healer | 9d141e3a2812861f6d0f3ab8746af1078464ecf0b0859b406f6c3a74ce93051a

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2024 08:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d141e3a2812861f6d0f3ab8746af1078464ecf0b0859b406f6c3a74ce93051a.exe
Size

683KB
MD5

179496f6bf718c1fd78dca23686929d5
SHA1

3c22ba99b6230f290f454fc53e11460be88d2b98
SHA256

9d141e3a2812861f6d0f3ab8746af1078464ecf0b0859b406f6c3a74ce93051a
SHA512

0ddf8883140bc0c40af0e5c8823662b6a6f641db3607ea09bcdefce3da09a02adcce5b7f1db0e13219f759bebf33252ae623f30d81993d5e913830321880b398
SSDEEP

12288:zMrty90fpXGvpMAhS6UfGDju1rfK2EY0gNaKLxRRg3PrR4bW6OTnOyXs:qyGepMAhnUfYjUDuKLxRATCCNs

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4080-18-0x0000000004830000-0x000000000484A000-memory.dmp	healer
behavioral1/memory/4080-20-0x00000000076D0000-0x00000000076E8000-memory.dmp	healer
behavioral1/memory/4080-21-0x00000000076D0000-0x00000000076E2000-memory.dmp	healer
behavioral1/memory/4080-48-0x00000000076D0000-0x00000000076E2000-memory.dmp	healer
behavioral1/memory/4080-46-0x00000000076D0000-0x00000000076E2000-memory.dmp	healer
behavioral1/memory/4080-44-0x00000000076D0000-0x00000000076E2000-memory.dmp	healer
behavioral1/memory/4080-42-0x00000000076D0000-0x00000000076E2000-memory.dmp	healer
behavioral1/memory/4080-40-0x00000000076D0000-0x00000000076E2000-memory.dmp	healer
behavioral1/memory/4080-38-0x00000000076D0000-0x00000000076E2000-memory.dmp	healer
behavioral1/memory/4080-36-0x00000000076D0000-0x00000000076E2000-memory.dmp	healer
behavioral1/memory/4080-34-0x00000000076D0000-0x00000000076E2000-memory.dmp	healer
behavioral1/memory/4080-33-0x00000000076D0000-0x00000000076E2000-memory.dmp	healer
behavioral1/memory/4080-30-0x00000000076D0000-0x00000000076E2000-memory.dmp	healer
behavioral1/memory/4080-28-0x00000000076D0000-0x00000000076E2000-memory.dmp	healer
behavioral1/memory/4080-26-0x00000000076D0000-0x00000000076E2000-memory.dmp	healer
behavioral1/memory/4080-24-0x00000000076D0000-0x00000000076E2000-memory.dmp	healer
behavioral1/memory/4080-22-0x00000000076D0000-0x00000000076E2000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

pro7667.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro7667.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro7667.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro7667.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro7667.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro7667.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro7667.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1608-60-0x0000000004960000-0x00000000049A6000-memory.dmp	family_redline
behavioral1/memory/1608-61-0x0000000004D20000-0x0000000004D64000-memory.dmp	family_redline
behavioral1/memory/1608-92-0x0000000004D20000-0x0000000004D5F000-memory.dmp	family_redline
behavioral1/memory/1608-95-0x0000000004D20000-0x0000000004D5F000-memory.dmp	family_redline
behavioral1/memory/1608-93-0x0000000004D20000-0x0000000004D5F000-memory.dmp	family_redline
behavioral1/memory/1608-89-0x0000000004D20000-0x0000000004D5F000-memory.dmp	family_redline
behavioral1/memory/1608-87-0x0000000004D20000-0x0000000004D5F000-memory.dmp	family_redline
behavioral1/memory/1608-85-0x0000000004D20000-0x0000000004D5F000-memory.dmp	family_redline
behavioral1/memory/1608-83-0x0000000004D20000-0x0000000004D5F000-memory.dmp	family_redline
behavioral1/memory/1608-81-0x0000000004D20000-0x0000000004D5F000-memory.dmp	family_redline
behavioral1/memory/1608-79-0x0000000004D20000-0x0000000004D5F000-memory.dmp	family_redline
behavioral1/memory/1608-77-0x0000000004D20000-0x0000000004D5F000-memory.dmp	family_redline
behavioral1/memory/1608-75-0x0000000004D20000-0x0000000004D5F000-memory.dmp	family_redline
behavioral1/memory/1608-73-0x0000000004D20000-0x0000000004D5F000-memory.dmp	family_redline
behavioral1/memory/1608-71-0x0000000004D20000-0x0000000004D5F000-memory.dmp	family_redline
behavioral1/memory/1608-67-0x0000000004D20000-0x0000000004D5F000-memory.dmp	family_redline
behavioral1/memory/1608-65-0x0000000004D20000-0x0000000004D5F000-memory.dmp	family_redline
behavioral1/memory/1608-69-0x0000000004D20000-0x0000000004D5F000-memory.dmp	family_redline
behavioral1/memory/1608-63-0x0000000004D20000-0x0000000004D5F000-memory.dmp	family_redline
behavioral1/memory/1608-62-0x0000000004D20000-0x0000000004D5F000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

un671056.exepro7667.exequ3599.exe

pid process

3508 un671056.exe
4080 pro7667.exe
1608 qu3599.exe

pid	process
3508	un671056.exe
4080	pro7667.exe
1608	qu3599.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

pro7667.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro7667.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro7667.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

9d141e3a2812861f6d0f3ab8746af1078464ecf0b0859b406f6c3a74ce93051a.exeun671056.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9d141e3a2812861f6d0f3ab8746af1078464ecf0b0859b406f6c3a74ce93051a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un671056.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1844 4080 WerFault.exe pro7667.exe

pid	pid_target	process	target process
1844	4080	WerFault.exe	pro7667.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

9d141e3a2812861f6d0f3ab8746af1078464ecf0b0859b406f6c3a74ce93051a.exeun671056.exepro7667.exequ3599.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9d141e3a2812861f6d0f3ab8746af1078464ecf0b0859b406f6c3a74ce93051a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un671056.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pro7667.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu3599.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pro7667.exe

pid process

4080 pro7667.exe
4080 pro7667.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pro7667.exequ3599.exe

description pid process

Token: SeDebugPrivilege 4080 pro7667.exe
Token: SeDebugPrivilege 1608 qu3599.exe

pid	process
4080	pro7667.exe
4080	pro7667.exe

description	pid	process
Token: SeDebugPrivilege	4080	pro7667.exe
Token: SeDebugPrivilege	1608	qu3599.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

9d141e3a2812861f6d0f3ab8746af1078464ecf0b0859b406f6c3a74ce93051a.exeun671056.exe

description	pid	process	target process
PID 5020 wrote to memory of 3508	5020	9d141e3a2812861f6d0f3ab8746af1078464ecf0b0859b406f6c3a74ce93051a.exe	un671056.exe
PID 5020 wrote to memory of 3508	5020	9d141e3a2812861f6d0f3ab8746af1078464ecf0b0859b406f6c3a74ce93051a.exe	un671056.exe
PID 5020 wrote to memory of 3508	5020	9d141e3a2812861f6d0f3ab8746af1078464ecf0b0859b406f6c3a74ce93051a.exe	un671056.exe
PID 3508 wrote to memory of 4080	3508	un671056.exe	pro7667.exe
PID 3508 wrote to memory of 4080	3508	un671056.exe	pro7667.exe
PID 3508 wrote to memory of 4080	3508	un671056.exe	pro7667.exe
PID 3508 wrote to memory of 1608	3508	un671056.exe	qu3599.exe
PID 3508 wrote to memory of 1608	3508	un671056.exe	qu3599.exe
PID 3508 wrote to memory of 1608	3508	un671056.exe	qu3599.exe

C:\Users\Admin\AppData\Local\Temp\9d141e3a2812861f6d0f3ab8746af1078464ecf0b0859b406f6c3a74ce93051a.exe
"C:\Users\Admin\AppData\Local\Temp\9d141e3a2812861f6d0f3ab8746af1078464ecf0b0859b406f6c3a74ce93051a.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5020

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un671056.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un671056.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3508

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7667.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7667.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1080
4⤵
- Program crash
PID:1844

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3599.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3599.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4080 -ip 4080
1⤵
PID:1148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un671056.exe

Filesize
541KB

MD5
011aa4e83ebaaaf0466ee6853ba947b2

SHA1
cd42f1f74b6e108465c7dae35b1f3974b0e935de

SHA256
a649b878fe510aa9359129b218e41ab6c80b174f92f7a6616638a37980686f9f

SHA512
614f5ee2bdb053b7dd3be4be0db29b97555c0815450bdf8ffaf4455a42954c2e6133428428aa1e4b4b6352d05036b7901a6bcb332aeadd4cb66413b5364d28e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7667.exe

Filesize
322KB

MD5
68ae9285487a0d47fa0f5f55ccabe50a

SHA1
a3e5f837c518b3a865b5680411babc435dd0b12a

SHA256
dc36e162e0b2c9f1633c0b5b9ed456159ce35949700df419e72e05d346d56221

SHA512
a5b2c2eb02427ec9e7b20763cba7403a98794b4acce49278a716a90e928ff4c7726aaf0eed373f3108948a5a5202fb6e1c66a6917d5b89fecf110a651a790235

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3599.exe

Filesize
379KB

MD5
e7f4711115b12911621bae1dd8f196ad

SHA1
62f5682fe9b015a0c3daf33bf4cc3e2f75b7373f

SHA256
7ffe42c50ed6fce1454cda1bbaca8de887287bdaa4932713b76a9e05ec607d6a

SHA512
6c25dae3081067357cddd4f7f2643060515655deed11213f419a1fb6b08005e59c4d1360b018a0befde74a3ba88e450dc5b1b5e3a251d234e3697b31f744d420

Download Submit
memory/1608-73-0x0000000004D20000-0x0000000004D5F000-memory.dmp

Filesize
252KB

Download
memory/1608-77-0x0000000004D20000-0x0000000004D5F000-memory.dmp

Filesize
252KB

Download
memory/1608-969-0x0000000007FA0000-0x00000000080AA000-memory.dmp

Filesize
1.0MB

Download
memory/1608-968-0x0000000007900000-0x0000000007F18000-memory.dmp

Filesize
6.1MB

Download
memory/1608-62-0x0000000004D20000-0x0000000004D5F000-memory.dmp

Filesize
252KB

Download
memory/1608-63-0x0000000004D20000-0x0000000004D5F000-memory.dmp

Filesize
252KB

Download
memory/1608-69-0x0000000004D20000-0x0000000004D5F000-memory.dmp

Filesize
252KB

Download
memory/1608-65-0x0000000004D20000-0x0000000004D5F000-memory.dmp

Filesize
252KB

Download
memory/1608-67-0x0000000004D20000-0x0000000004D5F000-memory.dmp

Filesize
252KB

Download
memory/1608-71-0x0000000004D20000-0x0000000004D5F000-memory.dmp

Filesize
252KB

Download
memory/1608-971-0x0000000008100000-0x000000000813C000-memory.dmp

Filesize
240KB

Download
memory/1608-972-0x0000000008250000-0x000000000829C000-memory.dmp

Filesize
304KB

Download
memory/1608-75-0x0000000004D20000-0x0000000004D5F000-memory.dmp

Filesize
252KB

Download
memory/1608-970-0x00000000080E0000-0x00000000080F2000-memory.dmp

Filesize
72KB

Download
memory/1608-79-0x0000000004D20000-0x0000000004D5F000-memory.dmp

Filesize
252KB

Download
memory/1608-81-0x0000000004D20000-0x0000000004D5F000-memory.dmp

Filesize
252KB

Download
memory/1608-83-0x0000000004D20000-0x0000000004D5F000-memory.dmp

Filesize
252KB

Download
memory/1608-85-0x0000000004D20000-0x0000000004D5F000-memory.dmp

Filesize
252KB

Download
memory/1608-87-0x0000000004D20000-0x0000000004D5F000-memory.dmp

Filesize
252KB

Download
memory/1608-89-0x0000000004D20000-0x0000000004D5F000-memory.dmp

Filesize
252KB

Download
memory/1608-93-0x0000000004D20000-0x0000000004D5F000-memory.dmp

Filesize
252KB

Download
memory/1608-95-0x0000000004D20000-0x0000000004D5F000-memory.dmp

Filesize
252KB

Download
memory/1608-92-0x0000000004D20000-0x0000000004D5F000-memory.dmp

Filesize
252KB

Download
memory/1608-61-0x0000000004D20000-0x0000000004D64000-memory.dmp

Filesize
272KB

Download
memory/1608-60-0x0000000004960000-0x00000000049A6000-memory.dmp

Filesize
280KB

Download
memory/4080-40-0x00000000076D0000-0x00000000076E2000-memory.dmp

Filesize
72KB

Download
memory/4080-54-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/4080-55-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4080-51-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/4080-52-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4080-50-0x0000000002C50000-0x0000000002C7D000-memory.dmp

Filesize
180KB

Download
memory/4080-49-0x0000000002D30000-0x0000000002E30000-memory.dmp

Filesize
1024KB

Download
memory/4080-22-0x00000000076D0000-0x00000000076E2000-memory.dmp

Filesize
72KB

Download
memory/4080-24-0x00000000076D0000-0x00000000076E2000-memory.dmp

Filesize
72KB

Download
memory/4080-26-0x00000000076D0000-0x00000000076E2000-memory.dmp

Filesize
72KB

Download
memory/4080-28-0x00000000076D0000-0x00000000076E2000-memory.dmp

Filesize
72KB

Download
memory/4080-30-0x00000000076D0000-0x00000000076E2000-memory.dmp

Filesize
72KB

Download
memory/4080-33-0x00000000076D0000-0x00000000076E2000-memory.dmp

Filesize
72KB

Download
memory/4080-34-0x00000000076D0000-0x00000000076E2000-memory.dmp

Filesize
72KB

Download
memory/4080-36-0x00000000076D0000-0x00000000076E2000-memory.dmp

Filesize
72KB

Download
memory/4080-38-0x00000000076D0000-0x00000000076E2000-memory.dmp

Filesize
72KB

Download
memory/4080-42-0x00000000076D0000-0x00000000076E2000-memory.dmp

Filesize
72KB

Download
memory/4080-44-0x00000000076D0000-0x00000000076E2000-memory.dmp

Filesize
72KB

Download
memory/4080-46-0x00000000076D0000-0x00000000076E2000-memory.dmp

Filesize
72KB

Download
memory/4080-48-0x00000000076D0000-0x00000000076E2000-memory.dmp

Filesize
72KB

Download
memory/4080-21-0x00000000076D0000-0x00000000076E2000-memory.dmp

Filesize
72KB

Download
memory/4080-20-0x00000000076D0000-0x00000000076E8000-memory.dmp

Filesize
96KB

Download
memory/4080-19-0x00000000070C0000-0x0000000007664000-memory.dmp

Filesize
5.6MB

Download
memory/4080-18-0x0000000004830000-0x000000000484A000-memory.dmp

Filesize
104KB

Download
memory/4080-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4080-16-0x0000000002C50000-0x0000000002C7D000-memory.dmp

Filesize
180KB

Download
memory/4080-15-0x0000000002D30000-0x0000000002E30000-memory.dmp

Filesize
1024KB

Download