healer | 76505f6f14a51d19846833f3d4d3d2e3d3dd179326256ce8e246c5e6010239e1

Analysis

max time kernel
144s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2024 13:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76505f6f14a51d19846833f3d4d3d2e3d3dd179326256ce8e246c5e6010239e1.exe
Size

560KB
MD5

8850acafdd23444b7546d3c7464a1f52
SHA1

ef642c19dd01d2e35e93d078e6cf325807676dce
SHA256

76505f6f14a51d19846833f3d4d3d2e3d3dd179326256ce8e246c5e6010239e1
SHA512

6a7b3736544e42e7b180d32d64c3912c7c0d9c53ed76c395b288f9685fec6a2c6095783cfbfc52684498b9776fca14482923dd19578625ec27564c55b209d0a4
SSDEEP

12288:bMr4y90lroyshJ4ccyN5O3QZesZYX2USRlcgI:PymjshJ43yPYOeZGRlc7

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr942327.exe	healer
behavioral1/memory/1596-15-0x0000000000950000-0x000000000095A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

jr942327.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	jr942327.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	jr942327.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	jr942327.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	jr942327.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	jr942327.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	jr942327.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3920-22-0x0000000004D80000-0x0000000004DC6000-memory.dmp	family_redline
behavioral1/memory/3920-24-0x0000000005420000-0x0000000005464000-memory.dmp	family_redline
behavioral1/memory/3920-76-0x0000000005420000-0x000000000545F000-memory.dmp	family_redline
behavioral1/memory/3920-88-0x0000000005420000-0x000000000545F000-memory.dmp	family_redline
behavioral1/memory/3920-86-0x0000000005420000-0x000000000545F000-memory.dmp	family_redline
behavioral1/memory/3920-84-0x0000000005420000-0x000000000545F000-memory.dmp	family_redline
behavioral1/memory/3920-82-0x0000000005420000-0x000000000545F000-memory.dmp	family_redline
behavioral1/memory/3920-80-0x0000000005420000-0x000000000545F000-memory.dmp	family_redline
behavioral1/memory/3920-78-0x0000000005420000-0x000000000545F000-memory.dmp	family_redline
behavioral1/memory/3920-74-0x0000000005420000-0x000000000545F000-memory.dmp	family_redline
behavioral1/memory/3920-73-0x0000000005420000-0x000000000545F000-memory.dmp	family_redline
behavioral1/memory/3920-70-0x0000000005420000-0x000000000545F000-memory.dmp	family_redline
behavioral1/memory/3920-68-0x0000000005420000-0x000000000545F000-memory.dmp	family_redline
behavioral1/memory/3920-66-0x0000000005420000-0x000000000545F000-memory.dmp	family_redline
behavioral1/memory/3920-64-0x0000000005420000-0x000000000545F000-memory.dmp	family_redline
behavioral1/memory/3920-62-0x0000000005420000-0x000000000545F000-memory.dmp	family_redline
behavioral1/memory/3920-60-0x0000000005420000-0x000000000545F000-memory.dmp	family_redline
behavioral1/memory/3920-58-0x0000000005420000-0x000000000545F000-memory.dmp	family_redline
behavioral1/memory/3920-56-0x0000000005420000-0x000000000545F000-memory.dmp	family_redline
behavioral1/memory/3920-54-0x0000000005420000-0x000000000545F000-memory.dmp	family_redline
behavioral1/memory/3920-52-0x0000000005420000-0x000000000545F000-memory.dmp	family_redline
behavioral1/memory/3920-48-0x0000000005420000-0x000000000545F000-memory.dmp	family_redline
behavioral1/memory/3920-46-0x0000000005420000-0x000000000545F000-memory.dmp	family_redline
behavioral1/memory/3920-45-0x0000000005420000-0x000000000545F000-memory.dmp	family_redline
behavioral1/memory/3920-42-0x0000000005420000-0x000000000545F000-memory.dmp	family_redline
behavioral1/memory/3920-41-0x0000000005420000-0x000000000545F000-memory.dmp	family_redline
behavioral1/memory/3920-38-0x0000000005420000-0x000000000545F000-memory.dmp	family_redline
behavioral1/memory/3920-37-0x0000000005420000-0x000000000545F000-memory.dmp	family_redline
behavioral1/memory/3920-34-0x0000000005420000-0x000000000545F000-memory.dmp	family_redline
behavioral1/memory/3920-32-0x0000000005420000-0x000000000545F000-memory.dmp	family_redline
behavioral1/memory/3920-30-0x0000000005420000-0x000000000545F000-memory.dmp	family_redline
behavioral1/memory/3920-28-0x0000000005420000-0x000000000545F000-memory.dmp	family_redline
behavioral1/memory/3920-26-0x0000000005420000-0x000000000545F000-memory.dmp	family_redline
behavioral1/memory/3920-50-0x0000000005420000-0x000000000545F000-memory.dmp	family_redline
behavioral1/memory/3920-25-0x0000000005420000-0x000000000545F000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

zieU2634.exejr942327.exeku184787.exe

pid process

3492 zieU2634.exe
1596 jr942327.exe
3920 ku184787.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

jr942327.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" jr942327.exe

pid	process
3492	zieU2634.exe
1596	jr942327.exe
3920	ku184787.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	jr942327.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

zieU2634.exe76505f6f14a51d19846833f3d4d3d2e3d3dd179326256ce8e246c5e6010239e1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zieU2634.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	76505f6f14a51d19846833f3d4d3d2e3d3dd179326256ce8e246c5e6010239e1.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

76505f6f14a51d19846833f3d4d3d2e3d3dd179326256ce8e246c5e6010239e1.exezieU2634.exeku184787.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	76505f6f14a51d19846833f3d4d3d2e3d3dd179326256ce8e246c5e6010239e1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zieU2634.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ku184787.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

jr942327.exe

pid process

1596 jr942327.exe
1596 jr942327.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

jr942327.exeku184787.exe

description pid process

Token: SeDebugPrivilege 1596 jr942327.exe
Token: SeDebugPrivilege 3920 ku184787.exe

pid	process
1596	jr942327.exe
1596	jr942327.exe

description	pid	process
Token: SeDebugPrivilege	1596	jr942327.exe
Token: SeDebugPrivilege	3920	ku184787.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

76505f6f14a51d19846833f3d4d3d2e3d3dd179326256ce8e246c5e6010239e1.exezieU2634.exe

description	pid	process	target process
PID 4904 wrote to memory of 3492	4904	76505f6f14a51d19846833f3d4d3d2e3d3dd179326256ce8e246c5e6010239e1.exe	zieU2634.exe
PID 4904 wrote to memory of 3492	4904	76505f6f14a51d19846833f3d4d3d2e3d3dd179326256ce8e246c5e6010239e1.exe	zieU2634.exe
PID 4904 wrote to memory of 3492	4904	76505f6f14a51d19846833f3d4d3d2e3d3dd179326256ce8e246c5e6010239e1.exe	zieU2634.exe
PID 3492 wrote to memory of 1596	3492	zieU2634.exe	jr942327.exe
PID 3492 wrote to memory of 1596	3492	zieU2634.exe	jr942327.exe
PID 3492 wrote to memory of 3920	3492	zieU2634.exe	ku184787.exe
PID 3492 wrote to memory of 3920	3492	zieU2634.exe	ku184787.exe
PID 3492 wrote to memory of 3920	3492	zieU2634.exe	ku184787.exe

C:\Users\Admin\AppData\Local\Temp\76505f6f14a51d19846833f3d4d3d2e3d3dd179326256ce8e246c5e6010239e1.exe
"C:\Users\Admin\AppData\Local\Temp\76505f6f14a51d19846833f3d4d3d2e3d3dd179326256ce8e246c5e6010239e1.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4904

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zieU2634.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zieU2634.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3492

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr942327.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr942327.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku184787.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku184787.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zieU2634.exe

Filesize
407KB

MD5
bbf05622e9b1432fa722fdd25b3ee0cf

SHA1
c5b4eae8311e8a67f209a8bb72487af882de7149

SHA256
fa02af40e0f3e1adceb8de0319822943f5299cf2c00c440e1e5c4e595180f052

SHA512
02464d37ffd4f290b7755878f44e7a8f98aa40d6a43c9e36904342b6a199eefae77bea0f94427613f912f5bc32e31fb7c1caf45621cf901b06d6e0518a7d59ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr942327.exe

Filesize
11KB

MD5
7f701014771a9ef8d06c498b3734cdb4

SHA1
09c5b8d831f3940f1921d8e2cd00f1d464cb47dc

SHA256
b1f5b845cae48b901546620acb31987b7e081242a34b517d31f1589ef1ddb299

SHA512
78af338bc4e9a309d76c43417970ba6c7a4f53fb730739cc118faf04aea7e2c4e69b98b8efdfc4699836fc2f0e8530e47742cf50efe8ca2a1cf066111d4f4d6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku184787.exe

Filesize
372KB

MD5
135af7c4f3599a79668e084be5038808

SHA1
a43a3d178815b7ae9a2bb6c0be6926444c24e6de

SHA256
eee0ba093105f2d071e9e002f662a00314f9e730f56ccef40aadaa7b62ea9c59

SHA512
feb9bcc7e05a1913baa54cfbd859e3ccce0bbf1d317df4f4520feb5f95bcc511154cefab90a90844afdb9dddd7ef3f66fd7a324966c6a1397369f6109898e75f

Download Submit
memory/1596-14-0x00007FF81E343000-0x00007FF81E345000-memory.dmp

Filesize
8KB

Download
memory/1596-15-0x0000000000950000-0x000000000095A000-memory.dmp

Filesize
40KB

Download
memory/1596-16-0x00007FF81E343000-0x00007FF81E345000-memory.dmp

Filesize
8KB

Download
memory/3920-62-0x0000000005420000-0x000000000545F000-memory.dmp

Filesize
252KB

Download
memory/3920-52-0x0000000005420000-0x000000000545F000-memory.dmp

Filesize
252KB

Download
memory/3920-24-0x0000000005420000-0x0000000005464000-memory.dmp

Filesize
272KB

Download
memory/3920-76-0x0000000005420000-0x000000000545F000-memory.dmp

Filesize
252KB

Download
memory/3920-88-0x0000000005420000-0x000000000545F000-memory.dmp

Filesize
252KB

Download
memory/3920-86-0x0000000005420000-0x000000000545F000-memory.dmp

Filesize
252KB

Download
memory/3920-84-0x0000000005420000-0x000000000545F000-memory.dmp

Filesize
252KB

Download
memory/3920-82-0x0000000005420000-0x000000000545F000-memory.dmp

Filesize
252KB

Download
memory/3920-80-0x0000000005420000-0x000000000545F000-memory.dmp

Filesize
252KB

Download
memory/3920-78-0x0000000005420000-0x000000000545F000-memory.dmp

Filesize
252KB

Download
memory/3920-74-0x0000000005420000-0x000000000545F000-memory.dmp

Filesize
252KB

Download
memory/3920-73-0x0000000005420000-0x000000000545F000-memory.dmp

Filesize
252KB

Download
memory/3920-70-0x0000000005420000-0x000000000545F000-memory.dmp

Filesize
252KB

Download
memory/3920-68-0x0000000005420000-0x000000000545F000-memory.dmp

Filesize
252KB

Download
memory/3920-66-0x0000000005420000-0x000000000545F000-memory.dmp

Filesize
252KB

Download
memory/3920-64-0x0000000005420000-0x000000000545F000-memory.dmp

Filesize
252KB

Download
memory/3920-22-0x0000000004D80000-0x0000000004DC6000-memory.dmp

Filesize
280KB

Download
memory/3920-60-0x0000000005420000-0x000000000545F000-memory.dmp

Filesize
252KB

Download
memory/3920-58-0x0000000005420000-0x000000000545F000-memory.dmp

Filesize
252KB

Download
memory/3920-56-0x0000000005420000-0x000000000545F000-memory.dmp

Filesize
252KB

Download
memory/3920-54-0x0000000005420000-0x000000000545F000-memory.dmp

Filesize
252KB

Download
memory/3920-23-0x0000000004E70000-0x0000000005414000-memory.dmp

Filesize
5.6MB

Download
memory/3920-48-0x0000000005420000-0x000000000545F000-memory.dmp

Filesize
252KB

Download
memory/3920-46-0x0000000005420000-0x000000000545F000-memory.dmp

Filesize
252KB

Download
memory/3920-45-0x0000000005420000-0x000000000545F000-memory.dmp

Filesize
252KB

Download
memory/3920-42-0x0000000005420000-0x000000000545F000-memory.dmp

Filesize
252KB

Download
memory/3920-41-0x0000000005420000-0x000000000545F000-memory.dmp

Filesize
252KB

Download
memory/3920-38-0x0000000005420000-0x000000000545F000-memory.dmp

Filesize
252KB

Download
memory/3920-37-0x0000000005420000-0x000000000545F000-memory.dmp

Filesize
252KB

Download
memory/3920-34-0x0000000005420000-0x000000000545F000-memory.dmp

Filesize
252KB

Download
memory/3920-32-0x0000000005420000-0x000000000545F000-memory.dmp

Filesize
252KB

Download
memory/3920-30-0x0000000005420000-0x000000000545F000-memory.dmp

Filesize
252KB

Download
memory/3920-28-0x0000000005420000-0x000000000545F000-memory.dmp

Filesize
252KB

Download
memory/3920-26-0x0000000005420000-0x000000000545F000-memory.dmp

Filesize
252KB

Download
memory/3920-50-0x0000000005420000-0x000000000545F000-memory.dmp

Filesize
252KB

Download
memory/3920-25-0x0000000005420000-0x000000000545F000-memory.dmp

Filesize
252KB

Download
memory/3920-931-0x0000000005460000-0x0000000005A78000-memory.dmp

Filesize
6.1MB

Download
memory/3920-932-0x0000000005AF0000-0x0000000005BFA000-memory.dmp

Filesize
1.0MB

Download
memory/3920-933-0x0000000005C30000-0x0000000005C42000-memory.dmp

Filesize
72KB

Download
memory/3920-934-0x0000000005C50000-0x0000000005C8C000-memory.dmp

Filesize
240KB

Download
memory/3920-935-0x0000000005DA0000-0x0000000005DEC000-memory.dmp

Filesize
304KB

Download