healer | 3ec64d23df85a929a4dbc5aac12d106faa616f05bf0c101d55b847dde1bbb564

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/11/2024, 21:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ec64d23df85a929a4dbc5aac12d106faa616f05bf0c101d55b847dde1bbb564.exe
Size

958KB
MD5

babc1ebde733835165ecf4cb6809620a
SHA1

c82aab97d369320b9f441d73221da0d645dbd84d
SHA256

3ec64d23df85a929a4dbc5aac12d106faa616f05bf0c101d55b847dde1bbb564
SHA512

856ff460db30a6e72a444d584a175dfa4a3884209d7406352bdf7ec66e52c7d5e3adac321cb521edf65538b76a687570bf8ec7f785f758d7408773e57d999481
SSDEEP

24576:ZylPvUkr6Awm98vUUZ9MF4xZaLEuSsbkHJW9:MlPsawm98vtZS4xZaxVbAJW

Score

10^/10

healer redline dark discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

dark

185.161.248.73:4164

Attributes

auth_value
ae85b01f66afe8770afeed560513fc2d

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/memory/4304-2151-0x0000000005860000-0x000000000586A000-memory.dmp	healer
behavioral1/files/0x000c000000023b9e-2156.dat	healer
behavioral1/memory/6388-2164-0x00000000008C0000-0x00000000008CA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/memory/6744-4321-0x0000000005760000-0x0000000005792000-memory.dmp	family_redline
behavioral1/files/0x000e000000023bae-4326.dat	family_redline
behavioral1/memory/3316-4328-0x0000000000D70000-0x0000000000DA0000-memory.dmp	family_redline

Redline family
redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	96220809.exe

Executes dropped EXE 5 IoCs

pid	Process
3320	un286883.exe
4304	96220809.exe
6388	1.exe
6744	rk753461.exe
3316	si994612.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3ec64d23df85a929a4dbc5aac12d106faa616f05bf0c101d55b847dde1bbb564.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un286883.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
6616	4304	WerFault.exe	84
3736	6744	WerFault.exe	92

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ec64d23df85a929a4dbc5aac12d106faa616f05bf0c101d55b847dde1bbb564.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un286883.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96220809.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rk753461.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	si994612.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
6388	1.exe
6388	1.exe
6388	1.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4304	96220809.exe
Token: SeDebugPrivilege	6744	rk753461.exe
Token: SeDebugPrivilege	6388	1.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 3320	2308	3ec64d23df85a929a4dbc5aac12d106faa616f05bf0c101d55b847dde1bbb564.exe	83
PID 2308 wrote to memory of 3320	2308	3ec64d23df85a929a4dbc5aac12d106faa616f05bf0c101d55b847dde1bbb564.exe	83
PID 2308 wrote to memory of 3320	2308	3ec64d23df85a929a4dbc5aac12d106faa616f05bf0c101d55b847dde1bbb564.exe	83
PID 3320 wrote to memory of 4304	3320	un286883.exe	84
PID 3320 wrote to memory of 4304	3320	un286883.exe	84
PID 3320 wrote to memory of 4304	3320	un286883.exe	84
PID 4304 wrote to memory of 6388	4304	96220809.exe	88
PID 4304 wrote to memory of 6388	4304	96220809.exe	88
PID 3320 wrote to memory of 6744	3320	un286883.exe	92
PID 3320 wrote to memory of 6744	3320	un286883.exe	92
PID 3320 wrote to memory of 6744	3320	un286883.exe	92
PID 2308 wrote to memory of 3316	2308	3ec64d23df85a929a4dbc5aac12d106faa616f05bf0c101d55b847dde1bbb564.exe	99
PID 2308 wrote to memory of 3316	2308	3ec64d23df85a929a4dbc5aac12d106faa616f05bf0c101d55b847dde1bbb564.exe	99
PID 2308 wrote to memory of 3316	2308	3ec64d23df85a929a4dbc5aac12d106faa616f05bf0c101d55b847dde1bbb564.exe	99

C:\Users\Admin\AppData\Local\Temp\3ec64d23df85a929a4dbc5aac12d106faa616f05bf0c101d55b847dde1bbb564.exe
"C:\Users\Admin\AppData\Local\Temp\3ec64d23df85a929a4dbc5aac12d106faa616f05bf0c101d55b847dde1bbb564.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un286883.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un286883.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3320
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\96220809.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\96220809.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4304
  - - C:\Windows\Temp\1.exe
      "C:\Windows\Temp\1.exe"
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:6388
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 1376
      4⤵
      Program crash
      PID:6616
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk753461.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk753461.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:6744
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6744 -s 1260
      4⤵
      Program crash
      PID:3736
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si994612.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si994612.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4304 -ip 4304
1⤵
PID:6568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 6744 -ip 6744
1⤵
PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si994612.exe

Filesize
168KB

MD5
89553294445096f7753810e4731c7872

SHA1
9e69f0232fab5a79bf5d3532134b2f8c12155157

SHA256
6d4d8155891813d11c89f7c7197e9e8a5c1738ce097dbbe6277b274ff49815a8

SHA512
52cf755a404b846c377751ed6942818f1bf940f31d1f268e77b647a9b6e2de6ef503b37f7ef6d4aab160186ea7478c95722676170ebf964ecae6834ef7cfa068

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un286883.exe

Filesize
805KB

MD5
f6120b6feec5459ac190c8857bfe5224

SHA1
1955f2ba7cb7fb08dd5570594ddfdb105e1384f0

SHA256
3994ac096cfae3d29efdbab0eb0871d0ade583eee2f4cde97599f8db33cbae48

SHA512
da7d15cc67908d3f1250b35795356d3e163339dfced9da70247ee0069b6f60a9175b9f1bc2f5437ede5ba48d52b3e93a72f1bc580f894bd892626d33ee573383

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\96220809.exe

Filesize
479KB

MD5
e2942ac47305d10ab306f10196e8a602

SHA1
affb8533d27d6df79a846cc11559feac809e59a9

SHA256
08b14ac4350cb12db468bdbe1654306466205573d8fc54f2bb1c3fd6a23322ec

SHA512
769f1c8a4ae999449f7c70212d21974b5a5ed1d7920ac306eb0fa5f6d18f5aea8efeb0f76d50bf40367cb440e6b90b8a65222f204ac0fc265d0f2cd4f9e067d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk753461.exe

Filesize
539KB

MD5
73bcf48aad849659ce3ed63ad2257f3a

SHA1
97af0cdaa3812786439f028ef0585d1d2f7df741

SHA256
deaec4f582369bae16dda0e8e1dec2cabeff916cad8e04f4be7acc3a56c50b07

SHA512
2c5b5668f622d249c7a6af35767c7192581d183977670c0c56d658fedf5dc8d1c3b03e14df83dc09ead74cceb36a91b145e69654e9a6778a050b0222a233c899

Download Submit
C:\Windows\Temp\1.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
memory/3316-4334-0x00000000057A0000-0x00000000057EC000-memory.dmp

Filesize
304KB

Download
memory/3316-4333-0x0000000005760000-0x000000000579C000-memory.dmp

Filesize
240KB

Download
memory/3316-4332-0x00000000056E0000-0x00000000056F2000-memory.dmp

Filesize
72KB

Download
memory/3316-4331-0x0000000005830000-0x000000000593A000-memory.dmp

Filesize
1.0MB

Download
memory/3316-4330-0x0000000005D40000-0x0000000006358000-memory.dmp

Filesize
6.1MB

Download
memory/3316-4329-0x0000000003140000-0x0000000003146000-memory.dmp

Filesize
24KB

Download
memory/3316-4328-0x0000000000D70000-0x0000000000DA0000-memory.dmp

Filesize
192KB

Download
memory/4304-39-0x0000000005670000-0x00000000056C1000-memory.dmp

Filesize
324KB

Download
memory/4304-25-0x0000000005670000-0x00000000056C1000-memory.dmp

Filesize
324KB

Download
memory/4304-75-0x0000000005670000-0x00000000056C1000-memory.dmp

Filesize
324KB

Download
memory/4304-73-0x0000000005670000-0x00000000056C1000-memory.dmp

Filesize
324KB

Download
memory/4304-71-0x0000000005670000-0x00000000056C1000-memory.dmp

Filesize
324KB

Download
memory/4304-69-0x0000000005670000-0x00000000056C1000-memory.dmp

Filesize
324KB

Download
memory/4304-65-0x0000000005670000-0x00000000056C1000-memory.dmp

Filesize
324KB

Download
memory/4304-63-0x0000000005670000-0x00000000056C1000-memory.dmp

Filesize
324KB

Download
memory/4304-61-0x0000000005670000-0x00000000056C1000-memory.dmp

Filesize
324KB

Download
memory/4304-59-0x0000000005670000-0x00000000056C1000-memory.dmp

Filesize
324KB

Download
memory/4304-57-0x0000000005670000-0x00000000056C1000-memory.dmp

Filesize
324KB

Download
memory/4304-55-0x0000000005670000-0x00000000056C1000-memory.dmp

Filesize
324KB

Download
memory/4304-51-0x0000000005670000-0x00000000056C1000-memory.dmp

Filesize
324KB

Download
memory/4304-49-0x0000000005670000-0x00000000056C1000-memory.dmp

Filesize
324KB

Download
memory/4304-47-0x0000000005670000-0x00000000056C1000-memory.dmp

Filesize
324KB

Download
memory/4304-45-0x0000000005670000-0x00000000056C1000-memory.dmp

Filesize
324KB

Download
memory/4304-43-0x0000000005670000-0x00000000056C1000-memory.dmp

Filesize
324KB

Download
memory/4304-41-0x0000000005670000-0x00000000056C1000-memory.dmp

Filesize
324KB

Download
memory/4304-79-0x0000000005670000-0x00000000056C1000-memory.dmp

Filesize
324KB

Download
memory/4304-37-0x0000000005670000-0x00000000056C1000-memory.dmp

Filesize
324KB

Download
memory/4304-35-0x0000000005670000-0x00000000056C1000-memory.dmp

Filesize
324KB

Download
memory/4304-33-0x0000000005670000-0x00000000056C1000-memory.dmp

Filesize
324KB

Download
memory/4304-31-0x0000000005670000-0x00000000056C1000-memory.dmp

Filesize
324KB

Download
memory/4304-29-0x0000000005670000-0x00000000056C1000-memory.dmp

Filesize
324KB

Download
memory/4304-27-0x0000000005670000-0x00000000056C1000-memory.dmp

Filesize
324KB

Download
memory/4304-77-0x0000000005670000-0x00000000056C1000-memory.dmp

Filesize
324KB

Download
memory/4304-23-0x0000000005670000-0x00000000056C1000-memory.dmp

Filesize
324KB

Download
memory/4304-22-0x0000000005670000-0x00000000056C1000-memory.dmp

Filesize
324KB

Download
memory/4304-67-0x0000000005670000-0x00000000056C1000-memory.dmp

Filesize
324KB

Download
memory/4304-53-0x0000000005670000-0x00000000056C1000-memory.dmp

Filesize
324KB

Download
memory/4304-2150-0x0000000000B60000-0x0000000000C60000-memory.dmp

Filesize
1024KB

Download
memory/4304-2151-0x0000000005860000-0x000000000586A000-memory.dmp

Filesize
40KB

Download
memory/4304-83-0x0000000005670000-0x00000000056C1000-memory.dmp

Filesize
324KB

Download
memory/4304-15-0x0000000000B60000-0x0000000000C60000-memory.dmp

Filesize
1024KB

Download
memory/4304-2166-0x00000000008F0000-0x000000000093C000-memory.dmp

Filesize
304KB

Download
memory/4304-2167-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4304-2168-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/4304-85-0x0000000005670000-0x00000000056C1000-memory.dmp

Filesize
324KB

Download
memory/4304-16-0x00000000008F0000-0x000000000093C000-memory.dmp

Filesize
304KB

Download
memory/4304-17-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4304-18-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/4304-19-0x0000000002540000-0x0000000002598000-memory.dmp

Filesize
352KB

Download
memory/4304-81-0x0000000005670000-0x00000000056C1000-memory.dmp

Filesize
324KB

Download
memory/4304-21-0x0000000005670000-0x00000000056C6000-memory.dmp

Filesize
344KB

Download
memory/4304-20-0x0000000005080000-0x0000000005624000-memory.dmp

Filesize
5.6MB

Download
memory/6388-2164-0x00000000008C0000-0x00000000008CA000-memory.dmp

Filesize
40KB

Download
memory/6744-4322-0x0000000005790000-0x0000000005822000-memory.dmp

Filesize
584KB

Download
memory/6744-4321-0x0000000005760000-0x0000000005792000-memory.dmp

Filesize
200KB

Download
memory/6744-2174-0x0000000005570000-0x00000000055D6000-memory.dmp

Filesize
408KB

Download
memory/6744-2173-0x0000000004DC0000-0x0000000004E28000-memory.dmp

Filesize
416KB

Download