healer | fdee4771c45e840b3250ec197399bb32b9bfd9b42d45af11cb0bc4c5aca69276

Analysis

max time kernel
145s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2024 09:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fdee4771c45e840b3250ec197399bb32b9bfd9b42d45af11cb0bc4c5aca69276.exe
Size

685KB
MD5

57ec7ad57bc263bf7fa6639544ac19d5
SHA1

e1b1b2369394a7c233fa3e7c535e95d7ec97e022
SHA256

fdee4771c45e840b3250ec197399bb32b9bfd9b42d45af11cb0bc4c5aca69276
SHA512

7553c36b6953dd49714192bc3b4b9e0b32f2e623fe20f3056d2eb42080b9d30522002754749fd5b33edc93643a278c33e56b618a8f224ed8ef7ff6361f2c43c3
SSDEEP

12288:PMr+y90XFO5r7EOY1RGBG5O9854+I/wbyuDQzG2xXNLL3dsoU5Sr7Yk46jL:py6Fa701sX/GvDcPFmjSrf46X

Score

10^/10

healer redline diza norm discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

norm

77.91.124.145:4125

Attributes

auth_value
1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

diza

77.91.124.145:4125

Attributes

auth_value
bbab0d2f0ae4d4fdd6b17077d93b3e80

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr740490.exe	healer
behavioral1/memory/976-15-0x0000000000250000-0x000000000025A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

jr740490.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	jr740490.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	jr740490.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	jr740490.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	jr740490.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	jr740490.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	jr740490.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1956-2105-0x00000000029D0000-0x0000000002A02000-memory.dmp	family_redline
C:\Windows\Temp\1.exe	family_redline
behavioral1/memory/1688-2118-0x0000000000490000-0x00000000004C0000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr096053.exe	family_redline
behavioral1/memory/5788-2129-0x0000000000930000-0x000000000095E000-memory.dmp	family_redline

Redline family
redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ku766107.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	ku766107.exe

Executes dropped EXE 5 IoCs

Processes:

ziLS2134.exejr740490.exeku766107.exe1.exelr096053.exe

pid process

4036 ziLS2134.exe
976 jr740490.exe
1956 ku766107.exe
1688 1.exe
5788 lr096053.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

jr740490.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" jr740490.exe

pid	process
4036	ziLS2134.exe
976	jr740490.exe
1956	ku766107.exe
1688	1.exe
5788	lr096053.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	jr740490.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

fdee4771c45e840b3250ec197399bb32b9bfd9b42d45af11cb0bc4c5aca69276.exeziLS2134.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fdee4771c45e840b3250ec197399bb32b9bfd9b42d45af11cb0bc4c5aca69276.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ziLS2134.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5296 1956 WerFault.exe ku766107.exe

pid	pid_target	process	target process
5296	1956	WerFault.exe	ku766107.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

ziLS2134.exeku766107.exe1.exelr096053.exefdee4771c45e840b3250ec197399bb32b9bfd9b42d45af11cb0bc4c5aca69276.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ziLS2134.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ku766107.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lr096053.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fdee4771c45e840b3250ec197399bb32b9bfd9b42d45af11cb0bc4c5aca69276.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

jr740490.exe

pid process

976 jr740490.exe
976 jr740490.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

jr740490.exeku766107.exe

description pid process

Token: SeDebugPrivilege 976 jr740490.exe
Token: SeDebugPrivilege 1956 ku766107.exe

pid	process
976	jr740490.exe
976	jr740490.exe

description	pid	process
Token: SeDebugPrivilege	976	jr740490.exe
Token: SeDebugPrivilege	1956	ku766107.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

fdee4771c45e840b3250ec197399bb32b9bfd9b42d45af11cb0bc4c5aca69276.exeziLS2134.exeku766107.exe

description	pid	process	target process
PID 1444 wrote to memory of 4036	1444	fdee4771c45e840b3250ec197399bb32b9bfd9b42d45af11cb0bc4c5aca69276.exe	ziLS2134.exe
PID 1444 wrote to memory of 4036	1444	fdee4771c45e840b3250ec197399bb32b9bfd9b42d45af11cb0bc4c5aca69276.exe	ziLS2134.exe
PID 1444 wrote to memory of 4036	1444	fdee4771c45e840b3250ec197399bb32b9bfd9b42d45af11cb0bc4c5aca69276.exe	ziLS2134.exe
PID 4036 wrote to memory of 976	4036	ziLS2134.exe	jr740490.exe
PID 4036 wrote to memory of 976	4036	ziLS2134.exe	jr740490.exe
PID 4036 wrote to memory of 1956	4036	ziLS2134.exe	ku766107.exe
PID 4036 wrote to memory of 1956	4036	ziLS2134.exe	ku766107.exe
PID 4036 wrote to memory of 1956	4036	ziLS2134.exe	ku766107.exe
PID 1956 wrote to memory of 1688	1956	ku766107.exe	1.exe
PID 1956 wrote to memory of 1688	1956	ku766107.exe	1.exe
PID 1956 wrote to memory of 1688	1956	ku766107.exe	1.exe
PID 1444 wrote to memory of 5788	1444	fdee4771c45e840b3250ec197399bb32b9bfd9b42d45af11cb0bc4c5aca69276.exe	lr096053.exe
PID 1444 wrote to memory of 5788	1444	fdee4771c45e840b3250ec197399bb32b9bfd9b42d45af11cb0bc4c5aca69276.exe	lr096053.exe
PID 1444 wrote to memory of 5788	1444	fdee4771c45e840b3250ec197399bb32b9bfd9b42d45af11cb0bc4c5aca69276.exe	lr096053.exe

C:\Users\Admin\AppData\Local\Temp\fdee4771c45e840b3250ec197399bb32b9bfd9b42d45af11cb0bc4c5aca69276.exe
"C:\Users\Admin\AppData\Local\Temp\fdee4771c45e840b3250ec197399bb32b9bfd9b42d45af11cb0bc4c5aca69276.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1444

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziLS2134.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziLS2134.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4036

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr740490.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr740490.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:976

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku766107.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku766107.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 1540
4⤵
- Program crash
PID:5296

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr096053.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr096053.exe
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1956 -ip 1956
1⤵
PID:3968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr096053.exe

Filesize
169KB

MD5
d728a4a2a468aea18f3a77aa1794cd79

SHA1
a6be10bb86e91812d58d44c38233133117385bbd

SHA256
ce15d1ab81896558daa19f82638cdb8744634bd320beaafe501148afedcb8840

SHA512
fea810e143fc107ec3bc6e6c27f776e558a8a7ec486194e817ed58f2b581e48a52c5cd6d132c5467517e3025db267a8396dbaa9f66e770c1f04e02f6485a8e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziLS2134.exe

Filesize
530KB

MD5
c24bd9ff547aed61a705a568f6b290ba

SHA1
208347e9eaf0e84235f97be88b466ec5ba8395c8

SHA256
4d8b534f66e2ba3a21484774d58544cff9565496c43a60b513f5704b962b6b2c

SHA512
71da2682ecceb16ee207e79546492d96d9c77c28bce1827455f9001ad5908712d211ed2de8f20dc6ade60989278219e008d10fb8dfbd9db1d893dd5558abc362

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr740490.exe

Filesize
12KB

MD5
fc56636fddc5c673739b0cf925673a16

SHA1
28d53d1d3dd551259d8282ccc77be730e5e606a9

SHA256
d5e4e1d81dbf406aa88340e79ff7f26e0025de877349a1e76e4423c78db6172f

SHA512
d812af388946cc2cc90afb75877ae5b50586de452e0161556fcb1dee8cd90417616c0a491cfc38fcbc02bd51ca0db16d73146d31dd322a10a5284569d01a537f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku766107.exe

Filesize
495KB

MD5
82b0cd5b1eb1d71a070b2ecbfaa50418

SHA1
42b44e066d085173af5ebffa5e55b2bad7a5d987

SHA256
e6ca3f8960401da537e2a5c9c7fdbc13744fe4c9da925ae8e6798cf021cf9f68

SHA512
29ea8138b0e7b462bfba3a817a212da7313a5f0b01a25dc054c0b29beb65ae3b8f7b9c8ef3e0c87bc69a26f481903413c1a9d422439fc77468818a1dfb549b46

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1073b2e7f778788852d3f7bb79929882

SHA1
7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

SHA256
c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

SHA512
90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

Download Submit
memory/976-17-0x00007FF9DC1E3000-0x00007FF9DC1E5000-memory.dmp

Filesize
8KB

Download
memory/976-15-0x0000000000250000-0x000000000025A000-memory.dmp

Filesize
40KB

Download
memory/976-14-0x00007FF9DC1E3000-0x00007FF9DC1E5000-memory.dmp

Filesize
8KB

Download
memory/1688-2118-0x0000000000490000-0x00000000004C0000-memory.dmp

Filesize
192KB

Download
memory/1688-2119-0x00000000024F0000-0x00000000024F6000-memory.dmp

Filesize
24KB

Download
memory/1688-2120-0x0000000005450000-0x0000000005A68000-memory.dmp

Filesize
6.1MB

Download
memory/1688-2124-0x0000000004EC0000-0x0000000004F0C000-memory.dmp

Filesize
304KB

Download
memory/1688-2123-0x0000000004E70000-0x0000000004EAC000-memory.dmp

Filesize
240KB

Download
memory/1688-2122-0x0000000004E00000-0x0000000004E12000-memory.dmp

Filesize
72KB

Download
memory/1688-2121-0x0000000004F40000-0x000000000504A000-memory.dmp

Filesize
1.0MB

Download
memory/1956-64-0x0000000002910000-0x000000000296F000-memory.dmp

Filesize
380KB

Download
memory/1956-44-0x0000000002910000-0x000000000296F000-memory.dmp

Filesize
380KB

Download
memory/1956-82-0x0000000002910000-0x000000000296F000-memory.dmp

Filesize
380KB

Download
memory/1956-80-0x0000000002910000-0x000000000296F000-memory.dmp

Filesize
380KB

Download
memory/1956-78-0x0000000002910000-0x000000000296F000-memory.dmp

Filesize
380KB

Download
memory/1956-76-0x0000000002910000-0x000000000296F000-memory.dmp

Filesize
380KB

Download
memory/1956-74-0x0000000002910000-0x000000000296F000-memory.dmp

Filesize
380KB

Download
memory/1956-72-0x0000000002910000-0x000000000296F000-memory.dmp

Filesize
380KB

Download
memory/1956-70-0x0000000002910000-0x000000000296F000-memory.dmp

Filesize
380KB

Download
memory/1956-68-0x0000000002910000-0x000000000296F000-memory.dmp

Filesize
380KB

Download
memory/1956-66-0x0000000002910000-0x000000000296F000-memory.dmp

Filesize
380KB

Download
memory/1956-88-0x0000000002910000-0x000000000296F000-memory.dmp

Filesize
380KB

Download
memory/1956-60-0x0000000002910000-0x000000000296F000-memory.dmp

Filesize
380KB

Download
memory/1956-58-0x0000000002910000-0x000000000296F000-memory.dmp

Filesize
380KB

Download
memory/1956-56-0x0000000002910000-0x000000000296F000-memory.dmp

Filesize
380KB

Download
memory/1956-54-0x0000000002910000-0x000000000296F000-memory.dmp

Filesize
380KB

Download
memory/1956-52-0x0000000002910000-0x000000000296F000-memory.dmp

Filesize
380KB

Download
memory/1956-50-0x0000000002910000-0x000000000296F000-memory.dmp

Filesize
380KB

Download
memory/1956-48-0x0000000002910000-0x000000000296F000-memory.dmp

Filesize
380KB

Download
memory/1956-86-0x0000000002910000-0x000000000296F000-memory.dmp

Filesize
380KB

Download
memory/1956-40-0x0000000002910000-0x000000000296F000-memory.dmp

Filesize
380KB

Download
memory/1956-38-0x0000000002910000-0x000000000296F000-memory.dmp

Filesize
380KB

Download
memory/1956-37-0x0000000002910000-0x000000000296F000-memory.dmp

Filesize
380KB

Download
memory/1956-34-0x0000000002910000-0x000000000296F000-memory.dmp

Filesize
380KB

Download
memory/1956-32-0x0000000002910000-0x000000000296F000-memory.dmp

Filesize
380KB

Download
memory/1956-84-0x0000000002910000-0x000000000296F000-memory.dmp

Filesize
380KB

Download
memory/1956-62-0x0000000002910000-0x000000000296F000-memory.dmp

Filesize
380KB

Download
memory/1956-46-0x0000000002910000-0x000000000296F000-memory.dmp

Filesize
380KB

Download
memory/1956-42-0x0000000002910000-0x000000000296F000-memory.dmp

Filesize
380KB

Download
memory/1956-30-0x0000000002910000-0x000000000296F000-memory.dmp

Filesize
380KB

Download
memory/1956-24-0x0000000002910000-0x0000000002976000-memory.dmp

Filesize
408KB

Download
memory/1956-23-0x0000000005090000-0x0000000005634000-memory.dmp

Filesize
5.6MB

Download
memory/1956-22-0x0000000002740000-0x00000000027A6000-memory.dmp

Filesize
408KB

Download
memory/1956-28-0x0000000002910000-0x000000000296F000-memory.dmp

Filesize
380KB

Download
memory/1956-26-0x0000000002910000-0x000000000296F000-memory.dmp

Filesize
380KB

Download
memory/1956-25-0x0000000002910000-0x000000000296F000-memory.dmp

Filesize
380KB

Download
memory/1956-2105-0x00000000029D0000-0x0000000002A02000-memory.dmp

Filesize
200KB

Download
memory/5788-2129-0x0000000000930000-0x000000000095E000-memory.dmp

Filesize
184KB

Download
memory/5788-2130-0x0000000002C00000-0x0000000002C06000-memory.dmp

Filesize
24KB

Download