healer | 917e788334c71d23250e15a9d05633251b07a3970a9783271296793087e7c9ca

Analysis

max time kernel
142s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 00:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

917e788334c71d23250e15a9d05633251b07a3970a9783271296793087e7c9ca.exe
Size

1.1MB
MD5

72c44ef7fb651961268a9cfbe3bf6e69
SHA1

6b3718b3c4b26586550d52d7b1b12e2eda7847de
SHA256

917e788334c71d23250e15a9d05633251b07a3970a9783271296793087e7c9ca
SHA512

503d5ff31dcbeddfc8e5c3c007978dc46ecee4251a8359da7f9cecda596cd0178d6f15b858a8c73048aaad79576f106dbeaa06298486ea8eaeac86b17b1179a7
SSDEEP

24576:2yPvXwok7OfJwoMoULY3ZneI9VHpKzCetBsBM/8rt:FPvXwokSfJwoMoUwnv9VJKzSBNr

Score

10^/10

healer redline discovery dropper evasion infostealer persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/3740-23-0x00000000025C0000-0x00000000025DA000-memory.dmp	healer
behavioral1/memory/3740-25-0x0000000004DA0000-0x0000000004DB8000-memory.dmp	healer
behavioral1/memory/3740-53-0x0000000004DA0000-0x0000000004DB2000-memory.dmp	healer
behavioral1/memory/3740-51-0x0000000004DA0000-0x0000000004DB2000-memory.dmp	healer
behavioral1/memory/3740-49-0x0000000004DA0000-0x0000000004DB2000-memory.dmp	healer
behavioral1/memory/3740-47-0x0000000004DA0000-0x0000000004DB2000-memory.dmp	healer
behavioral1/memory/3740-45-0x0000000004DA0000-0x0000000004DB2000-memory.dmp	healer
behavioral1/memory/3740-43-0x0000000004DA0000-0x0000000004DB2000-memory.dmp	healer
behavioral1/memory/3740-41-0x0000000004DA0000-0x0000000004DB2000-memory.dmp	healer
behavioral1/memory/3740-39-0x0000000004DA0000-0x0000000004DB2000-memory.dmp	healer
behavioral1/memory/3740-37-0x0000000004DA0000-0x0000000004DB2000-memory.dmp	healer
behavioral1/memory/3740-33-0x0000000004DA0000-0x0000000004DB2000-memory.dmp	healer
behavioral1/memory/3740-31-0x0000000004DA0000-0x0000000004DB2000-memory.dmp	healer
behavioral1/memory/3740-29-0x0000000004DA0000-0x0000000004DB2000-memory.dmp	healer
behavioral1/memory/3740-27-0x0000000004DA0000-0x0000000004DB2000-memory.dmp	healer
behavioral1/memory/3740-26-0x0000000004DA0000-0x0000000004DB2000-memory.dmp	healer
behavioral1/memory/3740-35-0x0000000004DA0000-0x0000000004DB2000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr756773.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr756773.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr756773.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr756773.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr756773.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr756773.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/964-62-0x00000000024C0000-0x00000000024FC000-memory.dmp	family_redline
behavioral1/memory/964-63-0x0000000002950000-0x000000000298A000-memory.dmp	family_redline
behavioral1/memory/964-77-0x0000000002950000-0x0000000002985000-memory.dmp	family_redline
behavioral1/memory/964-75-0x0000000002950000-0x0000000002985000-memory.dmp	family_redline
behavioral1/memory/964-97-0x0000000002950000-0x0000000002985000-memory.dmp	family_redline
behavioral1/memory/964-95-0x0000000002950000-0x0000000002985000-memory.dmp	family_redline
behavioral1/memory/964-93-0x0000000002950000-0x0000000002985000-memory.dmp	family_redline
behavioral1/memory/964-91-0x0000000002950000-0x0000000002985000-memory.dmp	family_redline
behavioral1/memory/964-89-0x0000000002950000-0x0000000002985000-memory.dmp	family_redline
behavioral1/memory/964-88-0x0000000002950000-0x0000000002985000-memory.dmp	family_redline
behavioral1/memory/964-85-0x0000000002950000-0x0000000002985000-memory.dmp	family_redline
behavioral1/memory/964-83-0x0000000002950000-0x0000000002985000-memory.dmp	family_redline
behavioral1/memory/964-81-0x0000000002950000-0x0000000002985000-memory.dmp	family_redline
behavioral1/memory/964-79-0x0000000002950000-0x0000000002985000-memory.dmp	family_redline
behavioral1/memory/964-73-0x0000000002950000-0x0000000002985000-memory.dmp	family_redline
behavioral1/memory/964-72-0x0000000002950000-0x0000000002985000-memory.dmp	family_redline
behavioral1/memory/964-69-0x0000000002950000-0x0000000002985000-memory.dmp	family_redline
behavioral1/memory/964-67-0x0000000002950000-0x0000000002985000-memory.dmp	family_redline
behavioral1/memory/964-65-0x0000000002950000-0x0000000002985000-memory.dmp	family_redline
behavioral1/memory/964-64-0x0000000002950000-0x0000000002985000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 4 IoCs

pid	Process
4568	un584559.exe
1180	un385151.exe
3740	pr756773.exe
964	qu118242.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr756773.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr756773.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	917e788334c71d23250e15a9d05633251b07a3970a9783271296793087e7c9ca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un584559.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un385151.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4408	sc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2180	3740	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	917e788334c71d23250e15a9d05633251b07a3970a9783271296793087e7c9ca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un584559.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un385151.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pr756773.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu118242.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3740	pr756773.exe
3740	pr756773.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3740	pr756773.exe
Token: SeDebugPrivilege	964	qu118242.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4852 wrote to memory of 4568	4852	917e788334c71d23250e15a9d05633251b07a3970a9783271296793087e7c9ca.exe	83
PID 4852 wrote to memory of 4568	4852	917e788334c71d23250e15a9d05633251b07a3970a9783271296793087e7c9ca.exe	83
PID 4852 wrote to memory of 4568	4852	917e788334c71d23250e15a9d05633251b07a3970a9783271296793087e7c9ca.exe	83
PID 4568 wrote to memory of 1180	4568	un584559.exe	84
PID 4568 wrote to memory of 1180	4568	un584559.exe	84
PID 4568 wrote to memory of 1180	4568	un584559.exe	84
PID 1180 wrote to memory of 3740	1180	un385151.exe	85
PID 1180 wrote to memory of 3740	1180	un385151.exe	85
PID 1180 wrote to memory of 3740	1180	un385151.exe	85
PID 1180 wrote to memory of 964	1180	un385151.exe	100
PID 1180 wrote to memory of 964	1180	un385151.exe	100
PID 1180 wrote to memory of 964	1180	un385151.exe	100

C:\Users\Admin\AppData\Local\Temp\917e788334c71d23250e15a9d05633251b07a3970a9783271296793087e7c9ca.exe
"C:\Users\Admin\AppData\Local\Temp\917e788334c71d23250e15a9d05633251b07a3970a9783271296793087e7c9ca.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un584559.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un584559.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4568
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un385151.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un385151.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1180
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr756773.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr756773.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3740
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 1076
        5⤵
        Program crash
        
        PID:2180
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu118242.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu118242.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3740 -ip 3740
1⤵
PID:2168

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:4408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un584559.exe

Filesize
764KB

MD5
79033d968e5bdf548b8b8e8e5487341f

SHA1
a2654ecc0a41332b49ee6388d21b9a1bcf80e7a2

SHA256
81ae3ee2f5c747f898508b96aafb58826900f429e40ba5c71f50ba49b79d6881

SHA512
3868b4964a6273b874cb1796def366b1e4b1f90066ffd5d971aeb9ad82356aa54bf83d8d72b8563423a05323394bfd8124279842aa73d0a894720802d3785a5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un385151.exe

Filesize
609KB

MD5
76c3536b9d4132ead008e8f05e638100

SHA1
590cccf6ca438bec50787a817b2ec080e2040ea8

SHA256
02a48f1aa43bce71751df6084fec3f66bf6c284b676147430f671f6cde4f868d

SHA512
a84e8271b107d333e69b0b0256d6b4add15b09e66c09258f852aa3f09a35dccaf78d003c139e1ba0da5a2d1e5dde9d54d1177ff2fb5f30e6e53423a30cd592a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr756773.exe

Filesize
406KB

MD5
ca2b2855fe1b2e3ba6d788465d4f6888

SHA1
a10aa0671a9d585bc127d707d594f7184785d782

SHA256
080da4ce007253efa694e35aa731d59bfe78b99fb39dc237eb9d1c00c650088d

SHA512
5ea4506ae1d91d8a275c2d82a00f92c189a99f88c86493d71e1be0fd53ea26e87fff775d0a20c150a4762c62a0f2de719a8ad0de06a32c7dbec5258fb8e11532

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu118242.exe

Filesize
487KB

MD5
96d3290f921fdb5824f589343090f463

SHA1
1d5555140b4cdf4f5a7f8e20563a0d391f4dcb89

SHA256
f0f9827d1d84ba075c3db5ee0f59ad5fd2196813a7b410fee78c735000ec712b

SHA512
32d10ef5e3d228ec663fdd4afa298bdd0bddee6c2c71194063b35498c87acc5e52e600c3b89ab14dbced5b2fc8b8acbdbc4b1c0b17bd6127ffca5adbdbdea2b7

Download Submit
memory/964-73-0x0000000002950000-0x0000000002985000-memory.dmp

Filesize
212KB

Download
memory/964-83-0x0000000002950000-0x0000000002985000-memory.dmp

Filesize
212KB

Download
memory/964-857-0x0000000004F40000-0x0000000004F52000-memory.dmp

Filesize
72KB

Download
memory/964-856-0x00000000079A0000-0x0000000007FB8000-memory.dmp

Filesize
6.1MB

Download
memory/964-64-0x0000000002950000-0x0000000002985000-memory.dmp

Filesize
212KB

Download
memory/964-65-0x0000000002950000-0x0000000002985000-memory.dmp

Filesize
212KB

Download
memory/964-67-0x0000000002950000-0x0000000002985000-memory.dmp

Filesize
212KB

Download
memory/964-69-0x0000000002950000-0x0000000002985000-memory.dmp

Filesize
212KB

Download
memory/964-859-0x00000000080E0000-0x000000000811C000-memory.dmp

Filesize
240KB

Download
memory/964-72-0x0000000002950000-0x0000000002985000-memory.dmp

Filesize
212KB

Download
memory/964-75-0x0000000002950000-0x0000000002985000-memory.dmp

Filesize
212KB

Download
memory/964-79-0x0000000002950000-0x0000000002985000-memory.dmp

Filesize
212KB

Download
memory/964-81-0x0000000002950000-0x0000000002985000-memory.dmp

Filesize
212KB

Download
memory/964-858-0x0000000007FC0000-0x00000000080CA000-memory.dmp

Filesize
1.0MB

Download
memory/964-85-0x0000000002950000-0x0000000002985000-memory.dmp

Filesize
212KB

Download
memory/964-88-0x0000000002950000-0x0000000002985000-memory.dmp

Filesize
212KB

Download
memory/964-89-0x0000000002950000-0x0000000002985000-memory.dmp

Filesize
212KB

Download
memory/964-91-0x0000000002950000-0x0000000002985000-memory.dmp

Filesize
212KB

Download
memory/964-93-0x0000000002950000-0x0000000002985000-memory.dmp

Filesize
212KB

Download
memory/964-95-0x0000000002950000-0x0000000002985000-memory.dmp

Filesize
212KB

Download
memory/964-97-0x0000000002950000-0x0000000002985000-memory.dmp

Filesize
212KB

Download
memory/964-860-0x00000000049B0000-0x00000000049FC000-memory.dmp

Filesize
304KB

Download
memory/964-62-0x00000000024C0000-0x00000000024FC000-memory.dmp

Filesize
240KB

Download
memory/964-63-0x0000000002950000-0x000000000298A000-memory.dmp

Filesize
232KB

Download
memory/964-77-0x0000000002950000-0x0000000002985000-memory.dmp

Filesize
212KB

Download
memory/3740-43-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

Filesize
72KB

Download
memory/3740-57-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download
memory/3740-54-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download
memory/3740-55-0x0000000000AD0000-0x0000000000BD0000-memory.dmp

Filesize
1024KB

Download
memory/3740-35-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

Filesize
72KB

Download
memory/3740-26-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

Filesize
72KB

Download
memory/3740-27-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

Filesize
72KB

Download
memory/3740-29-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

Filesize
72KB

Download
memory/3740-31-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

Filesize
72KB

Download
memory/3740-33-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

Filesize
72KB

Download
memory/3740-37-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

Filesize
72KB

Download
memory/3740-39-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

Filesize
72KB

Download
memory/3740-41-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

Filesize
72KB

Download
memory/3740-45-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

Filesize
72KB

Download
memory/3740-47-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

Filesize
72KB

Download
memory/3740-49-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

Filesize
72KB

Download
memory/3740-51-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

Filesize
72KB

Download
memory/3740-53-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

Filesize
72KB

Download
memory/3740-25-0x0000000004DA0000-0x0000000004DB8000-memory.dmp

Filesize
96KB

Download
memory/3740-24-0x0000000004E80000-0x0000000005424000-memory.dmp

Filesize
5.6MB

Download
memory/3740-23-0x00000000025C0000-0x00000000025DA000-memory.dmp

Filesize
104KB

Download
memory/3740-22-0x0000000000AD0000-0x0000000000BD0000-memory.dmp

Filesize
1024KB

Download