healer | 97a175ac51dc654f5fdec7d541de1437b1e941475b5b4b1ae2c9c1528f1c8f93

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-11-2024 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97a175ac51dc654f5fdec7d541de1437b1e941475b5b4b1ae2c9c1528f1c8f93.exe
Size

925KB
MD5

fd50c367db0b1d278823509df83a2d0f
SHA1

945e74256dbba334e25065c83ad39803f2771f60
SHA256

97a175ac51dc654f5fdec7d541de1437b1e941475b5b4b1ae2c9c1528f1c8f93
SHA512

f3bd8618f5ce6a12d87491fc103a2c737320fd5adeef968a1393abdcc531da9751e57f57faad56e13a01dd75f233cc611d9e0ac75d37b58722d1079e3a06e5bc
SSDEEP

24576:vygSTFNCGLliYQ4IF1d119EKq7hQ37/HWFopw:6pTlbQjLdP9EhQjHyq

Score

10^/10

healer redline droz norm discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

norm

77.91.124.145:4125

Attributes

auth_value
1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

droz

77.91.124.145:4125

Attributes

auth_value
d099adf6dbf6ccb8e16967104280634a

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023b8f-19.dat	healer
behavioral1/memory/428-22-0x0000000000020000-0x000000000002A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	it972337.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	it972337.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	it972337.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	it972337.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	it972337.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	it972337.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/memory/4752-2112-0x0000000004E80000-0x0000000004EB2000-memory.dmp	family_redline
behavioral1/files/0x000c000000023b7e-2117.dat	family_redline
behavioral1/memory/432-2125-0x0000000000D80000-0x0000000000DB0000-memory.dmp	family_redline
behavioral1/files/0x000a000000023b8d-2134.dat	family_redline
behavioral1/memory/5572-2136-0x00000000004C0000-0x00000000004EE000-memory.dmp	family_redline

Redline family
redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	jr579193.exe

Executes dropped EXE 6 IoCs

pid	Process
872	ziEn5764.exe
1256	ziQL9580.exe
428	it972337.exe
4752	jr579193.exe
432	1.exe
5572	kp440159.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	it972337.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	97a175ac51dc654f5fdec7d541de1437b1e941475b5b4b1ae2c9c1528f1c8f93.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ziEn5764.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ziQL9580.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5548	4752	WerFault.exe	94

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jr579193.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kp440159.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	97a175ac51dc654f5fdec7d541de1437b1e941475b5b4b1ae2c9c1528f1c8f93.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ziEn5764.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ziQL9580.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
428	it972337.exe
428	it972337.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	428	it972337.exe
Token: SeDebugPrivilege	4752	jr579193.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4368 wrote to memory of 872	4368	97a175ac51dc654f5fdec7d541de1437b1e941475b5b4b1ae2c9c1528f1c8f93.exe	83
PID 4368 wrote to memory of 872	4368	97a175ac51dc654f5fdec7d541de1437b1e941475b5b4b1ae2c9c1528f1c8f93.exe	83
PID 4368 wrote to memory of 872	4368	97a175ac51dc654f5fdec7d541de1437b1e941475b5b4b1ae2c9c1528f1c8f93.exe	83
PID 872 wrote to memory of 1256	872	ziEn5764.exe	84
PID 872 wrote to memory of 1256	872	ziEn5764.exe	84
PID 872 wrote to memory of 1256	872	ziEn5764.exe	84
PID 1256 wrote to memory of 428	1256	ziQL9580.exe	86
PID 1256 wrote to memory of 428	1256	ziQL9580.exe	86
PID 1256 wrote to memory of 4752	1256	ziQL9580.exe	94
PID 1256 wrote to memory of 4752	1256	ziQL9580.exe	94
PID 1256 wrote to memory of 4752	1256	ziQL9580.exe	94
PID 4752 wrote to memory of 432	4752	jr579193.exe	95
PID 4752 wrote to memory of 432	4752	jr579193.exe	95
PID 4752 wrote to memory of 432	4752	jr579193.exe	95
PID 872 wrote to memory of 5572	872	ziEn5764.exe	99
PID 872 wrote to memory of 5572	872	ziEn5764.exe	99
PID 872 wrote to memory of 5572	872	ziEn5764.exe	99

C:\Users\Admin\AppData\Local\Temp\97a175ac51dc654f5fdec7d541de1437b1e941475b5b4b1ae2c9c1528f1c8f93.exe
"C:\Users\Admin\AppData\Local\Temp\97a175ac51dc654f5fdec7d541de1437b1e941475b5b4b1ae2c9c1528f1c8f93.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4368
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziEn5764.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziEn5764.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:872
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziQL9580.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziQL9580.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1256
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it972337.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it972337.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:428
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr579193.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr579193.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4752
    - - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:432
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 1516
        5⤵
        Program crash
        
        PID:5548
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp440159.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp440159.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4752 -ip 4752
1⤵
PID:5284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziEn5764.exe

Filesize
660KB

MD5
408c88318caafdd1f23a929ee406735d

SHA1
765a6640a8866a1049cc813c3892a9d1ef20cad9

SHA256
dc4df91961591b6e0ffd3b7b51bc49226cf29ad6950426b61d5edb89f90afb26

SHA512
ebf941fefcd96f28ca3e9eb932ab7d4561afd1b4a594f8c8e259f828849c1b45049c97f43f4b3ce4f8e7fd6e14e72c439e8b262d837757ef92b3228903dcd796

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp440159.exe

Filesize
168KB

MD5
590cc0c4cdef2121c4c0823ef7c19ba2

SHA1
f2e1ea06ddf9ff669b9c06663b2865b5f09ed990

SHA256
60cfad8454ef7244081688b95a5281a068bc8ae7583ca465fd4286b49c26baa2

SHA512
7d0e94aeedce8ea260f57f0fb0ade16a543d11c9908ccbc650f6279a04fe1717f43a260e3ad1eb71150427574b61a0201bf38941fb01ab3f46fb0bcaa1f148ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziQL9580.exe

Filesize
507KB

MD5
715b8e5cba79f105938e5afcfb03814c

SHA1
941251d7dbd61e2561924894b05050212a11fd2f

SHA256
b87985039d2e4c6651229a3dad4198a316b3eb6b3a7ae755d427ada658ad45e6

SHA512
05fa1cf8aca9f445b81fcccbd8bc82775a123cd55c3f83e5da3dc2f2f72bdffcd61dea275a1d26de5ecc36d423515b2495197911042df4f88849b976997ccdce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it972337.exe

Filesize
15KB

MD5
a3dc82e3eb73e3e60dd55339040d9302

SHA1
df1f0ff40c30d3363a929aed5866590ebff65043

SHA256
93ee213a471bd195011351fb252bdcf2069359aa0502f38247b2eac48d399398

SHA512
d0780bdaa72ef562961e19a18af386cbee3d5590dedb428c67f89593a662d0e9cd0b3d9170e34be86d906b904c74303384feb943057b78516d224808b20bfd27

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr579193.exe

Filesize
426KB

MD5
364efe420cd9c1df169b0849aa67d3e8

SHA1
e098cad1a7683ff074e6f3bd9823a4e20685e320

SHA256
cc78df2bc63b6948842aadecfbbcb3d7ab000bf57de4690276b8279ee1336e91

SHA512
314ada27d40b56cbc93d911fa35422babfb9b8a32bc63a9213976d6f70b998467593a991ee5092c75d54718993f3c7cba26c84fc0b9dfb98d13e11d86a0911ce

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1073b2e7f778788852d3f7bb79929882

SHA1
7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

SHA256
c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

SHA512
90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

Download Submit
memory/428-21-0x00007FFA73483000-0x00007FFA73485000-memory.dmp

Filesize
8KB

Download
memory/428-22-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download
memory/428-23-0x00007FFA73483000-0x00007FFA73485000-memory.dmp

Filesize
8KB

Download
memory/432-2125-0x0000000000D80000-0x0000000000DB0000-memory.dmp

Filesize
192KB

Download
memory/432-2127-0x0000000005D50000-0x0000000006368000-memory.dmp

Filesize
6.1MB

Download
memory/432-2126-0x0000000001570000-0x0000000001576000-memory.dmp

Filesize
24KB

Download
memory/432-2131-0x00000000057B0000-0x00000000057FC000-memory.dmp

Filesize
304KB

Download
memory/432-2130-0x0000000005770000-0x00000000057AC000-memory.dmp

Filesize
240KB

Download
memory/432-2129-0x00000000056F0000-0x0000000005702000-memory.dmp

Filesize
72KB

Download
memory/432-2128-0x0000000005840000-0x000000000594A000-memory.dmp

Filesize
1.0MB

Download
memory/4752-71-0x0000000002810000-0x000000000286F000-memory.dmp

Filesize
380KB

Download
memory/4752-49-0x0000000002810000-0x000000000286F000-memory.dmp

Filesize
380KB

Download
memory/4752-89-0x0000000002810000-0x000000000286F000-memory.dmp

Filesize
380KB

Download
memory/4752-87-0x0000000002810000-0x000000000286F000-memory.dmp

Filesize
380KB

Download
memory/4752-85-0x0000000002810000-0x000000000286F000-memory.dmp

Filesize
380KB

Download
memory/4752-83-0x0000000002810000-0x000000000286F000-memory.dmp

Filesize
380KB

Download
memory/4752-81-0x0000000002810000-0x000000000286F000-memory.dmp

Filesize
380KB

Download
memory/4752-79-0x0000000002810000-0x000000000286F000-memory.dmp

Filesize
380KB

Download
memory/4752-77-0x0000000002810000-0x000000000286F000-memory.dmp

Filesize
380KB

Download
memory/4752-75-0x0000000002810000-0x000000000286F000-memory.dmp

Filesize
380KB

Download
memory/4752-95-0x0000000002810000-0x000000000286F000-memory.dmp

Filesize
380KB

Download
memory/4752-69-0x0000000002810000-0x000000000286F000-memory.dmp

Filesize
380KB

Download
memory/4752-67-0x0000000002810000-0x000000000286F000-memory.dmp

Filesize
380KB

Download
memory/4752-65-0x0000000002810000-0x000000000286F000-memory.dmp

Filesize
380KB

Download
memory/4752-63-0x0000000002810000-0x000000000286F000-memory.dmp

Filesize
380KB

Download
memory/4752-59-0x0000000002810000-0x000000000286F000-memory.dmp

Filesize
380KB

Download
memory/4752-57-0x0000000002810000-0x000000000286F000-memory.dmp

Filesize
380KB

Download
memory/4752-56-0x0000000002810000-0x000000000286F000-memory.dmp

Filesize
380KB

Download
memory/4752-53-0x0000000002810000-0x000000000286F000-memory.dmp

Filesize
380KB

Download
memory/4752-93-0x0000000002810000-0x000000000286F000-memory.dmp

Filesize
380KB

Download
memory/4752-47-0x0000000002810000-0x000000000286F000-memory.dmp

Filesize
380KB

Download
memory/4752-45-0x0000000002810000-0x000000000286F000-memory.dmp

Filesize
380KB

Download
memory/4752-43-0x0000000002810000-0x000000000286F000-memory.dmp

Filesize
380KB

Download
memory/4752-41-0x0000000002810000-0x000000000286F000-memory.dmp

Filesize
380KB

Download
memory/4752-37-0x0000000002810000-0x000000000286F000-memory.dmp

Filesize
380KB

Download
memory/4752-91-0x0000000002810000-0x000000000286F000-memory.dmp

Filesize
380KB

Download
memory/4752-73-0x0000000002810000-0x000000000286F000-memory.dmp

Filesize
380KB

Download
memory/4752-61-0x0000000002810000-0x000000000286F000-memory.dmp

Filesize
380KB

Download
memory/4752-51-0x0000000002810000-0x000000000286F000-memory.dmp

Filesize
380KB

Download
memory/4752-39-0x0000000002810000-0x000000000286F000-memory.dmp

Filesize
380KB

Download
memory/4752-31-0x0000000002810000-0x0000000002876000-memory.dmp

Filesize
408KB

Download
memory/4752-30-0x0000000004EF0000-0x0000000005494000-memory.dmp

Filesize
5.6MB

Download
memory/4752-29-0x0000000002580000-0x00000000025E6000-memory.dmp

Filesize
408KB

Download
memory/4752-35-0x0000000002810000-0x000000000286F000-memory.dmp

Filesize
380KB

Download
memory/4752-33-0x0000000002810000-0x000000000286F000-memory.dmp

Filesize
380KB

Download
memory/4752-32-0x0000000002810000-0x000000000286F000-memory.dmp

Filesize
380KB

Download
memory/4752-2112-0x0000000004E80000-0x0000000004EB2000-memory.dmp

Filesize
200KB

Download
memory/5572-2136-0x00000000004C0000-0x00000000004EE000-memory.dmp

Filesize
184KB

Download
memory/5572-2137-0x0000000007130000-0x0000000007136000-memory.dmp

Filesize
24KB

Download