healer | d7ffda5a10b05ed1c7a031e971cc178c7c572120d385252adb84c68bfe44bf46

Analysis

max time kernel
143s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/11/2024, 21:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7ffda5a10b05ed1c7a031e971cc178c7c572120d385252adb84c68bfe44bf46.exe
Size

706KB
MD5

57974201e32e9063f4a9691b0f86a62c
SHA1

00417f075256c4fc244e3cea0bf963e3c3b52b0e
SHA256

d7ffda5a10b05ed1c7a031e971cc178c7c572120d385252adb84c68bfe44bf46
SHA512

21c8416c11b803a7027b316e29c8665b3256c0e7c196e47d53b4d02fb3fc4ea61ae99a63610aafa0c2be3919f0a8f63d7b52fb27ea50bb4bd7ea8dbf579dce5d
SSDEEP

12288:jy90rozfxbH47bnmRmuGtx6tfgFfi2TjItshrsdg212oyzP/u9F6EMO6:jyoKxkbnmrf1UjI0gZ1hyK9gE+

Score

10^/10

healer redline discovery dropper evasion infostealer persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/4996-18-0x00000000030F0000-0x000000000310A000-memory.dmp	healer
behavioral1/memory/4996-20-0x0000000004B00000-0x0000000004B18000-memory.dmp	healer
behavioral1/memory/4996-36-0x0000000004B00000-0x0000000004B12000-memory.dmp	healer
behavioral1/memory/4996-48-0x0000000004B00000-0x0000000004B12000-memory.dmp	healer
behavioral1/memory/4996-46-0x0000000004B00000-0x0000000004B12000-memory.dmp	healer
behavioral1/memory/4996-44-0x0000000004B00000-0x0000000004B12000-memory.dmp	healer
behavioral1/memory/4996-42-0x0000000004B00000-0x0000000004B12000-memory.dmp	healer
behavioral1/memory/4996-40-0x0000000004B00000-0x0000000004B12000-memory.dmp	healer
behavioral1/memory/4996-38-0x0000000004B00000-0x0000000004B12000-memory.dmp	healer
behavioral1/memory/4996-32-0x0000000004B00000-0x0000000004B12000-memory.dmp	healer
behavioral1/memory/4996-30-0x0000000004B00000-0x0000000004B12000-memory.dmp	healer
behavioral1/memory/4996-28-0x0000000004B00000-0x0000000004B12000-memory.dmp	healer
behavioral1/memory/4996-26-0x0000000004B00000-0x0000000004B12000-memory.dmp	healer
behavioral1/memory/4996-24-0x0000000004B00000-0x0000000004B12000-memory.dmp	healer
behavioral1/memory/4996-22-0x0000000004B00000-0x0000000004B12000-memory.dmp	healer
behavioral1/memory/4996-21-0x0000000004B00000-0x0000000004B12000-memory.dmp	healer
behavioral1/memory/4996-34-0x0000000004B00000-0x0000000004B12000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr036887.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr036887.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr036887.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr036887.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr036887.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr036887.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/3440-60-0x0000000004890000-0x00000000048CC000-memory.dmp	family_redline
behavioral1/memory/3440-61-0x0000000007780000-0x00000000077BA000-memory.dmp	family_redline
behavioral1/memory/3440-75-0x0000000007780000-0x00000000077B5000-memory.dmp	family_redline
behavioral1/memory/3440-83-0x0000000007780000-0x00000000077B5000-memory.dmp	family_redline
behavioral1/memory/3440-93-0x0000000007780000-0x00000000077B5000-memory.dmp	family_redline
behavioral1/memory/3440-91-0x0000000007780000-0x00000000077B5000-memory.dmp	family_redline
behavioral1/memory/3440-89-0x0000000007780000-0x00000000077B5000-memory.dmp	family_redline
behavioral1/memory/3440-87-0x0000000007780000-0x00000000077B5000-memory.dmp	family_redline
behavioral1/memory/3440-81-0x0000000007780000-0x00000000077B5000-memory.dmp	family_redline
behavioral1/memory/3440-79-0x0000000007780000-0x00000000077B5000-memory.dmp	family_redline
behavioral1/memory/3440-77-0x0000000007780000-0x00000000077B5000-memory.dmp	family_redline
behavioral1/memory/3440-73-0x0000000007780000-0x00000000077B5000-memory.dmp	family_redline
behavioral1/memory/3440-71-0x0000000007780000-0x00000000077B5000-memory.dmp	family_redline
behavioral1/memory/3440-69-0x0000000007780000-0x00000000077B5000-memory.dmp	family_redline
behavioral1/memory/3440-67-0x0000000007780000-0x00000000077B5000-memory.dmp	family_redline
behavioral1/memory/3440-95-0x0000000007780000-0x00000000077B5000-memory.dmp	family_redline
behavioral1/memory/3440-85-0x0000000007780000-0x00000000077B5000-memory.dmp	family_redline
behavioral1/memory/3440-65-0x0000000007780000-0x00000000077B5000-memory.dmp	family_redline
behavioral1/memory/3440-63-0x0000000007780000-0x00000000077B5000-memory.dmp	family_redline
behavioral1/memory/3440-62-0x0000000007780000-0x00000000077B5000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
4948	un277750.exe
4996	pr036887.exe
3440	qu983213.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr036887.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr036887.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d7ffda5a10b05ed1c7a031e971cc178c7c572120d385252adb84c68bfe44bf46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un277750.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4136	4996	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d7ffda5a10b05ed1c7a031e971cc178c7c572120d385252adb84c68bfe44bf46.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un277750.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pr036887.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu983213.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4996	pr036887.exe
4996	pr036887.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4996	pr036887.exe
Token: SeDebugPrivilege	3440	qu983213.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3792 wrote to memory of 4948	3792	d7ffda5a10b05ed1c7a031e971cc178c7c572120d385252adb84c68bfe44bf46.exe	83
PID 3792 wrote to memory of 4948	3792	d7ffda5a10b05ed1c7a031e971cc178c7c572120d385252adb84c68bfe44bf46.exe	83
PID 3792 wrote to memory of 4948	3792	d7ffda5a10b05ed1c7a031e971cc178c7c572120d385252adb84c68bfe44bf46.exe	83
PID 4948 wrote to memory of 4996	4948	un277750.exe	84
PID 4948 wrote to memory of 4996	4948	un277750.exe	84
PID 4948 wrote to memory of 4996	4948	un277750.exe	84
PID 4948 wrote to memory of 3440	4948	un277750.exe	100
PID 4948 wrote to memory of 3440	4948	un277750.exe	100
PID 4948 wrote to memory of 3440	4948	un277750.exe	100

C:\Users\Admin\AppData\Local\Temp\d7ffda5a10b05ed1c7a031e971cc178c7c572120d385252adb84c68bfe44bf46.exe
"C:\Users\Admin\AppData\Local\Temp\d7ffda5a10b05ed1c7a031e971cc178c7c572120d385252adb84c68bfe44bf46.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3792
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un277750.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un277750.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4948
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr036887.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr036887.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4996
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 1092
      4⤵
      Program crash
      PID:4136
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu983213.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu983213.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4996 -ip 4996
1⤵
PID:1064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un277750.exe

Filesize
551KB

MD5
3a7c2e7a089436e40df35bf6787b1685

SHA1
d59675fdce13f9c02258411d5eefd3af955f6f4b

SHA256
659887f28a31e14a5ade1a4ea881862487ddd80fa7845e222a8689b353a1a1cd

SHA512
1f179f4091798c8640c1a8004dacd6b669e01abb71f02af3190c0e5891fd76da9608a413ee72fc78eb6a96e5fa68bcaaa6728468f680b9e2778c34a4df3aa848

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr036887.exe

Filesize
286KB

MD5
afafb733cf7045ae764dc5d62456624c

SHA1
15b2f806e681ac96b207638c4eb163f9bc9b1946

SHA256
bad12e3fcc63aab6238ff655f0749ee08b619ee137be31b6c715312552f5f724

SHA512
943ed213e68d7b14c042da9e4cc81d5ac1b65ca0d45fe04ceaa08f6b4d7031bb84f8109248d1b1928adf435ce7b0874aef86a37a700adb5e297ef6d05d8d7a22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu983213.exe

Filesize
369KB

MD5
8379a94e1e2ce6c528e0328793151a19

SHA1
2bc83cf0b513308ab6add42abd83944c2f9305b3

SHA256
71c46ceb68ec53e599811adadd706c48b38ab7fa221e7182dc4fd2e372724fda

SHA512
83a699cfaa94e82d51de079bdeef2cd3120426f93cc69f94489cb4642ad7e690d43b758515fff0e4c9e681db98da1864ca7109b8135c3f7825e0a475a7123e9d

Download Submit
memory/3440-69-0x0000000007780000-0x00000000077B5000-memory.dmp

Filesize
212KB

Download
memory/3440-73-0x0000000007780000-0x00000000077B5000-memory.dmp

Filesize
212KB

Download
memory/3440-855-0x000000000A350000-0x000000000A362000-memory.dmp

Filesize
72KB

Download
memory/3440-854-0x0000000009C90000-0x000000000A2A8000-memory.dmp

Filesize
6.1MB

Download
memory/3440-62-0x0000000007780000-0x00000000077B5000-memory.dmp

Filesize
212KB

Download
memory/3440-63-0x0000000007780000-0x00000000077B5000-memory.dmp

Filesize
212KB

Download
memory/3440-65-0x0000000007780000-0x00000000077B5000-memory.dmp

Filesize
212KB

Download
memory/3440-85-0x0000000007780000-0x00000000077B5000-memory.dmp

Filesize
212KB

Download
memory/3440-95-0x0000000007780000-0x00000000077B5000-memory.dmp

Filesize
212KB

Download
memory/3440-67-0x0000000007780000-0x00000000077B5000-memory.dmp

Filesize
212KB

Download
memory/3440-857-0x000000000A490000-0x000000000A4CC000-memory.dmp

Filesize
240KB

Download
memory/3440-858-0x0000000004A70000-0x0000000004ABC000-memory.dmp

Filesize
304KB

Download
memory/3440-71-0x0000000007780000-0x00000000077B5000-memory.dmp

Filesize
212KB

Download
memory/3440-856-0x000000000A370000-0x000000000A47A000-memory.dmp

Filesize
1.0MB

Download
memory/3440-77-0x0000000007780000-0x00000000077B5000-memory.dmp

Filesize
212KB

Download
memory/3440-79-0x0000000007780000-0x00000000077B5000-memory.dmp

Filesize
212KB

Download
memory/3440-81-0x0000000007780000-0x00000000077B5000-memory.dmp

Filesize
212KB

Download
memory/3440-87-0x0000000007780000-0x00000000077B5000-memory.dmp

Filesize
212KB

Download
memory/3440-89-0x0000000007780000-0x00000000077B5000-memory.dmp

Filesize
212KB

Download
memory/3440-91-0x0000000007780000-0x00000000077B5000-memory.dmp

Filesize
212KB

Download
memory/3440-93-0x0000000007780000-0x00000000077B5000-memory.dmp

Filesize
212KB

Download
memory/3440-83-0x0000000007780000-0x00000000077B5000-memory.dmp

Filesize
212KB

Download
memory/3440-75-0x0000000007780000-0x00000000077B5000-memory.dmp

Filesize
212KB

Download
memory/3440-61-0x0000000007780000-0x00000000077BA000-memory.dmp

Filesize
232KB

Download
memory/3440-60-0x0000000004890000-0x00000000048CC000-memory.dmp

Filesize
240KB

Download
memory/4996-40-0x0000000004B00000-0x0000000004B12000-memory.dmp

Filesize
72KB

Download
memory/4996-54-0x0000000000400000-0x0000000002BB1000-memory.dmp

Filesize
39.7MB

Download
memory/4996-55-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4996-52-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4996-51-0x0000000000400000-0x0000000002BB1000-memory.dmp

Filesize
39.7MB

Download
memory/4996-50-0x0000000002BC0000-0x0000000002BED000-memory.dmp

Filesize
180KB

Download
memory/4996-49-0x0000000002E50000-0x0000000002F50000-memory.dmp

Filesize
1024KB

Download
memory/4996-34-0x0000000004B00000-0x0000000004B12000-memory.dmp

Filesize
72KB

Download
memory/4996-21-0x0000000004B00000-0x0000000004B12000-memory.dmp

Filesize
72KB

Download
memory/4996-22-0x0000000004B00000-0x0000000004B12000-memory.dmp

Filesize
72KB

Download
memory/4996-24-0x0000000004B00000-0x0000000004B12000-memory.dmp

Filesize
72KB

Download
memory/4996-26-0x0000000004B00000-0x0000000004B12000-memory.dmp

Filesize
72KB

Download
memory/4996-28-0x0000000004B00000-0x0000000004B12000-memory.dmp

Filesize
72KB

Download
memory/4996-30-0x0000000004B00000-0x0000000004B12000-memory.dmp

Filesize
72KB

Download
memory/4996-32-0x0000000004B00000-0x0000000004B12000-memory.dmp

Filesize
72KB

Download
memory/4996-38-0x0000000004B00000-0x0000000004B12000-memory.dmp

Filesize
72KB

Download
memory/4996-42-0x0000000004B00000-0x0000000004B12000-memory.dmp

Filesize
72KB

Download
memory/4996-44-0x0000000004B00000-0x0000000004B12000-memory.dmp

Filesize
72KB

Download
memory/4996-46-0x0000000004B00000-0x0000000004B12000-memory.dmp

Filesize
72KB

Download
memory/4996-48-0x0000000004B00000-0x0000000004B12000-memory.dmp

Filesize
72KB

Download
memory/4996-36-0x0000000004B00000-0x0000000004B12000-memory.dmp

Filesize
72KB

Download
memory/4996-20-0x0000000004B00000-0x0000000004B18000-memory.dmp

Filesize
96KB

Download
memory/4996-19-0x0000000007310000-0x00000000078B4000-memory.dmp

Filesize
5.6MB

Download
memory/4996-18-0x00000000030F0000-0x000000000310A000-memory.dmp

Filesize
104KB

Download
memory/4996-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4996-16-0x0000000002BC0000-0x0000000002BED000-memory.dmp

Filesize
180KB

Download
memory/4996-15-0x0000000002E50000-0x0000000002F50000-memory.dmp

Filesize
1024KB

Download