c1607f78aa1109f53cdb37964426.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ziir7925.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b06cace9343a57bc850006f7fd7b49644051c1607f78aa1109f53cdb37964426.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

6360 1792 WerFault.exe ku353721.exe

pid	pid_target	process	target process
6360	1792	WerFault.exe	ku353721.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

b06cace9343a57bc850006f7fd7b49644051c1607f78aa1109f53cdb37964426.exeziir7925.exeku353721.exe1.exelr942314.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b06cace9343a57bc850006f7fd7b49644051c1607f78aa1109f53cdb37964426.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ziir7925.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ku353721.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lr942314.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

jr939620.exe

pid process

2348 jr939620.exe
2348 jr939620.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

jr939620.exeku353721.exe

description pid process

Token: SeDebugPrivilege 2348 jr939620.exe
Token: SeDebugPrivilege 1792 ku353721.exe

pid	process
2348	jr939620.exe
2348	jr939620.exe

description	pid	process
Token: SeDebugPrivilege	2348	jr939620.exe
Token: SeDebugPrivilege	1792	ku353721.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

b06cace9343a57bc850006f7fd7b49644051c1607f78aa1109f53cdb37964426.exeziir7925.exeku353721.exe

description	pid	process	target process
PID 4628 wrote to memory of 632	4628	b06cace9343a57bc850006f7fd7b49644051c1607f78aa1109f53cdb37964426.exe	ziir7925.exe
PID 4628 wrote to memory of 632	4628	b06cace9343a57bc850006f7fd7b49644051c1607f78aa1109f53cdb37964426.exe	ziir7925.exe
PID 4628 wrote to memory of 632	4628	b06cace9343a57bc850006f7fd7b49644051c1607f78aa1109f53cdb37964426.exe	ziir7925.exe
PID 632 wrote to memory of 2348	632	ziir7925.exe	jr939620.exe
PID 632 wrote to memory of 2348	632	ziir7925.exe	jr939620.exe
PID 632 wrote to memory of 1792	632	ziir7925.exe	ku353721.exe
PID 632 wrote to memory of 1792	632	ziir7925.exe	ku353721.exe
PID 632 wrote to memory of 1792	632	ziir7925.exe	ku353721.exe
PID 1792 wrote to memory of 6228	1792	ku353721.exe	1.exe
PID 1792 wrote to memory of 6228	1792	ku353721.exe	1.exe
PID 1792 wrote to memory of 6228	1792	ku353721.exe	1.exe
PID 4628 wrote to memory of 6444	4628	b06cace9343a57bc850006f7fd7b49644051c1607f78aa1109f53cdb37964426.exe	lr942314.exe
PID 4628 wrote to memory of 6444	4628	b06cace9343a57bc850006f7fd7b49644051c1607f78aa1109f53cdb37964426.exe	lr942314.exe
PID 4628 wrote to memory of 6444	4628	b06cace9343a57bc850006f7fd7b49644051c1607f78aa1109f53cdb37964426.exe	lr942314.exe

C:\Users\Admin\AppData\Local\Temp\b06cace9343a57bc850006f7fd7b49644051c1607f78aa1109f53cdb37964426.exe
"C:\Users\Admin\AppData\Local\Temp\b06cace9343a57bc850006f7fd7b49644051c1607f78aa1109f53cdb37964426.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4628

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziir7925.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziir7925.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:632

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr939620.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr939620.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2348

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku353721.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku353721.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 1176
4⤵
- Program crash
PID:6360

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr942314.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr942314.exe
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1792 -ip 1792
1⤵
PID:6316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr942314.exe

Filesize
168KB

MD5
4eb780f03ff70eac1bf3bc5c067399d4

SHA1
4a2fb7e1d84c320ce797ee5ba241260773482717

SHA256
3dcfdf5726a51535c5bcbc60e11351e4a41f66cd6b857d6bfb751df63392bd45

SHA512
ca7291a14d29a01ff462e613090f9048cdcf88941989cc32587591a945d91e18e61dcbe21f25e8f54a2155daafa04c835da299479f241a8c3deea10f2e00e8c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziir7925.exe

Filesize
497KB

MD5
7b22856997be99bdd538de790ae1f7c2

SHA1
e1de391da1edcd6595c9ac799dc0106750c54577

SHA256
cd248fe606096608dbd493fcd8913e676d18fa4e5224723626ca90653583cdaa

SHA512
c6cbe719c055ddc31ac6d5d2fd47d63b10d76e78ab42916213fa92a0d0b9733a3d49875aed57e1376ee5addfda0ab77afd594eb9964a5ffbd913a00254017906

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr939620.exe

Filesize
11KB

MD5
8e0231955a9251f96afc8a273e0ac97d

SHA1
a84d5dc1a0b52126d088f9b2fb37e7c899f72ea8

SHA256
c9646622c47c2ff74655b45b471dde9b60a20968fe7a485a789ada9aec7e2051

SHA512
5e2c5a7936c5fbc1cc7e7ebcaf2c6fe90cbaf0dc77940207bfda97ef6cc4507038c89fae0934b914f9e3e3a7b59aa27b13de199496565a71c037bb1d0f537828

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku353721.exe

Filesize
415KB

MD5
e40258e257561040f1eeb958f42b2e6e

SHA1
032b706c118213b388c76ff27287e35f2b002942

SHA256
1916acc573d9cc009c9d9ee9d6090b81fbec894a97e60d14b5f45d3fbb8c2a1e

SHA512
4851f59264956c1dc8b6522cc0bbaa72881926334a24010c9634e05f5f973cef5807445b8cb05766eb01587fd259c5633181ca89080f9fc3caebabe7dec5196a

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1073b2e7f778788852d3f7bb79929882

SHA1
7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

SHA256
c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

SHA512
90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

Download Submit
memory/1792-50-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/1792-86-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/1792-24-0x00000000051E0000-0x0000000005246000-memory.dmp

Filesize
408KB

Download
memory/1792-43-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/1792-48-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/1792-88-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/1792-38-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/1792-84-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/1792-80-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/1792-78-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/1792-76-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/1792-36-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/1792-72-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/1792-70-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/1792-68-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/1792-64-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/1792-62-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/1792-60-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/1792-58-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/1792-56-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/1792-40-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/1792-22-0x0000000004BC0000-0x0000000004C26000-memory.dmp

Filesize
408KB

Download
memory/1792-46-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/1792-44-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/1792-52-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/1792-23-0x0000000004C30000-0x00000000051D4000-memory.dmp

Filesize
5.6MB

Download
memory/1792-74-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/1792-34-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/1792-32-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/1792-30-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/1792-82-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/1792-66-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/1792-54-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/1792-28-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/1792-26-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/1792-25-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/1792-2105-0x0000000005400000-0x0000000005432000-memory.dmp

Filesize
200KB

Download
memory/2348-14-0x00007FFBA03A3000-0x00007FFBA03A5000-memory.dmp

Filesize
8KB

Download
memory/2348-15-0x0000000000C40000-0x0000000000C4A000-memory.dmp

Filesize
40KB

Download
memory/2348-17-0x00007FFBA03A3000-0x00007FFBA03A5000-memory.dmp

Filesize
8KB

Download
memory/6228-2118-0x0000000000DE0000-0x0000000000E10000-memory.dmp

Filesize
192KB

Download
memory/6228-2119-0x0000000005700000-0x0000000005706000-memory.dmp

Filesize
24KB

Download
memory/6228-2120-0x0000000005DD0000-0x00000000063E8000-memory.dmp

Filesize
6.1MB

Download
memory/6228-2121-0x00000000058C0000-0x00000000059CA000-memory.dmp

Filesize
1.0MB

Download
memory/6228-2122-0x0000000005750000-0x0000000005762000-memory.dmp

Filesize
72KB

Download
memory/6228-2123-0x00000000057F0000-0x000000000582C000-memory.dmp

Filesize
240KB

Download
memory/6228-2124-0x0000000005830000-0x000000000587C000-memory.dmp

Filesize
304KB

Download
memory/6444-2129-0x00000000006E0000-0x000000000070E000-memory.dmp

Filesize
184KB

Download
memory/6444-2130-0x0000000002830000-0x0000000002836000-memory.dmp

Filesize
24KB

Download