healer | 8638ced33a78e00b623ef0624239c4336f9aa5f11081681702d24103b658a306

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2024 09:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8638ced33a78e00b623ef0624239c4336f9aa5f11081681702d24103b658a306.exe
Size

660KB
MD5

4827734ae14867b92e5c1995b4b12fca
SHA1

7bef53de0a41ae68245c64cf1eca778f2349bd12
SHA256

8638ced33a78e00b623ef0624239c4336f9aa5f11081681702d24103b658a306
SHA512

3a1df1777f32e2b0dcf77853c9aaf2bd0f5d59098874a04728096574a09741ae84e48f11c7db514d368f34e062bfe74544a6cb9ba64cb03616fb36894f6d1e7c
SSDEEP

12288:lMrSy90UKjgxFF8ysAMZA4GOHXAF2y/ltslDTk7a4zyN+8JSSwt:rypKjy8ysASAROwUy/li+fWsqc

Score

10^/10

healer redline droz norm discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

norm

77.91.124.145:4125

Attributes

auth_value
1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

droz

77.91.124.145:4125

Attributes

auth_value
d099adf6dbf6ccb8e16967104280634a

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023c75-12.dat	healer
behavioral1/memory/692-15-0x0000000000A80000-0x0000000000A8A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	jr521392.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	jr521392.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	jr521392.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	jr521392.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	jr521392.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	jr521392.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/memory/3276-2105-0x0000000005410000-0x0000000005442000-memory.dmp	family_redline
behavioral1/files/0x000d000000023b48-2111.dat	family_redline
behavioral1/memory/1556-2118-0x0000000000720000-0x0000000000750000-memory.dmp	family_redline
behavioral1/files/0x0007000000023c73-2127.dat	family_redline
behavioral1/memory/4156-2129-0x0000000000370000-0x000000000039E000-memory.dmp	family_redline

Redline family
redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	ku418785.exe

Executes dropped EXE 5 IoCs

pid	Process
2576	ziTy2588.exe
692	jr521392.exe
3276	ku418785.exe
1556	1.exe
4156	lr698450.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	jr521392.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8638ced33a78e00b623ef0624239c4336f9aa5f11081681702d24103b658a306.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ziTy2588.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5012	3276	WerFault.exe	93

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8638ced33a78e00b623ef0624239c4336f9aa5f11081681702d24103b658a306.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ziTy2588.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ku418785.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lr698450.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
692	jr521392.exe
692	jr521392.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	692	jr521392.exe
Token: SeDebugPrivilege	3276	ku418785.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2576	2520	8638ced33a78e00b623ef0624239c4336f9aa5f11081681702d24103b658a306.exe	85
PID 2520 wrote to memory of 2576	2520	8638ced33a78e00b623ef0624239c4336f9aa5f11081681702d24103b658a306.exe	85
PID 2520 wrote to memory of 2576	2520	8638ced33a78e00b623ef0624239c4336f9aa5f11081681702d24103b658a306.exe	85
PID 2576 wrote to memory of 692	2576	ziTy2588.exe	87
PID 2576 wrote to memory of 692	2576	ziTy2588.exe	87
PID 2576 wrote to memory of 3276	2576	ziTy2588.exe	93
PID 2576 wrote to memory of 3276	2576	ziTy2588.exe	93
PID 2576 wrote to memory of 3276	2576	ziTy2588.exe	93
PID 3276 wrote to memory of 1556	3276	ku418785.exe	94
PID 3276 wrote to memory of 1556	3276	ku418785.exe	94
PID 3276 wrote to memory of 1556	3276	ku418785.exe	94
PID 2520 wrote to memory of 4156	2520	8638ced33a78e00b623ef0624239c4336f9aa5f11081681702d24103b658a306.exe	98
PID 2520 wrote to memory of 4156	2520	8638ced33a78e00b623ef0624239c4336f9aa5f11081681702d24103b658a306.exe	98
PID 2520 wrote to memory of 4156	2520	8638ced33a78e00b623ef0624239c4336f9aa5f11081681702d24103b658a306.exe	98

C:\Users\Admin\AppData\Local\Temp\8638ced33a78e00b623ef0624239c4336f9aa5f11081681702d24103b658a306.exe
"C:\Users\Admin\AppData\Local\Temp\8638ced33a78e00b623ef0624239c4336f9aa5f11081681702d24103b658a306.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTy2588.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTy2588.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr521392.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr521392.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:692
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku418785.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku418785.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3276
  - - C:\Windows\Temp\1.exe
      "C:\Windows\Temp\1.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1556
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 1516
      4⤵
      Program crash
      PID:5012
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr698450.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr698450.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3276 -ip 3276
1⤵
PID:5196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr698450.exe

Filesize
169KB

MD5
947db19f3ace92245954974603aae405

SHA1
6d5006206b2333cf16eb29a6d4c1dd9091ca9ab3

SHA256
d0cd630a5ba0bdbee930bb1623d834aadd410dbd49f2a0f9e48d5334ca0eb9e0

SHA512
851ac0dfc738eb42d6575a6abd0f2ca0af9880cd8822d90ac0326afcaa553091644f292e749f2700f41ec5629c10ae585e2829b4a6978cfed3cec259cd25128b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTy2588.exe

Filesize
506KB

MD5
d12b835c4715a3b6b023456fa5d2d4ea

SHA1
15915fbc8f2c782c07ac6a66efbd58521d3151c0

SHA256
2b7586ce437fd7953ae8b279ed673488cda9c68f7c9821f865226e4bdf88df30

SHA512
573bc4616c183b5163d35dd81fcfef4aedac54a21e1a04577b09dc493b57282fdebb07db1a3ba896d75ac88991ded8eebfebd0ba56e256d228615c825db9c007

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr521392.exe

Filesize
15KB

MD5
77dd646ff3aa19c6168273806a356580

SHA1
923ee72a99500a34eda7f5fa11323a49aed8af99

SHA256
103dd78b46f2dd2a196546148721a68524ba6f5f6d6868618737b163d771d7d8

SHA512
8fc4621f826915e8a5f485c31bdc20ca0c792d158fb27500fded6458d87858e6ef9c8e5fac6db06134763619874c01999f460ed95bbc4d853f71eaaf70e7b01e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku418785.exe

Filesize
426KB

MD5
a02447e359dc93adf39edff03bc1b6f1

SHA1
f28c0e9f69b6c00ee0815b161667ea252a09695f

SHA256
0573ceb5085df3744c0f3762726da070b3aca9b30045a02faffbf1adfb6b440f

SHA512
2c40476f2bbce65358c4ced19552bd7ee955f7e524a725f0d7688233c428efce4431cb73df5474ed6f7f4bce40b474837603bd6d74a04fe2baec3c9b52b43aaa

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1073b2e7f778788852d3f7bb79929882

SHA1
7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

SHA256
c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

SHA512
90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

Download Submit
memory/692-16-0x00007FFE0A9B3000-0x00007FFE0A9B5000-memory.dmp

Filesize
8KB

Download
memory/692-14-0x00007FFE0A9B3000-0x00007FFE0A9B5000-memory.dmp

Filesize
8KB

Download
memory/692-15-0x0000000000A80000-0x0000000000A8A000-memory.dmp

Filesize
40KB

Download
memory/1556-2118-0x0000000000720000-0x0000000000750000-memory.dmp

Filesize
192KB

Download
memory/1556-2119-0x0000000004F40000-0x0000000004F46000-memory.dmp

Filesize
24KB

Download
memory/1556-2120-0x0000000005680000-0x0000000005C98000-memory.dmp

Filesize
6.1MB

Download
memory/1556-2124-0x0000000005280000-0x00000000052CC000-memory.dmp

Filesize
304KB

Download
memory/1556-2123-0x0000000005100000-0x000000000513C000-memory.dmp

Filesize
240KB

Download
memory/1556-2122-0x00000000050A0000-0x00000000050B2000-memory.dmp

Filesize
72KB

Download
memory/1556-2121-0x0000000005170000-0x000000000527A000-memory.dmp

Filesize
1.0MB

Download
memory/3276-62-0x0000000005240000-0x000000000529F000-memory.dmp

Filesize
380KB

Download
memory/3276-46-0x0000000005240000-0x000000000529F000-memory.dmp

Filesize
380KB

Download
memory/3276-84-0x0000000005240000-0x000000000529F000-memory.dmp

Filesize
380KB

Download
memory/3276-80-0x0000000005240000-0x000000000529F000-memory.dmp

Filesize
380KB

Download
memory/3276-78-0x0000000005240000-0x000000000529F000-memory.dmp

Filesize
380KB

Download
memory/3276-76-0x0000000005240000-0x000000000529F000-memory.dmp

Filesize
380KB

Download
memory/3276-74-0x0000000005240000-0x000000000529F000-memory.dmp

Filesize
380KB

Download
memory/3276-72-0x0000000005240000-0x000000000529F000-memory.dmp

Filesize
380KB

Download
memory/3276-70-0x0000000005240000-0x000000000529F000-memory.dmp

Filesize
380KB

Download
memory/3276-66-0x0000000005240000-0x000000000529F000-memory.dmp

Filesize
380KB

Download
memory/3276-64-0x0000000005240000-0x000000000529F000-memory.dmp

Filesize
380KB

Download
memory/3276-88-0x0000000005240000-0x000000000529F000-memory.dmp

Filesize
380KB

Download
memory/3276-60-0x0000000005240000-0x000000000529F000-memory.dmp

Filesize
380KB

Download
memory/3276-58-0x0000000005240000-0x000000000529F000-memory.dmp

Filesize
380KB

Download
memory/3276-56-0x0000000005240000-0x000000000529F000-memory.dmp

Filesize
380KB

Download
memory/3276-54-0x0000000005240000-0x000000000529F000-memory.dmp

Filesize
380KB

Download
memory/3276-52-0x0000000005240000-0x000000000529F000-memory.dmp

Filesize
380KB

Download
memory/3276-50-0x0000000005240000-0x000000000529F000-memory.dmp

Filesize
380KB

Download
memory/3276-48-0x0000000005240000-0x000000000529F000-memory.dmp

Filesize
380KB

Download
memory/3276-86-0x0000000005240000-0x000000000529F000-memory.dmp

Filesize
380KB

Download
memory/3276-44-0x0000000005240000-0x000000000529F000-memory.dmp

Filesize
380KB

Download
memory/3276-42-0x0000000005240000-0x000000000529F000-memory.dmp

Filesize
380KB

Download
memory/3276-36-0x0000000005240000-0x000000000529F000-memory.dmp

Filesize
380KB

Download
memory/3276-34-0x0000000005240000-0x000000000529F000-memory.dmp

Filesize
380KB

Download
memory/3276-32-0x0000000005240000-0x000000000529F000-memory.dmp

Filesize
380KB

Download
memory/3276-30-0x0000000005240000-0x000000000529F000-memory.dmp

Filesize
380KB

Download
memory/3276-82-0x0000000005240000-0x000000000529F000-memory.dmp

Filesize
380KB

Download
memory/3276-69-0x0000000005240000-0x000000000529F000-memory.dmp

Filesize
380KB

Download
memory/3276-38-0x0000000005240000-0x000000000529F000-memory.dmp

Filesize
380KB

Download
memory/3276-28-0x0000000005240000-0x000000000529F000-memory.dmp

Filesize
380KB

Download
memory/3276-24-0x0000000005240000-0x00000000052A6000-memory.dmp

Filesize
408KB

Download
memory/3276-23-0x0000000004C90000-0x0000000005234000-memory.dmp

Filesize
5.6MB

Download
memory/3276-22-0x0000000002650000-0x00000000026B6000-memory.dmp

Filesize
408KB

Download
memory/3276-40-0x0000000005240000-0x000000000529F000-memory.dmp

Filesize
380KB

Download
memory/3276-26-0x0000000005240000-0x000000000529F000-memory.dmp

Filesize
380KB

Download
memory/3276-25-0x0000000005240000-0x000000000529F000-memory.dmp

Filesize
380KB

Download
memory/3276-2105-0x0000000005410000-0x0000000005442000-memory.dmp

Filesize
200KB

Download
memory/4156-2129-0x0000000000370000-0x000000000039E000-memory.dmp

Filesize
184KB

Download
memory/4156-2130-0x0000000000A70000-0x0000000000A76000-memory.dmp

Filesize
24KB

Download