healer | 9928f5a985d264627aa84b5156fe31c92e0c4d501c0d7f0220ba2f53812e6769

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2024 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9928f5a985d264627aa84b5156fe31c92e0c4d501c0d7f0220ba2f53812e6769.exe
Size

689KB
MD5

570b8ae73e40f357ef4737e9901ceb96
SHA1

8b346cf869ec47ffd005bf5adc4520c9b72129d5
SHA256

9928f5a985d264627aa84b5156fe31c92e0c4d501c0d7f0220ba2f53812e6769
SHA512

cc9e6bf7398ab36e0b48973232c715b9926283aa2c507f2d3417defa557efaaadff8c65ca650009d071ff552c87cc084c4bc7cb9749111d11b11044b79ae1ef4
SSDEEP

12288:mMrUy90FZhhpVeQX6fFy7MEGg6JByY65hLunoM1+D224YxKCU+evQFawfigh8B7d:uyoHQQqfFCMvyXfaz+D2AeoawaghuSm

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4884-19-0x00000000026B0000-0x00000000026CA000-memory.dmp	healer
behavioral1/memory/4884-21-0x0000000002850000-0x0000000002868000-memory.dmp	healer
behavioral1/memory/4884-47-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/4884-45-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/4884-43-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/4884-41-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/4884-39-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/4884-37-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/4884-49-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/4884-35-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/4884-33-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/4884-32-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/4884-29-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/4884-27-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/4884-25-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/4884-24-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/4884-22-0x0000000002850000-0x0000000002862000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

pro4887.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro4887.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro4887.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro4887.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro4887.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro4887.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro4887.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4976-61-0x0000000005F60000-0x0000000005FA6000-memory.dmp	family_redline
behavioral1/memory/4976-62-0x0000000006000000-0x0000000006044000-memory.dmp	family_redline
behavioral1/memory/4976-72-0x0000000006000000-0x000000000603F000-memory.dmp	family_redline
behavioral1/memory/4976-74-0x0000000006000000-0x000000000603F000-memory.dmp	family_redline
behavioral1/memory/4976-70-0x0000000006000000-0x000000000603F000-memory.dmp	family_redline
behavioral1/memory/4976-96-0x0000000006000000-0x000000000603F000-memory.dmp	family_redline
behavioral1/memory/4976-84-0x0000000006000000-0x000000000603F000-memory.dmp	family_redline
behavioral1/memory/4976-68-0x0000000006000000-0x000000000603F000-memory.dmp	family_redline
behavioral1/memory/4976-66-0x0000000006000000-0x000000000603F000-memory.dmp	family_redline
behavioral1/memory/4976-64-0x0000000006000000-0x000000000603F000-memory.dmp	family_redline
behavioral1/memory/4976-63-0x0000000006000000-0x000000000603F000-memory.dmp	family_redline
behavioral1/memory/4976-80-0x0000000006000000-0x000000000603F000-memory.dmp	family_redline
behavioral1/memory/4976-94-0x0000000006000000-0x000000000603F000-memory.dmp	family_redline
behavioral1/memory/4976-92-0x0000000006000000-0x000000000603F000-memory.dmp	family_redline
behavioral1/memory/4976-90-0x0000000006000000-0x000000000603F000-memory.dmp	family_redline
behavioral1/memory/4976-88-0x0000000006000000-0x000000000603F000-memory.dmp	family_redline
behavioral1/memory/4976-86-0x0000000006000000-0x000000000603F000-memory.dmp	family_redline
behavioral1/memory/4976-82-0x0000000006000000-0x000000000603F000-memory.dmp	family_redline
behavioral1/memory/4976-78-0x0000000006000000-0x000000000603F000-memory.dmp	family_redline
behavioral1/memory/4976-76-0x0000000006000000-0x000000000603F000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

un177671.exepro4887.exequ2057.exe

pid process

4664 un177671.exe
4884 pro4887.exe
4976 qu2057.exe

pid	process
4664	un177671.exe
4884	pro4887.exe
4976	qu2057.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

pro4887.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro4887.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro4887.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

9928f5a985d264627aa84b5156fe31c92e0c4d501c0d7f0220ba2f53812e6769.exeun177671.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9928f5a985d264627aa84b5156fe31c92e0c4d501c0d7f0220ba2f53812e6769.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un177671.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

3572 sc.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4972 4884 WerFault.exe pro4887.exe

pid	process
3572	sc.exe

pid	pid_target	process	target process
4972	4884	WerFault.exe	pro4887.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

9928f5a985d264627aa84b5156fe31c92e0c4d501c0d7f0220ba2f53812e6769.exeun177671.exepro4887.exequ2057.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9928f5a985d264627aa84b5156fe31c92e0c4d501c0d7f0220ba2f53812e6769.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un177671.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pro4887.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu2057.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pro4887.exe

pid process

4884 pro4887.exe
4884 pro4887.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pro4887.exequ2057.exe

description pid process

Token: SeDebugPrivilege 4884 pro4887.exe
Token: SeDebugPrivilege 4976 qu2057.exe

pid	process
4884	pro4887.exe
4884	pro4887.exe

description	pid	process
Token: SeDebugPrivilege	4884	pro4887.exe
Token: SeDebugPrivilege	4976	qu2057.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

9928f5a985d264627aa84b5156fe31c92e0c4d501c0d7f0220ba2f53812e6769.exeun177671.exe

description	pid	process	target process
PID 456 wrote to memory of 4664	456	9928f5a985d264627aa84b5156fe31c92e0c4d501c0d7f0220ba2f53812e6769.exe	un177671.exe
PID 456 wrote to memory of 4664	456	9928f5a985d264627aa84b5156fe31c92e0c4d501c0d7f0220ba2f53812e6769.exe	un177671.exe
PID 456 wrote to memory of 4664	456	9928f5a985d264627aa84b5156fe31c92e0c4d501c0d7f0220ba2f53812e6769.exe	un177671.exe
PID 4664 wrote to memory of 4884	4664	un177671.exe	pro4887.exe
PID 4664 wrote to memory of 4884	4664	un177671.exe	pro4887.exe
PID 4664 wrote to memory of 4884	4664	un177671.exe	pro4887.exe
PID 4664 wrote to memory of 4976	4664	un177671.exe	qu2057.exe
PID 4664 wrote to memory of 4976	4664	un177671.exe	qu2057.exe
PID 4664 wrote to memory of 4976	4664	un177671.exe	qu2057.exe

C:\Users\Admin\AppData\Local\Temp\9928f5a985d264627aa84b5156fe31c92e0c4d501c0d7f0220ba2f53812e6769.exe
"C:\Users\Admin\AppData\Local\Temp\9928f5a985d264627aa84b5156fe31c92e0c4d501c0d7f0220ba2f53812e6769.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:456

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un177671.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un177671.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4664

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4887.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4887.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 1084
4⤵
- Program crash
PID:4972

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2057.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2057.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4884 -ip 4884
1⤵
PID:3144

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:3572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un177671.exe

Filesize
547KB

MD5
e18d3d263dac21e19965cb18bb8978c3

SHA1
d489461e5530703047a93bf19f10ec74bf180a19

SHA256
e61533439bc18c4124dad11fc298a7f04844951a5c77a7858eefe00500ab3c55

SHA512
a2b4f96a3118fa69b44ae93e20aa7ae0cfb5ce5e29c9f63ea25d49a17d5230613183ff996f4fa81f115f65bfec8e646cc494b1a9e79ed2aeccf22c582c88a9ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4887.exe

Filesize
291KB

MD5
04eaeb86846ae5186e5793eba44c2e96

SHA1
85c516adda296a3487bd83d3d5c6d5a646d8f933

SHA256
3ec63e62f6a2f1f8d1b3ca62be6ab9ae985a569dfe51a2a21cb3390968a94fed

SHA512
483d62b48393cdd79f4579b569a96ebf764ae6cac70647db3069c495811cb587c4c62028ed7f5e0b07470488d03e7ad521ea196c43f3408cbc3dcfc56b1b7563

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2057.exe

Filesize
345KB

MD5
65e90b5716d69afea5c8d6d543913369

SHA1
127f49df8b775c11c7d2881eb076fb317869cc05

SHA256
6e7561d6e121b6bf4eb842818b122965f07f9b10ba2030334dcc7bca7abd2c78

SHA512
9108e1b424c406054b78dea1b89cbebfb12fee4f10384e2040429bb8b87a2302d49f660b8c094af49c6e179b5972b4db1f048530af269c1e81cd7fb6876d9bde

Download Submit
memory/4884-15-0x00000000009E0000-0x0000000000AE0000-memory.dmp

Filesize
1024KB

Download
memory/4884-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4884-16-0x00000000007F0000-0x000000000081D000-memory.dmp

Filesize
180KB

Download
memory/4884-18-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4884-19-0x00000000026B0000-0x00000000026CA000-memory.dmp

Filesize
104KB

Download
memory/4884-20-0x0000000004F10000-0x00000000054B4000-memory.dmp

Filesize
5.6MB

Download
memory/4884-21-0x0000000002850000-0x0000000002868000-memory.dmp

Filesize
96KB

Download
memory/4884-47-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/4884-45-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/4884-43-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/4884-41-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/4884-39-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/4884-37-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/4884-49-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/4884-35-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/4884-33-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/4884-32-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/4884-29-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/4884-27-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/4884-25-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/4884-24-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/4884-22-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/4884-50-0x00000000009E0000-0x0000000000AE0000-memory.dmp

Filesize
1024KB

Download
memory/4884-51-0x00000000007F0000-0x000000000081D000-memory.dmp

Filesize
180KB

Download
memory/4884-52-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4884-56-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4884-55-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4976-61-0x0000000005F60000-0x0000000005FA6000-memory.dmp

Filesize
280KB

Download
memory/4976-62-0x0000000006000000-0x0000000006044000-memory.dmp

Filesize
272KB

Download
memory/4976-72-0x0000000006000000-0x000000000603F000-memory.dmp

Filesize
252KB

Download
memory/4976-74-0x0000000006000000-0x000000000603F000-memory.dmp

Filesize
252KB

Download
memory/4976-70-0x0000000006000000-0x000000000603F000-memory.dmp

Filesize
252KB

Download
memory/4976-96-0x0000000006000000-0x000000000603F000-memory.dmp

Filesize
252KB

Download
memory/4976-84-0x0000000006000000-0x000000000603F000-memory.dmp

Filesize
252KB

Download
memory/4976-68-0x0000000006000000-0x000000000603F000-memory.dmp

Filesize
252KB

Download
memory/4976-66-0x0000000006000000-0x000000000603F000-memory.dmp

Filesize
252KB

Download
memory/4976-64-0x0000000006000000-0x000000000603F000-memory.dmp

Filesize
252KB

Download
memory/4976-63-0x0000000006000000-0x000000000603F000-memory.dmp

Filesize
252KB

Download
memory/4976-80-0x0000000006000000-0x000000000603F000-memory.dmp

Filesize
252KB

Download
memory/4976-94-0x0000000006000000-0x000000000603F000-memory.dmp

Filesize
252KB

Download
memory/4976-92-0x0000000006000000-0x000000000603F000-memory.dmp

Filesize
252KB

Download
memory/4976-90-0x0000000006000000-0x000000000603F000-memory.dmp

Filesize
252KB

Download
memory/4976-88-0x0000000006000000-0x000000000603F000-memory.dmp

Filesize
252KB

Download
memory/4976-86-0x0000000006000000-0x000000000603F000-memory.dmp

Filesize
252KB

Download
memory/4976-82-0x0000000006000000-0x000000000603F000-memory.dmp

Filesize
252KB

Download
memory/4976-78-0x0000000006000000-0x000000000603F000-memory.dmp

Filesize
252KB

Download
memory/4976-76-0x0000000006000000-0x000000000603F000-memory.dmp

Filesize
252KB

Download
memory/4976-969-0x0000000006660000-0x0000000006C78000-memory.dmp

Filesize
6.1MB

Download
memory/4976-970-0x0000000006D00000-0x0000000006E0A000-memory.dmp

Filesize
1.0MB

Download
memory/4976-971-0x0000000006E40000-0x0000000006E52000-memory.dmp

Filesize
72KB

Download
memory/4976-972-0x0000000006E60000-0x0000000006E9C000-memory.dmp

Filesize
240KB

Download
memory/4976-973-0x0000000006FB0000-0x0000000006FFC000-memory.dmp

Filesize
304KB

Download