healer | 6b5d6022f8301ac1c6b39bec445dbe1e087e28d251e9e4560f4545f88798ecb6

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-11-2024 10:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b5d6022f8301ac1c6b39bec445dbe1e087e28d251e9e4560f4545f88798ecb6.exe
Size

926KB
MD5

d79dad8803a11421aa13c5521d2537ef
SHA1

1f3c2c1db0423b10de168c460b60c31fcd03c164
SHA256

6b5d6022f8301ac1c6b39bec445dbe1e087e28d251e9e4560f4545f88798ecb6
SHA512

3a11a03641da671e84bedce3d28075e5f1c219c7ae936a591a73217d5ae92e1baf8429aa6a8b7e8cc5e22d9d2cca1b16bf6e64cb0447f41a1111188e9f987610
SSDEEP

24576:JyvtTjTC1TlA2h4I61kTCBekAqNme9jjL:8tYTzhj21EY1j

Score

10^/10

healer redline droz norm discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

norm

77.91.124.145:4125

Attributes

auth_value
1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

droz

77.91.124.145:4125

Attributes

auth_value
d099adf6dbf6ccb8e16967104280634a

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023c8c-19.dat	healer
behavioral1/memory/2308-22-0x0000000000160000-0x000000000016A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	it219589.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	it219589.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	it219589.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	it219589.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	it219589.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	it219589.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/memory/4264-2112-0x0000000005400000-0x0000000005432000-memory.dmp	family_redline
behavioral1/files/0x000e000000023b4e-2117.dat	family_redline
behavioral1/memory/5964-2125-0x0000000000C00000-0x0000000000C30000-memory.dmp	family_redline
behavioral1/memory/2288-2136-0x0000000000430000-0x000000000045E000-memory.dmp	family_redline
behavioral1/files/0x0007000000023c89-2135.dat	family_redline

Redline family
redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	jr420755.exe

Executes dropped EXE 6 IoCs

pid	Process
3128	zixJ3763.exe
2040	ziQm2710.exe
2308	it219589.exe
4264	jr420755.exe
5964	1.exe
2288	kp304670.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	it219589.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6b5d6022f8301ac1c6b39bec445dbe1e087e28d251e9e4560f4545f88798ecb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zixJ3763.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ziQm2710.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2764	4264	WerFault.exe	97

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zixJ3763.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ziQm2710.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jr420755.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kp304670.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6b5d6022f8301ac1c6b39bec445dbe1e087e28d251e9e4560f4545f88798ecb6.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2308	it219589.exe
2308	it219589.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2308	it219589.exe
Token: SeDebugPrivilege	4264	jr420755.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 3128	1312	6b5d6022f8301ac1c6b39bec445dbe1e087e28d251e9e4560f4545f88798ecb6.exe	84
PID 1312 wrote to memory of 3128	1312	6b5d6022f8301ac1c6b39bec445dbe1e087e28d251e9e4560f4545f88798ecb6.exe	84
PID 1312 wrote to memory of 3128	1312	6b5d6022f8301ac1c6b39bec445dbe1e087e28d251e9e4560f4545f88798ecb6.exe	84
PID 3128 wrote to memory of 2040	3128	zixJ3763.exe	85
PID 3128 wrote to memory of 2040	3128	zixJ3763.exe	85
PID 3128 wrote to memory of 2040	3128	zixJ3763.exe	85
PID 2040 wrote to memory of 2308	2040	ziQm2710.exe	87
PID 2040 wrote to memory of 2308	2040	ziQm2710.exe	87
PID 2040 wrote to memory of 4264	2040	ziQm2710.exe	97
PID 2040 wrote to memory of 4264	2040	ziQm2710.exe	97
PID 2040 wrote to memory of 4264	2040	ziQm2710.exe	97
PID 4264 wrote to memory of 5964	4264	jr420755.exe	98
PID 4264 wrote to memory of 5964	4264	jr420755.exe	98
PID 4264 wrote to memory of 5964	4264	jr420755.exe	98
PID 3128 wrote to memory of 2288	3128	zixJ3763.exe	103
PID 3128 wrote to memory of 2288	3128	zixJ3763.exe	103
PID 3128 wrote to memory of 2288	3128	zixJ3763.exe	103

C:\Users\Admin\AppData\Local\Temp\6b5d6022f8301ac1c6b39bec445dbe1e087e28d251e9e4560f4545f88798ecb6.exe
"C:\Users\Admin\AppData\Local\Temp\6b5d6022f8301ac1c6b39bec445dbe1e087e28d251e9e4560f4545f88798ecb6.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixJ3763.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixJ3763.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3128
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziQm2710.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziQm2710.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it219589.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it219589.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2308
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr420755.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr420755.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4264
    - - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5964
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 980
        5⤵
        Program crash
        
        PID:2764
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp304670.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp304670.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4264 -ip 4264
1⤵
PID:6120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixJ3763.exe

Filesize
661KB

MD5
a4e7142c6eb2bf89e26a525d049041ad

SHA1
b8c94c0245b57290445403da757e07cebc903e02

SHA256
91a14ef7c5392d220b496508c2464b6354d83984376af2461986945c1c10e707

SHA512
0265d4c6b4b3fc697af3e3bf762a770883bab0ea924d331baa9e28cf06fe8d307096e1130d6b8dc7fce1a6e9da6a78f19f2ce8c0165e8e689b494502e1ac5591

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp304670.exe

Filesize
168KB

MD5
17810612b85801a54d066174f0cff5de

SHA1
5286fd4122612ce07cb1d83dfb49513320f14c9c

SHA256
f6636a62bcd5bb5455b1f3c06e1c000c8cfbafb7b3bf02c8af3e90f8c8462e75

SHA512
bc54d21994ce00ef0ee8d41ba818de34ee4cc6061a15f838fcaab002ced77892c20aee270e154a1757205bc0cc4b0352fedc17fed03081bd08e5a162929c83c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziQm2710.exe

Filesize
507KB

MD5
bbca3a0290868b4fd8afe7c2235fd387

SHA1
52a44b29e6814e7d3f46e013efeb80bf54abdc2b

SHA256
2205d7f988235a9b2fdadfa9ba12c71c929f9ee8a4ade0cb28eb16bbb71832b0

SHA512
ce96d33b7b842dfe87d1cb9373b8a2ed8179d89f9b0d36a0826eb303a9a87507d60ead66a721be92e36ba02dedf3f691b9b00f030a463f7f06f3a2d972af29d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it219589.exe

Filesize
15KB

MD5
708db524f7c5476647fb60d1deffc0ea

SHA1
e4d8951d5b1d2fcf0a8ab014369c102ab9a8e615

SHA256
9fe5bbd7f2c529714f5d47544a55e82e87d4580ac7107e4057ce862c4729e811

SHA512
6a1acc37296ffde30474af6acc706b993c2a6f01b7a7e1bccbce07e216490929c0a6bdaaa5c9c3a7676d1bbe29eb7c86a7cb6cdcb381d8c77c0bf408b4a24310

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr420755.exe

Filesize
426KB

MD5
bfe92b7fe0c298e8d8ca9fbd98d65be5

SHA1
10ffb0cb48706fcb8960c3db9b31ee0f9a78dea6

SHA256
14e4ad79523a5b67cc48891fe4c1083ed61d226fe81e5dd2fccf0b53ab614bb5

SHA512
c2e195285ec4c05d64bc13ee0861d8ea13100c6df748ec6af7d896c2334eba897fb758b462f60455b29233b0ef764c5ae010e0e8117048cb027b0478ace6d529

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1073b2e7f778788852d3f7bb79929882

SHA1
7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

SHA256
c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

SHA512
90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

Download Submit
memory/2288-2136-0x0000000000430000-0x000000000045E000-memory.dmp

Filesize
184KB

Download
memory/2288-2137-0x00000000026D0000-0x00000000026D6000-memory.dmp

Filesize
24KB

Download
memory/2308-21-0x00007FF8E7AC3000-0x00007FF8E7AC5000-memory.dmp

Filesize
8KB

Download
memory/2308-22-0x0000000000160000-0x000000000016A000-memory.dmp

Filesize
40KB

Download
memory/2308-23-0x00007FF8E7AC3000-0x00007FF8E7AC5000-memory.dmp

Filesize
8KB

Download
memory/4264-71-0x0000000005230000-0x000000000528F000-memory.dmp

Filesize
380KB

Download
memory/4264-55-0x0000000005230000-0x000000000528F000-memory.dmp

Filesize
380KB

Download
memory/4264-31-0x0000000005230000-0x0000000005296000-memory.dmp

Filesize
408KB

Download
memory/4264-37-0x0000000005230000-0x000000000528F000-memory.dmp

Filesize
380KB

Download
memory/4264-61-0x0000000005230000-0x000000000528F000-memory.dmp

Filesize
380KB

Download
memory/4264-95-0x0000000005230000-0x000000000528F000-memory.dmp

Filesize
380KB

Download
memory/4264-93-0x0000000005230000-0x000000000528F000-memory.dmp

Filesize
380KB

Download
memory/4264-91-0x0000000005230000-0x000000000528F000-memory.dmp

Filesize
380KB

Download
memory/4264-87-0x0000000005230000-0x000000000528F000-memory.dmp

Filesize
380KB

Download
memory/4264-85-0x0000000005230000-0x000000000528F000-memory.dmp

Filesize
380KB

Download
memory/4264-83-0x0000000005230000-0x000000000528F000-memory.dmp

Filesize
380KB

Download
memory/4264-81-0x0000000005230000-0x000000000528F000-memory.dmp

Filesize
380KB

Download
memory/4264-79-0x0000000005230000-0x000000000528F000-memory.dmp

Filesize
380KB

Download
memory/4264-77-0x0000000005230000-0x000000000528F000-memory.dmp

Filesize
380KB

Download
memory/4264-73-0x0000000005230000-0x000000000528F000-memory.dmp

Filesize
380KB

Download
memory/4264-29-0x0000000004AB0000-0x0000000004B16000-memory.dmp

Filesize
408KB

Download
memory/4264-69-0x0000000005230000-0x000000000528F000-memory.dmp

Filesize
380KB

Download
memory/4264-65-0x0000000005230000-0x000000000528F000-memory.dmp

Filesize
380KB

Download
memory/4264-63-0x0000000005230000-0x000000000528F000-memory.dmp

Filesize
380KB

Download
memory/4264-59-0x0000000005230000-0x000000000528F000-memory.dmp

Filesize
380KB

Download
memory/4264-57-0x0000000005230000-0x000000000528F000-memory.dmp

Filesize
380KB

Download
memory/4264-30-0x0000000004C80000-0x0000000005224000-memory.dmp

Filesize
5.6MB

Download
memory/4264-53-0x0000000005230000-0x000000000528F000-memory.dmp

Filesize
380KB

Download
memory/4264-51-0x0000000005230000-0x000000000528F000-memory.dmp

Filesize
380KB

Download
memory/4264-49-0x0000000005230000-0x000000000528F000-memory.dmp

Filesize
380KB

Download
memory/4264-47-0x0000000005230000-0x000000000528F000-memory.dmp

Filesize
380KB

Download
memory/4264-45-0x0000000005230000-0x000000000528F000-memory.dmp

Filesize
380KB

Download
memory/4264-43-0x0000000005230000-0x000000000528F000-memory.dmp

Filesize
380KB

Download
memory/4264-41-0x0000000005230000-0x000000000528F000-memory.dmp

Filesize
380KB

Download
memory/4264-39-0x0000000005230000-0x000000000528F000-memory.dmp

Filesize
380KB

Download
memory/4264-89-0x0000000005230000-0x000000000528F000-memory.dmp

Filesize
380KB

Download
memory/4264-75-0x0000000005230000-0x000000000528F000-memory.dmp

Filesize
380KB

Download
memory/4264-67-0x0000000005230000-0x000000000528F000-memory.dmp

Filesize
380KB

Download
memory/4264-35-0x0000000005230000-0x000000000528F000-memory.dmp

Filesize
380KB

Download
memory/4264-33-0x0000000005230000-0x000000000528F000-memory.dmp

Filesize
380KB

Download
memory/4264-32-0x0000000005230000-0x000000000528F000-memory.dmp

Filesize
380KB

Download
memory/4264-2112-0x0000000005400000-0x0000000005432000-memory.dmp

Filesize
200KB

Download
memory/5964-2125-0x0000000000C00000-0x0000000000C30000-memory.dmp

Filesize
192KB

Download
memory/5964-2126-0x0000000002D20000-0x0000000002D26000-memory.dmp

Filesize
24KB

Download
memory/5964-2127-0x0000000005BE0000-0x00000000061F8000-memory.dmp

Filesize
6.1MB

Download
memory/5964-2128-0x00000000056D0000-0x00000000057DA000-memory.dmp

Filesize
1.0MB

Download
memory/5964-2129-0x0000000005570000-0x0000000005582000-memory.dmp

Filesize
72KB

Download
memory/5964-2130-0x0000000005600000-0x000000000563C000-memory.dmp

Filesize
240KB

Download
memory/5964-2131-0x0000000005640000-0x000000000568C000-memory.dmp

Filesize
304KB

Download