healer | 69f2d744e05d587724219d24131a597687f53215da22e471d7ec2690e44ca890

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/11/2024, 21:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69f2d744e05d587724219d24131a597687f53215da22e471d7ec2690e44ca890.exe
Size

965KB
MD5

d67eb88f2bb0f318bd64ef0b8ac75a38
SHA1

9fd983c0006fdfe90a514fec6240f0ed797963c7
SHA256

69f2d744e05d587724219d24131a597687f53215da22e471d7ec2690e44ca890
SHA512

104f511e6d2a284e263386a2c6b1bdf481e737d5db757172d709ce8664019e585b660e9503a90caff772a60a8a3ccf6c612cb58cd64aba365fe58def9df51433
SSDEEP

12288:uy90AK5rPy1AZt+vrLWQOY+ThDxwy/hEZtF/rgrviUwOqozEr7Hy3rcIsrPhzdf/:uya/2DLW2+LKZjtUw9VeQIsrJZfR9n

Score

10^/10

healer redline discovery dropper evasion infostealer persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/868-22-0x0000000004830000-0x000000000484A000-memory.dmp	healer
behavioral1/memory/868-24-0x0000000004CD0000-0x0000000004CE8000-memory.dmp	healer
behavioral1/memory/868-25-0x0000000004CD0000-0x0000000004CE2000-memory.dmp	healer
behavioral1/memory/868-32-0x0000000004CD0000-0x0000000004CE2000-memory.dmp	healer
behavioral1/memory/868-52-0x0000000004CD0000-0x0000000004CE2000-memory.dmp	healer
behavioral1/memory/868-50-0x0000000004CD0000-0x0000000004CE2000-memory.dmp	healer
behavioral1/memory/868-48-0x0000000004CD0000-0x0000000004CE2000-memory.dmp	healer
behavioral1/memory/868-46-0x0000000004CD0000-0x0000000004CE2000-memory.dmp	healer
behavioral1/memory/868-44-0x0000000004CD0000-0x0000000004CE2000-memory.dmp	healer
behavioral1/memory/868-43-0x0000000004CD0000-0x0000000004CE2000-memory.dmp	healer
behavioral1/memory/868-40-0x0000000004CD0000-0x0000000004CE2000-memory.dmp	healer
behavioral1/memory/868-38-0x0000000004CD0000-0x0000000004CE2000-memory.dmp	healer
behavioral1/memory/868-36-0x0000000004CD0000-0x0000000004CE2000-memory.dmp	healer
behavioral1/memory/868-34-0x0000000004CD0000-0x0000000004CE2000-memory.dmp	healer
behavioral1/memory/868-30-0x0000000004CD0000-0x0000000004CE2000-memory.dmp	healer
behavioral1/memory/868-28-0x0000000004CD0000-0x0000000004CE2000-memory.dmp	healer
behavioral1/memory/868-26-0x0000000004CD0000-0x0000000004CE2000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr794926.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr794926.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr794926.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr794926.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr794926.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr794926.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/4692-60-0x0000000007150000-0x000000000718C000-memory.dmp	family_redline
behavioral1/memory/4692-61-0x0000000007790000-0x00000000077CA000-memory.dmp	family_redline
behavioral1/memory/4692-65-0x0000000007790000-0x00000000077C5000-memory.dmp	family_redline
behavioral1/memory/4692-63-0x0000000007790000-0x00000000077C5000-memory.dmp	family_redline
behavioral1/memory/4692-62-0x0000000007790000-0x00000000077C5000-memory.dmp	family_redline
behavioral1/memory/4692-71-0x0000000007790000-0x00000000077C5000-memory.dmp	family_redline
behavioral1/memory/4692-69-0x0000000007790000-0x00000000077C5000-memory.dmp	family_redline
behavioral1/memory/4692-67-0x0000000007790000-0x00000000077C5000-memory.dmp	family_redline
behavioral1/memory/4692-85-0x0000000007790000-0x00000000077C5000-memory.dmp	family_redline
behavioral1/memory/4692-73-0x0000000007790000-0x00000000077C5000-memory.dmp	family_redline
behavioral1/memory/4692-95-0x0000000007790000-0x00000000077C5000-memory.dmp	family_redline
behavioral1/memory/4692-93-0x0000000007790000-0x00000000077C5000-memory.dmp	family_redline
behavioral1/memory/4692-91-0x0000000007790000-0x00000000077C5000-memory.dmp	family_redline
behavioral1/memory/4692-89-0x0000000007790000-0x00000000077C5000-memory.dmp	family_redline
behavioral1/memory/4692-87-0x0000000007790000-0x00000000077C5000-memory.dmp	family_redline
behavioral1/memory/4692-83-0x0000000007790000-0x00000000077C5000-memory.dmp	family_redline
behavioral1/memory/4692-81-0x0000000007790000-0x00000000077C5000-memory.dmp	family_redline
behavioral1/memory/4692-79-0x0000000007790000-0x00000000077C5000-memory.dmp	family_redline
behavioral1/memory/4692-77-0x0000000007790000-0x00000000077C5000-memory.dmp	family_redline
behavioral1/memory/4692-75-0x0000000007790000-0x00000000077C5000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 4 IoCs

pid	Process
4452	un368258.exe
3692	un607255.exe
868	pr794926.exe
4692	qu885969.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr794926.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr794926.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	69f2d744e05d587724219d24131a597687f53215da22e471d7ec2690e44ca890.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un368258.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un607255.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2268	868	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un368258.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un607255.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pr794926.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu885969.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	69f2d744e05d587724219d24131a597687f53215da22e471d7ec2690e44ca890.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
868	pr794926.exe
868	pr794926.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	868	pr794926.exe
Token: SeDebugPrivilege	4692	qu885969.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4408 wrote to memory of 4452	4408	69f2d744e05d587724219d24131a597687f53215da22e471d7ec2690e44ca890.exe	83
PID 4408 wrote to memory of 4452	4408	69f2d744e05d587724219d24131a597687f53215da22e471d7ec2690e44ca890.exe	83
PID 4408 wrote to memory of 4452	4408	69f2d744e05d587724219d24131a597687f53215da22e471d7ec2690e44ca890.exe	83
PID 4452 wrote to memory of 3692	4452	un368258.exe	84
PID 4452 wrote to memory of 3692	4452	un368258.exe	84
PID 4452 wrote to memory of 3692	4452	un368258.exe	84
PID 3692 wrote to memory of 868	3692	un607255.exe	85
PID 3692 wrote to memory of 868	3692	un607255.exe	85
PID 3692 wrote to memory of 868	3692	un607255.exe	85
PID 3692 wrote to memory of 4692	3692	un607255.exe	99
PID 3692 wrote to memory of 4692	3692	un607255.exe	99
PID 3692 wrote to memory of 4692	3692	un607255.exe	99

C:\Users\Admin\AppData\Local\Temp\69f2d744e05d587724219d24131a597687f53215da22e471d7ec2690e44ca890.exe
"C:\Users\Admin\AppData\Local\Temp\69f2d744e05d587724219d24131a597687f53215da22e471d7ec2690e44ca890.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4408
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un368258.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un368258.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4452
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un607255.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un607255.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3692
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr794926.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr794926.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:868
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 1084
        5⤵
        Program crash
        
        PID:2268
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu885969.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu885969.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 868 -ip 868
1⤵
PID:1528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un368258.exe

Filesize
706KB

MD5
1d3da5131c27fc1d55ba6b86c68edd60

SHA1
aaf74c8ad76624e3c641f0b2c1623148e205ab22

SHA256
e4e17beaa69b12f4b82c413ae4565927cef6313ad227f0064a10babd7b9cf865

SHA512
8bf733e880bb8ee6e91ba5937bf836b4a01003ca6939a27220d891dbe6152d3fae2096fea03c1b0464d5d2faaacd6bca1cc53d2d8824f2ce1348b6d965723c50

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un607255.exe

Filesize
552KB

MD5
926830ec84daf60792cd12d358327b58

SHA1
5cfd0679f17b105e9285abbeeb2a2358df742317

SHA256
825f5d1c8b0b14eef27f77aa8785482c6e85894e215211658b0412a398037fa7

SHA512
a86dcd35b0352a2ddb37268ea26f97181eff58423cae4f85c654f49da6ecf256a285c04306c587224eef9e6a0b01933fd56fbc589ee2feed68774418ebdd77f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr794926.exe

Filesize
299KB

MD5
1cab00fc270ade2f742bbd55a1156b99

SHA1
7723fca27eef0d8f48ed070eceaf2f9d3d627065

SHA256
841e108972b6ff615bf705d2d0db4fbe5a2da64c1b9bbf2b12dbc9dba13b8846

SHA512
293dd1e32e32959109a3d78b3e1ffc01d02c9a6fa1db3421027ef67b4f35335ad1dabd444c450208ce55cd35cf900d715afce421ac90394019dbfbc25de48884

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu885969.exe

Filesize
381KB

MD5
2ac6a5414f2a2b36f693aceb9ebf6591

SHA1
b26626ea23cf17ac2ad7a5af2be4eb7104a0c5dd

SHA256
6104138b348002481cbcb0f135ada8c52564ba36b82674505a35229b426c4323

SHA512
11898af750dbfc9d5745b92f8284920d4574b3a524d10d0e696698a699a9d505cb72e4343d562b6aa3c34f666ced253b90ba03601cf26000d23cd4b24086abde

Download Submit
memory/868-44-0x0000000004CD0000-0x0000000004CE2000-memory.dmp

Filesize
72KB

Download
memory/868-43-0x0000000004CD0000-0x0000000004CE2000-memory.dmp

Filesize
72KB

Download
memory/868-25-0x0000000004CD0000-0x0000000004CE2000-memory.dmp

Filesize
72KB

Download
memory/868-32-0x0000000004CD0000-0x0000000004CE2000-memory.dmp

Filesize
72KB

Download
memory/868-52-0x0000000004CD0000-0x0000000004CE2000-memory.dmp

Filesize
72KB

Download
memory/868-50-0x0000000004CD0000-0x0000000004CE2000-memory.dmp

Filesize
72KB

Download
memory/868-48-0x0000000004CD0000-0x0000000004CE2000-memory.dmp

Filesize
72KB

Download
memory/868-46-0x0000000004CD0000-0x0000000004CE2000-memory.dmp

Filesize
72KB

Download
memory/868-23-0x0000000007330000-0x00000000078D4000-memory.dmp

Filesize
5.6MB

Download
memory/868-24-0x0000000004CD0000-0x0000000004CE8000-memory.dmp

Filesize
96KB

Download
memory/868-40-0x0000000004CD0000-0x0000000004CE2000-memory.dmp

Filesize
72KB

Download
memory/868-38-0x0000000004CD0000-0x0000000004CE2000-memory.dmp

Filesize
72KB

Download
memory/868-36-0x0000000004CD0000-0x0000000004CE2000-memory.dmp

Filesize
72KB

Download
memory/868-34-0x0000000004CD0000-0x0000000004CE2000-memory.dmp

Filesize
72KB

Download
memory/868-30-0x0000000004CD0000-0x0000000004CE2000-memory.dmp

Filesize
72KB

Download
memory/868-28-0x0000000004CD0000-0x0000000004CE2000-memory.dmp

Filesize
72KB

Download
memory/868-26-0x0000000004CD0000-0x0000000004CE2000-memory.dmp

Filesize
72KB

Download
memory/868-53-0x0000000000400000-0x0000000002BB4000-memory.dmp

Filesize
39.7MB

Download
memory/868-22-0x0000000004830000-0x000000000484A000-memory.dmp

Filesize
104KB

Download
memory/868-55-0x0000000000400000-0x0000000002BB4000-memory.dmp

Filesize
39.7MB

Download
memory/4692-60-0x0000000007150000-0x000000000718C000-memory.dmp

Filesize
240KB

Download
memory/4692-61-0x0000000007790000-0x00000000077CA000-memory.dmp

Filesize
232KB

Download
memory/4692-65-0x0000000007790000-0x00000000077C5000-memory.dmp

Filesize
212KB

Download
memory/4692-63-0x0000000007790000-0x00000000077C5000-memory.dmp

Filesize
212KB

Download
memory/4692-62-0x0000000007790000-0x00000000077C5000-memory.dmp

Filesize
212KB

Download
memory/4692-71-0x0000000007790000-0x00000000077C5000-memory.dmp

Filesize
212KB

Download
memory/4692-69-0x0000000007790000-0x00000000077C5000-memory.dmp

Filesize
212KB

Download
memory/4692-67-0x0000000007790000-0x00000000077C5000-memory.dmp

Filesize
212KB

Download
memory/4692-85-0x0000000007790000-0x00000000077C5000-memory.dmp

Filesize
212KB

Download
memory/4692-73-0x0000000007790000-0x00000000077C5000-memory.dmp

Filesize
212KB

Download
memory/4692-95-0x0000000007790000-0x00000000077C5000-memory.dmp

Filesize
212KB

Download
memory/4692-93-0x0000000007790000-0x00000000077C5000-memory.dmp

Filesize
212KB

Download
memory/4692-91-0x0000000007790000-0x00000000077C5000-memory.dmp

Filesize
212KB

Download
memory/4692-89-0x0000000007790000-0x00000000077C5000-memory.dmp

Filesize
212KB

Download
memory/4692-87-0x0000000007790000-0x00000000077C5000-memory.dmp

Filesize
212KB

Download
memory/4692-83-0x0000000007790000-0x00000000077C5000-memory.dmp

Filesize
212KB

Download
memory/4692-81-0x0000000007790000-0x00000000077C5000-memory.dmp

Filesize
212KB

Download
memory/4692-79-0x0000000007790000-0x00000000077C5000-memory.dmp

Filesize
212KB

Download
memory/4692-77-0x0000000007790000-0x00000000077C5000-memory.dmp

Filesize
212KB

Download
memory/4692-75-0x0000000007790000-0x00000000077C5000-memory.dmp

Filesize
212KB

Download
memory/4692-854-0x0000000009C90000-0x000000000A2A8000-memory.dmp

Filesize
6.1MB

Download
memory/4692-855-0x000000000A350000-0x000000000A362000-memory.dmp

Filesize
72KB

Download
memory/4692-856-0x000000000A370000-0x000000000A47A000-memory.dmp

Filesize
1.0MB

Download
memory/4692-857-0x000000000A4A0000-0x000000000A4DC000-memory.dmp

Filesize
240KB

Download
memory/4692-858-0x0000000004A30000-0x0000000004A7C000-memory.dmp

Filesize
304KB

Download