healer | 9229d4cf4e9de5287e21ef2928b290ae5883088addbfbd435778a4c13332d1b8

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/11/2024, 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9229d4cf4e9de5287e21ef2928b290ae5883088addbfbd435778a4c13332d1b8.exe
Size

531KB
MD5

320ae24051db330f1ad05473111e6e13
SHA1

36a9d1a9f9be4548015361032573d2e4336486f9
SHA256

9229d4cf4e9de5287e21ef2928b290ae5883088addbfbd435778a4c13332d1b8
SHA512

9ac147b53279c22bc1d87d2ec520fe3050dc7592dc7edc152dbfe7ae0320727bdecd5cd5f5011af79a5e979479b45039888c7123b810ee136e4aa8ad0b6ad5ab
SSDEEP

12288:1Mr6y904+S2aEZmqWvqvJFlZ0+jajIQ0qBkP5TQu82nW0zoV5Xu:DyT0AqtBm5sQvK5TQu8gGXu

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023ca0-12.dat	healer
behavioral1/memory/720-15-0x00000000004E0000-0x00000000004EA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	jr185941.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	jr185941.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	jr185941.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	jr185941.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	jr185941.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	jr185941.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/2316-22-0x0000000007090000-0x00000000070D6000-memory.dmp	family_redline
behavioral1/memory/2316-24-0x0000000007160000-0x00000000071A4000-memory.dmp	family_redline
behavioral1/memory/2316-28-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2316-36-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2316-88-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2316-86-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2316-84-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2316-82-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2316-80-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2316-76-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2316-72-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2316-70-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2316-68-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2316-66-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2316-64-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2316-62-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2316-60-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2316-56-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2316-54-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2316-52-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2316-50-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2316-48-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2316-46-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2316-44-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2316-42-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2316-38-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2316-34-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2316-32-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2316-30-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2316-78-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2316-74-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2316-58-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2316-40-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2316-26-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2316-25-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
1500	ziaw5654.exe
720	jr185941.exe
2316	ku525072.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	jr185941.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9229d4cf4e9de5287e21ef2928b290ae5883088addbfbd435778a4c13332d1b8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ziaw5654.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9229d4cf4e9de5287e21ef2928b290ae5883088addbfbd435778a4c13332d1b8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ziaw5654.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ku525072.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
720	jr185941.exe
720	jr185941.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	720	jr185941.exe
Token: SeDebugPrivilege	2316	ku525072.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 1500	2404	9229d4cf4e9de5287e21ef2928b290ae5883088addbfbd435778a4c13332d1b8.exe	83
PID 2404 wrote to memory of 1500	2404	9229d4cf4e9de5287e21ef2928b290ae5883088addbfbd435778a4c13332d1b8.exe	83
PID 2404 wrote to memory of 1500	2404	9229d4cf4e9de5287e21ef2928b290ae5883088addbfbd435778a4c13332d1b8.exe	83
PID 1500 wrote to memory of 720	1500	ziaw5654.exe	84
PID 1500 wrote to memory of 720	1500	ziaw5654.exe	84
PID 1500 wrote to memory of 2316	1500	ziaw5654.exe	95
PID 1500 wrote to memory of 2316	1500	ziaw5654.exe	95
PID 1500 wrote to memory of 2316	1500	ziaw5654.exe	95

C:\Users\Admin\AppData\Local\Temp\9229d4cf4e9de5287e21ef2928b290ae5883088addbfbd435778a4c13332d1b8.exe
"C:\Users\Admin\AppData\Local\Temp\9229d4cf4e9de5287e21ef2928b290ae5883088addbfbd435778a4c13332d1b8.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziaw5654.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziaw5654.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr185941.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr185941.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:720
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku525072.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku525072.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziaw5654.exe

Filesize
388KB

MD5
dd8d247d73726cda27da421c717d8f1b

SHA1
8493dd959886d722481f64efbf40f8273433da00

SHA256
5ac6b753a03d3d86393eb459d12c01fa67cd87bbf76f429fcf0d67268937af9b

SHA512
c313681a84d908c2381f7970ac948a425f9e6e6e9380adadf90218467ef6aee33b3809dffe9ab7ecca1a775430a265593caac6c7facbaabc2a0f78533d19bff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr185941.exe

Filesize
11KB

MD5
46b6b202f5d09ecb5d316a4becb1ea12

SHA1
7336cad615db5bbb34f62ef5e028c3f38ac2af3c

SHA256
b10c874c59321a0d2534bb2adbe6a4d8f9eccc64056b7b74c2eb7b50944bec4c

SHA512
919e8aecafe75424cc4182452ab557ca08cc8e8b1bec14876a5b3183da4bb752fc3b5e308040e2c50f5797ba9e9a0e5b1d4222426285df13b2a9d891adc7e93b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku525072.exe

Filesize
354KB

MD5
b7c3e879a6315e3f97330e0796a35b93

SHA1
a16d63929dbaab10b485dc5a6fca375da8b28909

SHA256
40dbd17b9f350b70cbaae0e1784662433d995e955bb1421647850df379612d1b

SHA512
f3e55fc87f757dd8d3489fa0c8702340be37cd476b1706a0b4888d8181e14d89207706b004b998303cfebaeff90a6b04d8055b0397148a004b28656741f79615

Download Submit
memory/720-14-0x00007FFFC1783000-0x00007FFFC1785000-memory.dmp

Filesize
8KB

Download
memory/720-15-0x00000000004E0000-0x00000000004EA000-memory.dmp

Filesize
40KB

Download
memory/720-16-0x00007FFFC1783000-0x00007FFFC1785000-memory.dmp

Filesize
8KB

Download
memory/2316-62-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2316-50-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2316-24-0x0000000007160000-0x00000000071A4000-memory.dmp

Filesize
272KB

Download
memory/2316-28-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2316-36-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2316-88-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2316-86-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2316-84-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2316-82-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2316-80-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2316-76-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2316-72-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2316-70-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2316-68-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2316-66-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2316-64-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2316-22-0x0000000007090000-0x00000000070D6000-memory.dmp

Filesize
280KB

Download
memory/2316-60-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2316-56-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2316-54-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2316-52-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2316-23-0x0000000007200000-0x00000000077A4000-memory.dmp

Filesize
5.6MB

Download
memory/2316-48-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2316-46-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2316-44-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2316-42-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2316-38-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2316-34-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2316-32-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2316-30-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2316-78-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2316-74-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2316-58-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2316-40-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2316-26-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2316-25-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2316-931-0x00000000077C0000-0x0000000007DD8000-memory.dmp

Filesize
6.1MB

Download
memory/2316-932-0x0000000007E60000-0x0000000007F6A000-memory.dmp

Filesize
1.0MB

Download
memory/2316-933-0x0000000007FA0000-0x0000000007FB2000-memory.dmp

Filesize
72KB

Download
memory/2316-934-0x0000000007FC0000-0x0000000007FFC000-memory.dmp

Filesize
240KB

Download
memory/2316-935-0x0000000008110000-0x000000000815C000-memory.dmp

Filesize
304KB

Download