healer | c6aa60bfd0c38562a3a6eae2abf81cce568a458672ea6cbadb2e7a95bb6a88ff

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2024 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6aa60bfd0c38562a3a6eae2abf81cce568a458672ea6cbadb2e7a95bb6a88ff.exe
Size

650KB
MD5

75b9c4623eaa1eb15468169d2d4e8caf
SHA1

1e751af01507ffb09359620de40e5a91e1543107
SHA256

c6aa60bfd0c38562a3a6eae2abf81cce568a458672ea6cbadb2e7a95bb6a88ff
SHA512

798afb902d2081db5adb15daab7b583c5491cdf080d3a1c1ea246b51de9e14a065b982a4959ceb5bbbb7efc7bbb571f5fc1a02c4ce2dd47bbe61218fc40f872d
SSDEEP

12288:RMrLy90PkL1ZHvOudTdW5bQpTqu9/KO7zlu3OUaoG+puR6uV9p2wi1:WyKiZPOu6qGu9/KO7Ju3Ovuu4uV9gw6

Score

10^/10

healer redline diza norm discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

norm

77.91.124.145:4125

Attributes

auth_value
1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

diza

77.91.124.145:4125

Attributes

auth_value
bbab0d2f0ae4d4fdd6b17077d93b3e80

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr662617.exe	healer
behavioral1/memory/4400-15-0x0000000000B30000-0x0000000000B3A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

jr662617.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	jr662617.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	jr662617.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	jr662617.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	jr662617.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	jr662617.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	jr662617.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2076-2104-0x00000000053F0000-0x0000000005422000-memory.dmp	family_redline
C:\Windows\Temp\1.exe	family_redline
behavioral1/memory/3452-2117-0x0000000000FE0000-0x0000000001010000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr077072.exe	family_redline
behavioral1/memory/4772-2128-0x0000000000C10000-0x0000000000C3E000-memory.dmp	family_redline

Redline family
redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ku173940.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	ku173940.exe

Executes dropped EXE 5 IoCs

Processes:

ziPR5271.exejr662617.exeku173940.exe1.exelr077072.exe

pid process

4768 ziPR5271.exe
4400 jr662617.exe
2076 ku173940.exe
3452 1.exe
4772 lr077072.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

jr662617.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" jr662617.exe

pid	process
4768	ziPR5271.exe
4400	jr662617.exe
2076	ku173940.exe
3452	1.exe
4772	lr077072.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	jr662617.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

c6aa60bfd0c38562a3a6eae2abf81cce568a458672ea6cbadb2e7a95bb6a88ff.exeziPR5271.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c6aa60bfd0c38562a3a6eae2abf81cce568a458672ea6cbadb2e7a95bb6a88ff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ziPR5271.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4160 2076 WerFault.exe ku173940.exe

pid	pid_target	process	target process
4160	2076	WerFault.exe	ku173940.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

ziPR5271.exeku173940.exe1.exelr077072.exec6aa60bfd0c38562a3a6eae2abf81cce568a458672ea6cbadb2e7a95bb6a88ff.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ziPR5271.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ku173940.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lr077072.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c6aa60bfd0c38562a3a6eae2abf81cce568a458672ea6cbadb2e7a95bb6a88ff.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

jr662617.exe

pid process

4400 jr662617.exe
4400 jr662617.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

jr662617.exeku173940.exe

description pid process

Token: SeDebugPrivilege 4400 jr662617.exe
Token: SeDebugPrivilege 2076 ku173940.exe

pid	process
4400	jr662617.exe
4400	jr662617.exe

description	pid	process
Token: SeDebugPrivilege	4400	jr662617.exe
Token: SeDebugPrivilege	2076	ku173940.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

c6aa60bfd0c38562a3a6eae2abf81cce568a458672ea6cbadb2e7a95bb6a88ff.exeziPR5271.exeku173940.exe

description	pid	process	target process
PID 1008 wrote to memory of 4768	1008	c6aa60bfd0c38562a3a6eae2abf81cce568a458672ea6cbadb2e7a95bb6a88ff.exe	ziPR5271.exe
PID 1008 wrote to memory of 4768	1008	c6aa60bfd0c38562a3a6eae2abf81cce568a458672ea6cbadb2e7a95bb6a88ff.exe	ziPR5271.exe
PID 1008 wrote to memory of 4768	1008	c6aa60bfd0c38562a3a6eae2abf81cce568a458672ea6cbadb2e7a95bb6a88ff.exe	ziPR5271.exe
PID 4768 wrote to memory of 4400	4768	ziPR5271.exe	jr662617.exe
PID 4768 wrote to memory of 4400	4768	ziPR5271.exe	jr662617.exe
PID 4768 wrote to memory of 2076	4768	ziPR5271.exe	ku173940.exe
PID 4768 wrote to memory of 2076	4768	ziPR5271.exe	ku173940.exe
PID 4768 wrote to memory of 2076	4768	ziPR5271.exe	ku173940.exe
PID 2076 wrote to memory of 3452	2076	ku173940.exe	1.exe
PID 2076 wrote to memory of 3452	2076	ku173940.exe	1.exe
PID 2076 wrote to memory of 3452	2076	ku173940.exe	1.exe
PID 1008 wrote to memory of 4772	1008	c6aa60bfd0c38562a3a6eae2abf81cce568a458672ea6cbadb2e7a95bb6a88ff.exe	lr077072.exe
PID 1008 wrote to memory of 4772	1008	c6aa60bfd0c38562a3a6eae2abf81cce568a458672ea6cbadb2e7a95bb6a88ff.exe	lr077072.exe
PID 1008 wrote to memory of 4772	1008	c6aa60bfd0c38562a3a6eae2abf81cce568a458672ea6cbadb2e7a95bb6a88ff.exe	lr077072.exe

C:\Users\Admin\AppData\Local\Temp\c6aa60bfd0c38562a3a6eae2abf81cce568a458672ea6cbadb2e7a95bb6a88ff.exe
"C:\Users\Admin\AppData\Local\Temp\c6aa60bfd0c38562a3a6eae2abf81cce568a458672ea6cbadb2e7a95bb6a88ff.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1008

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPR5271.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPR5271.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4768

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr662617.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr662617.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4400

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku173940.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku173940.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2076

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 1380
4⤵
- Program crash
PID:4160

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr077072.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr077072.exe
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2076 -ip 2076
1⤵
PID:3684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr077072.exe

Filesize
168KB

MD5
6a52fd0bca2155e42bfb77df179795be

SHA1
5ed870b71bc5f15c6ef305c12caa05a13b4cc255

SHA256
58807425d52e013c445e63dad8fb901419453719178ca205148949b99c28225e

SHA512
a53c0905ed6cd08b489621be43d7de3d0b0b2ffb3bd438d240d5d0fcd8dc85361def7dbefee19230502ae04dc5c11a15d18ee109903946e700918beb729c4adb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPR5271.exe

Filesize
496KB

MD5
93b956e03a19d1051a1de79fb93a8e12

SHA1
02be0093f8f99219ad5c69181cdda694c6efb529

SHA256
ba098961869a365ca43ec970db08b023e7d11e072f57bcc8a10bbf0e667cbcec

SHA512
8ef4676d443e7c88e0c024cb5d2f192051e53507a034edd029e3231003f4383ca47eaa2ff407040cbda363026ee816d71e0811f4e8012b47f1a8299b8fd57c51

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr662617.exe

Filesize
12KB

MD5
a63ca8bcc22734dafa3a74cfb22590ea

SHA1
d2353525bba1ded4a507b34fe2565419fce88fdf

SHA256
caf98673d6bc4146dff938277ebaf8dfbdbba396094bdf2e392ec94f9011b0f1

SHA512
f81526bbadcedb035e9237ad88e71200e8ca33da80b948a3eddea2bf45d6ed4fa03e831925dd57053a5fc699976912f6210c87c08e6bfe1a32413b53f014bdd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku173940.exe

Filesize
414KB

MD5
ff048fd5be97929b404724824e74a7cf

SHA1
57b60e944a4101cf11a4277349bc13a8aac11d1a

SHA256
763c2f3c0745f532b2b254431c61e436b3ccfc9140c1a237871c129ec5c2bbcf

SHA512
b7e59688f7f0c10bdf3405237930b5b91c2b7cb54904c23eb99f774db294c182605c49183e26269fdf0bf52643b3e754f072f6c0e702b28fef54eac9c9825217

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1073b2e7f778788852d3f7bb79929882

SHA1
7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

SHA256
c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

SHA512
90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

Download Submit
memory/2076-21-0x0000000002410000-0x0000000002476000-memory.dmp

Filesize
408KB

Download
memory/2076-22-0x0000000004D40000-0x00000000052E4000-memory.dmp

Filesize
5.6MB

Download
memory/2076-23-0x00000000026B0000-0x0000000002716000-memory.dmp

Filesize
408KB

Download
memory/2076-38-0x00000000026B0000-0x000000000270F000-memory.dmp

Filesize
380KB

Download
memory/2076-45-0x00000000026B0000-0x000000000270F000-memory.dmp

Filesize
380KB

Download
memory/2076-87-0x00000000026B0000-0x000000000270F000-memory.dmp

Filesize
380KB

Download
memory/2076-85-0x00000000026B0000-0x000000000270F000-memory.dmp

Filesize
380KB

Download
memory/2076-83-0x00000000026B0000-0x000000000270F000-memory.dmp

Filesize
380KB

Download
memory/2076-81-0x00000000026B0000-0x000000000270F000-memory.dmp

Filesize
380KB

Download
memory/2076-79-0x00000000026B0000-0x000000000270F000-memory.dmp

Filesize
380KB

Download
memory/2076-77-0x00000000026B0000-0x000000000270F000-memory.dmp

Filesize
380KB

Download
memory/2076-75-0x00000000026B0000-0x000000000270F000-memory.dmp

Filesize
380KB

Download
memory/2076-73-0x00000000026B0000-0x000000000270F000-memory.dmp

Filesize
380KB

Download
memory/2076-69-0x00000000026B0000-0x000000000270F000-memory.dmp

Filesize
380KB

Download
memory/2076-67-0x00000000026B0000-0x000000000270F000-memory.dmp

Filesize
380KB

Download
memory/2076-65-0x00000000026B0000-0x000000000270F000-memory.dmp

Filesize
380KB

Download
memory/2076-63-0x00000000026B0000-0x000000000270F000-memory.dmp

Filesize
380KB

Download
memory/2076-61-0x00000000026B0000-0x000000000270F000-memory.dmp

Filesize
380KB

Download
memory/2076-59-0x00000000026B0000-0x000000000270F000-memory.dmp

Filesize
380KB

Download
memory/2076-57-0x00000000026B0000-0x000000000270F000-memory.dmp

Filesize
380KB

Download
memory/2076-53-0x00000000026B0000-0x000000000270F000-memory.dmp

Filesize
380KB

Download
memory/2076-51-0x00000000026B0000-0x000000000270F000-memory.dmp

Filesize
380KB

Download
memory/2076-49-0x00000000026B0000-0x000000000270F000-memory.dmp

Filesize
380KB

Download
memory/2076-47-0x00000000026B0000-0x000000000270F000-memory.dmp

Filesize
380KB

Download
memory/2076-43-0x00000000026B0000-0x000000000270F000-memory.dmp

Filesize
380KB

Download
memory/2076-41-0x00000000026B0000-0x000000000270F000-memory.dmp

Filesize
380KB

Download
memory/2076-39-0x00000000026B0000-0x000000000270F000-memory.dmp

Filesize
380KB

Download
memory/2076-35-0x00000000026B0000-0x000000000270F000-memory.dmp

Filesize
380KB

Download
memory/2076-33-0x00000000026B0000-0x000000000270F000-memory.dmp

Filesize
380KB

Download
memory/2076-31-0x00000000026B0000-0x000000000270F000-memory.dmp

Filesize
380KB

Download
memory/2076-29-0x00000000026B0000-0x000000000270F000-memory.dmp

Filesize
380KB

Download
memory/2076-27-0x00000000026B0000-0x000000000270F000-memory.dmp

Filesize
380KB

Download
memory/2076-71-0x00000000026B0000-0x000000000270F000-memory.dmp

Filesize
380KB

Download
memory/2076-55-0x00000000026B0000-0x000000000270F000-memory.dmp

Filesize
380KB

Download
memory/2076-25-0x00000000026B0000-0x000000000270F000-memory.dmp

Filesize
380KB

Download
memory/2076-24-0x00000000026B0000-0x000000000270F000-memory.dmp

Filesize
380KB

Download
memory/2076-2104-0x00000000053F0000-0x0000000005422000-memory.dmp

Filesize
200KB

Download
memory/3452-2117-0x0000000000FE0000-0x0000000001010000-memory.dmp

Filesize
192KB

Download
memory/3452-2118-0x00000000058B0000-0x00000000058B6000-memory.dmp

Filesize
24KB

Download
memory/3452-2119-0x0000000006020000-0x0000000006638000-memory.dmp

Filesize
6.1MB

Download
memory/3452-2120-0x0000000005B60000-0x0000000005C6A000-memory.dmp

Filesize
1.0MB

Download
memory/3452-2121-0x0000000005A90000-0x0000000005AA2000-memory.dmp

Filesize
72KB

Download
memory/3452-2122-0x0000000005AF0000-0x0000000005B2C000-memory.dmp

Filesize
240KB

Download
memory/3452-2123-0x0000000005C70000-0x0000000005CBC000-memory.dmp

Filesize
304KB

Download
memory/4400-15-0x0000000000B30000-0x0000000000B3A000-memory.dmp

Filesize
40KB

Download
memory/4400-14-0x00007FFDDE2C3000-0x00007FFDDE2C5000-memory.dmp

Filesize
8KB

Download
memory/4772-2128-0x0000000000C10000-0x0000000000C3E000-memory.dmp

Filesize
184KB

Download
memory/4772-2129-0x0000000002ED0000-0x0000000002ED6000-memory.dmp

Filesize
24KB

Download