healer | 7c5d2d30b0dc6929f93245cd7ce41fc262589c6debe02484ee0e4591c946e4c7

Analysis

max time kernel
143s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/11/2024, 23:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c5d2d30b0dc6929f93245cd7ce41fc262589c6debe02484ee0e4591c946e4c7.exe
Size

698KB
MD5

191fbcef3292dc4e1c44f2be68bb7fdc
SHA1

106f9f290f822ddb8c5205c9aa36d80ab1bbbe97
SHA256

7c5d2d30b0dc6929f93245cd7ce41fc262589c6debe02484ee0e4591c946e4c7
SHA512

39d808c8dcf29fd574e7a4d02e880340bc66094d6d7d4c4dc199453d63ce22dfe54ba6ebcb3097734e87d45d7803b3b1f614c3029b8e9d367479fdbc371371dd
SSDEEP

12288:3y90Cxkl8rNT2fUqnt5zOlo3lWt9L9WwUIvjogG7aVtLBtWO2c:3yLxaGaUqnKmAt9LHMd7aDzH2c

Score

10^/10

healer redline discovery dropper evasion infostealer persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/3164-18-0x0000000004A90000-0x0000000004AAA000-memory.dmp	healer
behavioral1/memory/3164-20-0x0000000004CE0000-0x0000000004CF8000-memory.dmp	healer
behavioral1/memory/3164-36-0x0000000004CE0000-0x0000000004CF2000-memory.dmp	healer
behavioral1/memory/3164-46-0x0000000004CE0000-0x0000000004CF2000-memory.dmp	healer
behavioral1/memory/3164-44-0x0000000004CE0000-0x0000000004CF2000-memory.dmp	healer
behavioral1/memory/3164-42-0x0000000004CE0000-0x0000000004CF2000-memory.dmp	healer
behavioral1/memory/3164-41-0x0000000004CE0000-0x0000000004CF2000-memory.dmp	healer
behavioral1/memory/3164-38-0x0000000004CE0000-0x0000000004CF2000-memory.dmp	healer
behavioral1/memory/3164-34-0x0000000004CE0000-0x0000000004CF2000-memory.dmp	healer
behavioral1/memory/3164-32-0x0000000004CE0000-0x0000000004CF2000-memory.dmp	healer
behavioral1/memory/3164-28-0x0000000004CE0000-0x0000000004CF2000-memory.dmp	healer
behavioral1/memory/3164-26-0x0000000004CE0000-0x0000000004CF2000-memory.dmp	healer
behavioral1/memory/3164-24-0x0000000004CE0000-0x0000000004CF2000-memory.dmp	healer
behavioral1/memory/3164-22-0x0000000004CE0000-0x0000000004CF2000-memory.dmp	healer
behavioral1/memory/3164-21-0x0000000004CE0000-0x0000000004CF2000-memory.dmp	healer
behavioral1/memory/3164-30-0x0000000004CE0000-0x0000000004CF2000-memory.dmp	healer
behavioral1/memory/3164-48-0x0000000004CE0000-0x0000000004CF2000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr667489.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr667489.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr667489.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr667489.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr667489.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr667489.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/3268-60-0x0000000004B20000-0x0000000004B5C000-memory.dmp	family_redline
behavioral1/memory/3268-61-0x00000000070A0000-0x00000000070DA000-memory.dmp	family_redline
behavioral1/memory/3268-75-0x00000000070A0000-0x00000000070D5000-memory.dmp	family_redline
behavioral1/memory/3268-79-0x00000000070A0000-0x00000000070D5000-memory.dmp	family_redline
behavioral1/memory/3268-95-0x00000000070A0000-0x00000000070D5000-memory.dmp	family_redline
behavioral1/memory/3268-91-0x00000000070A0000-0x00000000070D5000-memory.dmp	family_redline
behavioral1/memory/3268-89-0x00000000070A0000-0x00000000070D5000-memory.dmp	family_redline
behavioral1/memory/3268-87-0x00000000070A0000-0x00000000070D5000-memory.dmp	family_redline
behavioral1/memory/3268-85-0x00000000070A0000-0x00000000070D5000-memory.dmp	family_redline
behavioral1/memory/3268-83-0x00000000070A0000-0x00000000070D5000-memory.dmp	family_redline
behavioral1/memory/3268-82-0x00000000070A0000-0x00000000070D5000-memory.dmp	family_redline
behavioral1/memory/3268-77-0x00000000070A0000-0x00000000070D5000-memory.dmp	family_redline
behavioral1/memory/3268-73-0x00000000070A0000-0x00000000070D5000-memory.dmp	family_redline
behavioral1/memory/3268-71-0x00000000070A0000-0x00000000070D5000-memory.dmp	family_redline
behavioral1/memory/3268-93-0x00000000070A0000-0x00000000070D5000-memory.dmp	family_redline
behavioral1/memory/3268-69-0x00000000070A0000-0x00000000070D5000-memory.dmp	family_redline
behavioral1/memory/3268-67-0x00000000070A0000-0x00000000070D5000-memory.dmp	family_redline
behavioral1/memory/3268-65-0x00000000070A0000-0x00000000070D5000-memory.dmp	family_redline
behavioral1/memory/3268-63-0x00000000070A0000-0x00000000070D5000-memory.dmp	family_redline
behavioral1/memory/3268-62-0x00000000070A0000-0x00000000070D5000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
4056	un694962.exe
3164	pr667489.exe
3268	qu690901.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr667489.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr667489.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7c5d2d30b0dc6929f93245cd7ce41fc262589c6debe02484ee0e4591c946e4c7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un694962.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1668	3164	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu690901.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7c5d2d30b0dc6929f93245cd7ce41fc262589c6debe02484ee0e4591c946e4c7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un694962.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pr667489.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3164	pr667489.exe
3164	pr667489.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3164	pr667489.exe
Token: SeDebugPrivilege	3268	qu690901.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3456 wrote to memory of 4056	3456	7c5d2d30b0dc6929f93245cd7ce41fc262589c6debe02484ee0e4591c946e4c7.exe	84
PID 3456 wrote to memory of 4056	3456	7c5d2d30b0dc6929f93245cd7ce41fc262589c6debe02484ee0e4591c946e4c7.exe	84
PID 3456 wrote to memory of 4056	3456	7c5d2d30b0dc6929f93245cd7ce41fc262589c6debe02484ee0e4591c946e4c7.exe	84
PID 4056 wrote to memory of 3164	4056	un694962.exe	85
PID 4056 wrote to memory of 3164	4056	un694962.exe	85
PID 4056 wrote to memory of 3164	4056	un694962.exe	85
PID 4056 wrote to memory of 3268	4056	un694962.exe	95
PID 4056 wrote to memory of 3268	4056	un694962.exe	95
PID 4056 wrote to memory of 3268	4056	un694962.exe	95

C:\Users\Admin\AppData\Local\Temp\7c5d2d30b0dc6929f93245cd7ce41fc262589c6debe02484ee0e4591c946e4c7.exe
"C:\Users\Admin\AppData\Local\Temp\7c5d2d30b0dc6929f93245cd7ce41fc262589c6debe02484ee0e4591c946e4c7.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3456
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un694962.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un694962.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4056
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr667489.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr667489.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3164
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 1080
      4⤵
      Program crash
      PID:1668
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu690901.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu690901.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3164 -ip 3164
1⤵
PID:3304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un694962.exe

Filesize
543KB

MD5
6e5f6e771811753fb83664b5c4a9150b

SHA1
5b400f267ec4376411a00a44f1127191a925e5af

SHA256
39bc84d8afd191e9ca9747a10ad6ffdec4c41e235ef7cf7b06e4f3e4e60ebf8a

SHA512
c92d4ef0ae37cd921b0707dc487904f5ad6563df76180c7a99c273dddce2acf5721de0e9eddebb16dd65ceb01461f1c4b9cc34dfbdd59040383c17f2bd92c5ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr667489.exe

Filesize
269KB

MD5
f76808ab59dc4249cd1423d8f5669eb5

SHA1
9b621db9415c2edf8e8324abd1f9b18ebf3a1452

SHA256
0576bb428eb9fce5924651e5b6c0341fee74f39787b9738397a9f6de31c75452

SHA512
d29383a56e34eb69ec7d9147d0a4fa2976e88823c4b3d4352976df1e2774aac64b5e8c0d5e45818981fa324fe6ad8cde3f7f89d9f39784148ee655a876dc8700

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu690901.exe

Filesize
352KB

MD5
a597907399aa925179d4923ac1594417

SHA1
8a2b76dc0339150c68c061eaf75d5854ab8eb657

SHA256
47fdc386ea561e01554b8474e6324c78614cca551471b2627c7d53546e640982

SHA512
ac29c7a9a8d70cdddddf0644e67325a8e8ab4c31012e217d5e13cf8560426f977842644e30f2408ef9a78ccb25ecd0481e4084feaec0e7daff0fff8101e93bdd

Download Submit
memory/3164-15-0x0000000002BF0000-0x0000000002CF0000-memory.dmp

Filesize
1024KB

Download
memory/3164-16-0x0000000002BB0000-0x0000000002BDD000-memory.dmp

Filesize
180KB

Download
memory/3164-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3164-18-0x0000000004A90000-0x0000000004AAA000-memory.dmp

Filesize
104KB

Download
memory/3164-19-0x0000000007390000-0x0000000007934000-memory.dmp

Filesize
5.6MB

Download
memory/3164-20-0x0000000004CE0000-0x0000000004CF8000-memory.dmp

Filesize
96KB

Download
memory/3164-36-0x0000000004CE0000-0x0000000004CF2000-memory.dmp

Filesize
72KB

Download
memory/3164-46-0x0000000004CE0000-0x0000000004CF2000-memory.dmp

Filesize
72KB

Download
memory/3164-44-0x0000000004CE0000-0x0000000004CF2000-memory.dmp

Filesize
72KB

Download
memory/3164-42-0x0000000004CE0000-0x0000000004CF2000-memory.dmp

Filesize
72KB

Download
memory/3164-41-0x0000000004CE0000-0x0000000004CF2000-memory.dmp

Filesize
72KB

Download
memory/3164-38-0x0000000004CE0000-0x0000000004CF2000-memory.dmp

Filesize
72KB

Download
memory/3164-34-0x0000000004CE0000-0x0000000004CF2000-memory.dmp

Filesize
72KB

Download
memory/3164-32-0x0000000004CE0000-0x0000000004CF2000-memory.dmp

Filesize
72KB

Download
memory/3164-28-0x0000000004CE0000-0x0000000004CF2000-memory.dmp

Filesize
72KB

Download
memory/3164-26-0x0000000004CE0000-0x0000000004CF2000-memory.dmp

Filesize
72KB

Download
memory/3164-24-0x0000000004CE0000-0x0000000004CF2000-memory.dmp

Filesize
72KB

Download
memory/3164-22-0x0000000004CE0000-0x0000000004CF2000-memory.dmp

Filesize
72KB

Download
memory/3164-21-0x0000000004CE0000-0x0000000004CF2000-memory.dmp

Filesize
72KB

Download
memory/3164-30-0x0000000004CE0000-0x0000000004CF2000-memory.dmp

Filesize
72KB

Download
memory/3164-48-0x0000000004CE0000-0x0000000004CF2000-memory.dmp

Filesize
72KB

Download
memory/3164-49-0x0000000002BF0000-0x0000000002CF0000-memory.dmp

Filesize
1024KB

Download
memory/3164-51-0x0000000002BB0000-0x0000000002BDD000-memory.dmp

Filesize
180KB

Download
memory/3164-50-0x0000000000400000-0x0000000002BAD000-memory.dmp

Filesize
39.7MB

Download
memory/3164-52-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3164-55-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3164-54-0x0000000000400000-0x0000000002BAD000-memory.dmp

Filesize
39.7MB

Download
memory/3268-60-0x0000000004B20000-0x0000000004B5C000-memory.dmp

Filesize
240KB

Download
memory/3268-61-0x00000000070A0000-0x00000000070DA000-memory.dmp

Filesize
232KB

Download
memory/3268-75-0x00000000070A0000-0x00000000070D5000-memory.dmp

Filesize
212KB

Download
memory/3268-79-0x00000000070A0000-0x00000000070D5000-memory.dmp

Filesize
212KB

Download
memory/3268-95-0x00000000070A0000-0x00000000070D5000-memory.dmp

Filesize
212KB

Download
memory/3268-91-0x00000000070A0000-0x00000000070D5000-memory.dmp

Filesize
212KB

Download
memory/3268-89-0x00000000070A0000-0x00000000070D5000-memory.dmp

Filesize
212KB

Download
memory/3268-87-0x00000000070A0000-0x00000000070D5000-memory.dmp

Filesize
212KB

Download
memory/3268-85-0x00000000070A0000-0x00000000070D5000-memory.dmp

Filesize
212KB

Download
memory/3268-83-0x00000000070A0000-0x00000000070D5000-memory.dmp

Filesize
212KB

Download
memory/3268-82-0x00000000070A0000-0x00000000070D5000-memory.dmp

Filesize
212KB

Download
memory/3268-77-0x00000000070A0000-0x00000000070D5000-memory.dmp

Filesize
212KB

Download
memory/3268-73-0x00000000070A0000-0x00000000070D5000-memory.dmp

Filesize
212KB

Download
memory/3268-71-0x00000000070A0000-0x00000000070D5000-memory.dmp

Filesize
212KB

Download
memory/3268-93-0x00000000070A0000-0x00000000070D5000-memory.dmp

Filesize
212KB

Download
memory/3268-69-0x00000000070A0000-0x00000000070D5000-memory.dmp

Filesize
212KB

Download
memory/3268-67-0x00000000070A0000-0x00000000070D5000-memory.dmp

Filesize
212KB

Download
memory/3268-65-0x00000000070A0000-0x00000000070D5000-memory.dmp

Filesize
212KB

Download
memory/3268-63-0x00000000070A0000-0x00000000070D5000-memory.dmp

Filesize
212KB

Download
memory/3268-62-0x00000000070A0000-0x00000000070D5000-memory.dmp

Filesize
212KB

Download
memory/3268-854-0x0000000009CB0000-0x000000000A2C8000-memory.dmp

Filesize
6.1MB

Download
memory/3268-855-0x000000000A340000-0x000000000A352000-memory.dmp

Filesize
72KB

Download
memory/3268-856-0x000000000A360000-0x000000000A46A000-memory.dmp

Filesize
1.0MB

Download
memory/3268-857-0x000000000A480000-0x000000000A4BC000-memory.dmp

Filesize
240KB

Download
memory/3268-858-0x0000000006B90000-0x0000000006BDC000-memory.dmp

Filesize
304KB

Download