healer | 501c37190eea6726ec02efaff84269a1af838c6fced1089f361a01be386ded70

Analysis

max time kernel
143s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2024 12:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

501c37190eea6726ec02efaff84269a1af838c6fced1089f361a01be386ded70.exe
Size

521KB
MD5

90782a3f887582202f3418c5a60a2c70
SHA1

3fb7420d78dfed9819dbd98527a3130a206ae937
SHA256

501c37190eea6726ec02efaff84269a1af838c6fced1089f361a01be386ded70
SHA512

cdfa2705b46f27ddb86ff89c1222d4e72c9e2f193e48ef95ba8acc8c34d729bea64cfb1563d208f48926d59f2129fd343525e67cccfddb310035ca4cb521883a
SSDEEP

12288:tMrsy90Bi8USGftu6pS3EF3itvZsfrLiCAJfESqemT:ByTSGFu643Jthsf6CARE5e2

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr778374.exe	healer
behavioral1/memory/3376-15-0x00000000003D0000-0x00000000003DA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

jr778374.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	jr778374.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	jr778374.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	jr778374.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	jr778374.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	jr778374.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	jr778374.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

Processes:

resource	yara_rule
behavioral1/memory/452-22-0x0000000002480000-0x00000000024C6000-memory.dmp	family_redline
behavioral1/memory/452-24-0x0000000002640000-0x0000000002684000-memory.dmp	family_redline
behavioral1/memory/452-56-0x0000000002640000-0x000000000267F000-memory.dmp	family_redline
behavioral1/memory/452-80-0x0000000002640000-0x000000000267F000-memory.dmp	family_redline
behavioral1/memory/452-88-0x0000000002640000-0x000000000267F000-memory.dmp	family_redline
behavioral1/memory/452-86-0x0000000002640000-0x000000000267F000-memory.dmp	family_redline
behavioral1/memory/452-84-0x0000000002640000-0x000000000267F000-memory.dmp	family_redline
behavioral1/memory/452-82-0x0000000002640000-0x000000000267F000-memory.dmp	family_redline
behavioral1/memory/452-78-0x0000000002640000-0x000000000267F000-memory.dmp	family_redline
behavioral1/memory/452-76-0x0000000002640000-0x000000000267F000-memory.dmp	family_redline
behavioral1/memory/452-74-0x0000000002640000-0x000000000267F000-memory.dmp	family_redline
behavioral1/memory/452-72-0x0000000002640000-0x000000000267F000-memory.dmp	family_redline
behavioral1/memory/452-70-0x0000000002640000-0x000000000267F000-memory.dmp	family_redline
behavioral1/memory/452-68-0x0000000002640000-0x000000000267F000-memory.dmp	family_redline
behavioral1/memory/452-66-0x0000000002640000-0x000000000267F000-memory.dmp	family_redline
behavioral1/memory/452-64-0x0000000002640000-0x000000000267F000-memory.dmp	family_redline
behavioral1/memory/452-62-0x0000000002640000-0x000000000267F000-memory.dmp	family_redline
behavioral1/memory/452-60-0x0000000002640000-0x000000000267F000-memory.dmp	family_redline
behavioral1/memory/452-58-0x0000000002640000-0x000000000267F000-memory.dmp	family_redline
behavioral1/memory/452-54-0x0000000002640000-0x000000000267F000-memory.dmp	family_redline
behavioral1/memory/452-52-0x0000000002640000-0x000000000267F000-memory.dmp	family_redline
behavioral1/memory/452-50-0x0000000002640000-0x000000000267F000-memory.dmp	family_redline
behavioral1/memory/452-48-0x0000000002640000-0x000000000267F000-memory.dmp	family_redline
behavioral1/memory/452-46-0x0000000002640000-0x000000000267F000-memory.dmp	family_redline
behavioral1/memory/452-42-0x0000000002640000-0x000000000267F000-memory.dmp	family_redline
behavioral1/memory/452-40-0x0000000002640000-0x000000000267F000-memory.dmp	family_redline
behavioral1/memory/452-38-0x0000000002640000-0x000000000267F000-memory.dmp	family_redline
behavioral1/memory/452-36-0x0000000002640000-0x000000000267F000-memory.dmp	family_redline
behavioral1/memory/452-34-0x0000000002640000-0x000000000267F000-memory.dmp	family_redline
behavioral1/memory/452-30-0x0000000002640000-0x000000000267F000-memory.dmp	family_redline
behavioral1/memory/452-44-0x0000000002640000-0x000000000267F000-memory.dmp	family_redline
behavioral1/memory/452-32-0x0000000002640000-0x000000000267F000-memory.dmp	family_redline
behavioral1/memory/452-28-0x0000000002640000-0x000000000267F000-memory.dmp	family_redline
behavioral1/memory/452-26-0x0000000002640000-0x000000000267F000-memory.dmp	family_redline
behavioral1/memory/452-25-0x0000000002640000-0x000000000267F000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

zigP8965.exejr778374.exeku715916.exe

pid process

4404 zigP8965.exe
3376 jr778374.exe
452 ku715916.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

jr778374.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" jr778374.exe

pid	process
4404	zigP8965.exe
3376	jr778374.exe
452	ku715916.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	jr778374.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

zigP8965.exe501c37190eea6726ec02efaff84269a1af838c6fced1089f361a01be386ded70.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zigP8965.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	501c37190eea6726ec02efaff84269a1af838c6fced1089f361a01be386ded70.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

5624 sc.exe

pid	process
5624	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

501c37190eea6726ec02efaff84269a1af838c6fced1089f361a01be386ded70.exezigP8965.exeku715916.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	501c37190eea6726ec02efaff84269a1af838c6fced1089f361a01be386ded70.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zigP8965.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ku715916.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

jr778374.exe

pid process

3376 jr778374.exe
3376 jr778374.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

jr778374.exeku715916.exe

description pid process

Token: SeDebugPrivilege 3376 jr778374.exe
Token: SeDebugPrivilege 452 ku715916.exe

pid	process
3376	jr778374.exe
3376	jr778374.exe

description	pid	process
Token: SeDebugPrivilege	3376	jr778374.exe
Token: SeDebugPrivilege	452	ku715916.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

501c37190eea6726ec02efaff84269a1af838c6fced1089f361a01be386ded70.exezigP8965.exe

description	pid	process	target process
PID 4904 wrote to memory of 4404	4904	501c37190eea6726ec02efaff84269a1af838c6fced1089f361a01be386ded70.exe	zigP8965.exe
PID 4904 wrote to memory of 4404	4904	501c37190eea6726ec02efaff84269a1af838c6fced1089f361a01be386ded70.exe	zigP8965.exe
PID 4904 wrote to memory of 4404	4904	501c37190eea6726ec02efaff84269a1af838c6fced1089f361a01be386ded70.exe	zigP8965.exe
PID 4404 wrote to memory of 3376	4404	zigP8965.exe	jr778374.exe
PID 4404 wrote to memory of 3376	4404	zigP8965.exe	jr778374.exe
PID 4404 wrote to memory of 452	4404	zigP8965.exe	ku715916.exe
PID 4404 wrote to memory of 452	4404	zigP8965.exe	ku715916.exe
PID 4404 wrote to memory of 452	4404	zigP8965.exe	ku715916.exe

C:\Users\Admin\AppData\Local\Temp\501c37190eea6726ec02efaff84269a1af838c6fced1089f361a01be386ded70.exe
"C:\Users\Admin\AppData\Local\Temp\501c37190eea6726ec02efaff84269a1af838c6fced1089f361a01be386ded70.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4904

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zigP8965.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zigP8965.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4404

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr778374.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr778374.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3376

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku715916.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku715916.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:452

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:5624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zigP8965.exe

Filesize
379KB

MD5
e379aed32b2b9ba2a79a298c1d8675a1

SHA1
774efcdac3652809ef2fd029da889cf553aebfe6

SHA256
f472d44be176a9290eb63eb899051264c532977966b13ec2fd5e9cdbab4415a3

SHA512
9a68b7974a84cd1143bef4ff863deaca23fe800f0d4a64dd6bf3a7df9c85c1cc988bf94d4a9e3a58b13840354e554e60b648ad09e896ddcae1226ba085d34a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr778374.exe

Filesize
15KB

MD5
a5755cca0f4eb44beec742c32d9e9f7f

SHA1
e2a4a88cecd700764ad76f255d443877b4160d21

SHA256
33c81cba1f9e003e2421990425161514bbeebf8f6109d0f51fa356265396a1c4

SHA512
319a50cad46553ea16e7dab22ab215256d62998de15a626ea3a6654cc103610a34c8e9a94af96b13e35d55a289c179723cb9680377ce1da6ae1fac906863fe9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku715916.exe

Filesize
295KB

MD5
e4d5cba4996af25e05ea8aae1eb79bff

SHA1
5537936a1717ec029c5306aa11b84583383a57e9

SHA256
27c4ce3523d3b451a254937fa432ddf53d8c634cd91fd6b715a39352700b37a7

SHA512
c2578ab8f29ff80c13fef123dcd96097b5a17c7dae0540744078e665fc7cde1a9f3c16130948cb7b95dfa3455bfbbe42c1d50f1e4105a836f23d87c1432f3f67

Download Submit
memory/452-64-0x0000000002640000-0x000000000267F000-memory.dmp

Filesize
252KB

Download
memory/452-22-0x0000000002480000-0x00000000024C6000-memory.dmp

Filesize
280KB

Download
memory/452-935-0x0000000005A40000-0x0000000005A8C000-memory.dmp

Filesize
304KB

Download
memory/452-60-0x0000000002640000-0x000000000267F000-memory.dmp

Filesize
252KB

Download
memory/452-23-0x0000000004D20000-0x00000000052C4000-memory.dmp

Filesize
5.6MB

Download
memory/452-24-0x0000000002640000-0x0000000002684000-memory.dmp

Filesize
272KB

Download
memory/452-56-0x0000000002640000-0x000000000267F000-memory.dmp

Filesize
252KB

Download
memory/452-80-0x0000000002640000-0x000000000267F000-memory.dmp

Filesize
252KB

Download
memory/452-88-0x0000000002640000-0x000000000267F000-memory.dmp

Filesize
252KB

Download
memory/452-86-0x0000000002640000-0x000000000267F000-memory.dmp

Filesize
252KB

Download
memory/452-62-0x0000000002640000-0x000000000267F000-memory.dmp

Filesize
252KB

Download
memory/452-82-0x0000000002640000-0x000000000267F000-memory.dmp

Filesize
252KB

Download
memory/452-58-0x0000000002640000-0x000000000267F000-memory.dmp

Filesize
252KB

Download
memory/452-76-0x0000000002640000-0x000000000267F000-memory.dmp

Filesize
252KB

Download
memory/452-74-0x0000000002640000-0x000000000267F000-memory.dmp

Filesize
252KB

Download
memory/452-72-0x0000000002640000-0x000000000267F000-memory.dmp

Filesize
252KB

Download
memory/452-70-0x0000000002640000-0x000000000267F000-memory.dmp

Filesize
252KB

Download
memory/452-68-0x0000000002640000-0x000000000267F000-memory.dmp

Filesize
252KB

Download
memory/452-66-0x0000000002640000-0x000000000267F000-memory.dmp

Filesize
252KB

Download
memory/452-934-0x00000000058F0000-0x000000000592C000-memory.dmp

Filesize
240KB

Download
memory/452-84-0x0000000002640000-0x000000000267F000-memory.dmp

Filesize
252KB

Download
memory/452-933-0x0000000004CF0000-0x0000000004D02000-memory.dmp

Filesize
72KB

Download
memory/452-78-0x0000000002640000-0x000000000267F000-memory.dmp

Filesize
252KB

Download
memory/452-54-0x0000000002640000-0x000000000267F000-memory.dmp

Filesize
252KB

Download
memory/452-52-0x0000000002640000-0x000000000267F000-memory.dmp

Filesize
252KB

Download
memory/452-50-0x0000000002640000-0x000000000267F000-memory.dmp

Filesize
252KB

Download
memory/452-48-0x0000000002640000-0x000000000267F000-memory.dmp

Filesize
252KB

Download
memory/452-46-0x0000000002640000-0x000000000267F000-memory.dmp

Filesize
252KB

Download
memory/452-42-0x0000000002640000-0x000000000267F000-memory.dmp

Filesize
252KB

Download
memory/452-40-0x0000000002640000-0x000000000267F000-memory.dmp

Filesize
252KB

Download
memory/452-38-0x0000000002640000-0x000000000267F000-memory.dmp

Filesize
252KB

Download
memory/452-36-0x0000000002640000-0x000000000267F000-memory.dmp

Filesize
252KB

Download
memory/452-34-0x0000000002640000-0x000000000267F000-memory.dmp

Filesize
252KB

Download
memory/452-30-0x0000000002640000-0x000000000267F000-memory.dmp

Filesize
252KB

Download
memory/452-44-0x0000000002640000-0x000000000267F000-memory.dmp

Filesize
252KB

Download
memory/452-32-0x0000000002640000-0x000000000267F000-memory.dmp

Filesize
252KB

Download
memory/452-28-0x0000000002640000-0x000000000267F000-memory.dmp

Filesize
252KB

Download
memory/452-26-0x0000000002640000-0x000000000267F000-memory.dmp

Filesize
252KB

Download
memory/452-25-0x0000000002640000-0x000000000267F000-memory.dmp

Filesize
252KB

Download
memory/452-931-0x00000000052D0000-0x00000000058E8000-memory.dmp

Filesize
6.1MB

Download
memory/452-932-0x0000000004BB0000-0x0000000004CBA000-memory.dmp

Filesize
1.0MB

Download
memory/3376-16-0x00007FFE2DBC3000-0x00007FFE2DBC5000-memory.dmp

Filesize
8KB

Download
memory/3376-14-0x00007FFE2DBC3000-0x00007FFE2DBC5000-memory.dmp

Filesize
8KB

Download
memory/3376-15-0x00000000003D0000-0x00000000003DA000-memory.dmp

Filesize
40KB

Download