healer | 72efe81f5b86bf24cccaae5bd225ff78bb4bfef553cdb1ec565823cce302b1e5

Analysis

max time kernel
142s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 01:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72efe81f5b86bf24cccaae5bd225ff78bb4bfef553cdb1ec565823cce302b1e5.exe
Size

1.0MB
MD5

2e4a4edef4a0e51f06bed0efdceb761d
SHA1

d95f4b3460ac7937ee53298e00f658d224dc45f7
SHA256

72efe81f5b86bf24cccaae5bd225ff78bb4bfef553cdb1ec565823cce302b1e5
SHA512

0ed060a44de593c23e5c127d79e2792a852c7540fa9a21f073cfa78e241c2719d58e69842373c83bbf6cf5d542fa5fb08dbe70f08786c8b2d0c00341229a42c1
SSDEEP

24576:vyt51K4Cmizlin2VuqiytoZv2OkFGBRXBCRy+DtmQ5hRCylvSu55:6hZi5Cyqv2TABp8LBmQ5hIylvx

Score

10^/10

healer redline discovery dropper evasion infostealer persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/3816-23-0x0000000002680000-0x000000000269A000-memory.dmp	healer
behavioral1/memory/3816-25-0x00000000054B0000-0x00000000054C8000-memory.dmp	healer
behavioral1/memory/3816-26-0x00000000054B0000-0x00000000054C2000-memory.dmp	healer
behavioral1/memory/3816-47-0x00000000054B0000-0x00000000054C2000-memory.dmp	healer
behavioral1/memory/3816-53-0x00000000054B0000-0x00000000054C2000-memory.dmp	healer
behavioral1/memory/3816-51-0x00000000054B0000-0x00000000054C2000-memory.dmp	healer
behavioral1/memory/3816-49-0x00000000054B0000-0x00000000054C2000-memory.dmp	healer
behavioral1/memory/3816-45-0x00000000054B0000-0x00000000054C2000-memory.dmp	healer
behavioral1/memory/3816-43-0x00000000054B0000-0x00000000054C2000-memory.dmp	healer
behavioral1/memory/3816-41-0x00000000054B0000-0x00000000054C2000-memory.dmp	healer
behavioral1/memory/3816-39-0x00000000054B0000-0x00000000054C2000-memory.dmp	healer
behavioral1/memory/3816-37-0x00000000054B0000-0x00000000054C2000-memory.dmp	healer
behavioral1/memory/3816-35-0x00000000054B0000-0x00000000054C2000-memory.dmp	healer
behavioral1/memory/3816-33-0x00000000054B0000-0x00000000054C2000-memory.dmp	healer
behavioral1/memory/3816-31-0x00000000054B0000-0x00000000054C2000-memory.dmp	healer
behavioral1/memory/3816-29-0x00000000054B0000-0x00000000054C2000-memory.dmp	healer
behavioral1/memory/3816-27-0x00000000054B0000-0x00000000054C2000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr429597.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr429597.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr429597.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr429597.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr429597.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr429597.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/4756-62-0x00000000026E0000-0x000000000271C000-memory.dmp	family_redline
behavioral1/memory/4756-63-0x0000000002AB0000-0x0000000002AEA000-memory.dmp	family_redline
behavioral1/memory/4756-69-0x0000000002AB0000-0x0000000002AE5000-memory.dmp	family_redline
behavioral1/memory/4756-75-0x0000000002AB0000-0x0000000002AE5000-memory.dmp	family_redline
behavioral1/memory/4756-97-0x0000000002AB0000-0x0000000002AE5000-memory.dmp	family_redline
behavioral1/memory/4756-93-0x0000000002AB0000-0x0000000002AE5000-memory.dmp	family_redline
behavioral1/memory/4756-91-0x0000000002AB0000-0x0000000002AE5000-memory.dmp	family_redline
behavioral1/memory/4756-89-0x0000000002AB0000-0x0000000002AE5000-memory.dmp	family_redline
behavioral1/memory/4756-87-0x0000000002AB0000-0x0000000002AE5000-memory.dmp	family_redline
behavioral1/memory/4756-85-0x0000000002AB0000-0x0000000002AE5000-memory.dmp	family_redline
behavioral1/memory/4756-83-0x0000000002AB0000-0x0000000002AE5000-memory.dmp	family_redline
behavioral1/memory/4756-79-0x0000000002AB0000-0x0000000002AE5000-memory.dmp	family_redline
behavioral1/memory/4756-77-0x0000000002AB0000-0x0000000002AE5000-memory.dmp	family_redline
behavioral1/memory/4756-73-0x0000000002AB0000-0x0000000002AE5000-memory.dmp	family_redline
behavioral1/memory/4756-71-0x0000000002AB0000-0x0000000002AE5000-memory.dmp	family_redline
behavioral1/memory/4756-95-0x0000000002AB0000-0x0000000002AE5000-memory.dmp	family_redline
behavioral1/memory/4756-81-0x0000000002AB0000-0x0000000002AE5000-memory.dmp	family_redline
behavioral1/memory/4756-67-0x0000000002AB0000-0x0000000002AE5000-memory.dmp	family_redline
behavioral1/memory/4756-65-0x0000000002AB0000-0x0000000002AE5000-memory.dmp	family_redline
behavioral1/memory/4756-64-0x0000000002AB0000-0x0000000002AE5000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 4 IoCs

pid	Process
1768	un128477.exe
2928	un980934.exe
3816	pr429597.exe
4756	qu612065.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr429597.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr429597.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	72efe81f5b86bf24cccaae5bd225ff78bb4bfef553cdb1ec565823cce302b1e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un128477.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un980934.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
464	3816	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	72efe81f5b86bf24cccaae5bd225ff78bb4bfef553cdb1ec565823cce302b1e5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un128477.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un980934.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pr429597.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu612065.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3816	pr429597.exe
3816	pr429597.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3816	pr429597.exe
Token: SeDebugPrivilege	4756	qu612065.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3532 wrote to memory of 1768	3532	72efe81f5b86bf24cccaae5bd225ff78bb4bfef553cdb1ec565823cce302b1e5.exe	83
PID 3532 wrote to memory of 1768	3532	72efe81f5b86bf24cccaae5bd225ff78bb4bfef553cdb1ec565823cce302b1e5.exe	83
PID 3532 wrote to memory of 1768	3532	72efe81f5b86bf24cccaae5bd225ff78bb4bfef553cdb1ec565823cce302b1e5.exe	83
PID 1768 wrote to memory of 2928	1768	un128477.exe	85
PID 1768 wrote to memory of 2928	1768	un128477.exe	85
PID 1768 wrote to memory of 2928	1768	un128477.exe	85
PID 2928 wrote to memory of 3816	2928	un980934.exe	86
PID 2928 wrote to memory of 3816	2928	un980934.exe	86
PID 2928 wrote to memory of 3816	2928	un980934.exe	86
PID 2928 wrote to memory of 4756	2928	un980934.exe	100
PID 2928 wrote to memory of 4756	2928	un980934.exe	100
PID 2928 wrote to memory of 4756	2928	un980934.exe	100

C:\Users\Admin\AppData\Local\Temp\72efe81f5b86bf24cccaae5bd225ff78bb4bfef553cdb1ec565823cce302b1e5.exe
"C:\Users\Admin\AppData\Local\Temp\72efe81f5b86bf24cccaae5bd225ff78bb4bfef553cdb1ec565823cce302b1e5.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un128477.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un128477.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un980934.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un980934.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr429597.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr429597.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3816
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 1012
        5⤵
        Program crash
        
        PID:464
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu612065.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu612065.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3816 -ip 3816
1⤵
PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un128477.exe

Filesize
761KB

MD5
0d9c5352795a5c82d17cc4d70453e5c9

SHA1
c3432074b26d61b2a7e333996fac867a449221d9

SHA256
0f5869747ff19568185ba0a8b3b78b69cca0a905ac03abe23984f0a19f586e15

SHA512
befc85372acaef9465770978b4c3c588fee2bf52692ff2cec3179da2d83d0cf0a63aad09f76953126563f0dca9761d8acbb05b74d3c77c8c26f0ae32ed893e91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un980934.exe

Filesize
608KB

MD5
2780ba08100f20ed6dea93e29a4a52de

SHA1
c0083748430a5753984d89d79ab1e40206391b41

SHA256
3dfa589948b56953bfbfc46854cf9b4af5c08029038e5e9f983c8327b181ce67

SHA512
e6a56f8b0ed98e4bdc1a3951bc321a3df286b3a4d6d1c5c502130adbea2b3fcb6695f2ccf01e009d02387928f7484b6c0dbbfc543e710dc0ca3d372d454998ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr429597.exe

Filesize
405KB

MD5
b6c8f048d1c3d8cd68db2a29eccaee5f

SHA1
40c2ab25c73d7cbc89f03a8e82d872790fc56589

SHA256
15c0e16781843cc9db6641a5bc581c71100a179c82ad056dfbc74beab272360f

SHA512
c1d4472b61eaa7d0e5f80a7a591b07c4e700fbea026716151b4615a3f2ea3c2c54539b479267eae4edad068947e06e8399c721cec223e9b18878d6a1f5b114f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu612065.exe

Filesize
487KB

MD5
cf1d3cb406fd69cd0a9e03d04954dafe

SHA1
45f34596c122d70dfa8178106811d9aa8c35f580

SHA256
a71a6fa3d937b7d098bd69ba087a40fb9d8d7e88f0c05b169bbf27a49c3bf5ad

SHA512
5ae3c1831661d6de593d723dd98c433d6ff5683cda32f9c0b90332529a18a5b2520a26ee9710610f2e7dad7ee89ec9ce24a28d3fd1c0487ce5c944625d538e81

Download Submit
memory/3816-54-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download
memory/3816-24-0x0000000004EC0000-0x0000000005464000-memory.dmp

Filesize
5.6MB

Download
memory/3816-25-0x00000000054B0000-0x00000000054C8000-memory.dmp

Filesize
96KB

Download
memory/3816-26-0x00000000054B0000-0x00000000054C2000-memory.dmp

Filesize
72KB

Download
memory/3816-47-0x00000000054B0000-0x00000000054C2000-memory.dmp

Filesize
72KB

Download
memory/3816-53-0x00000000054B0000-0x00000000054C2000-memory.dmp

Filesize
72KB

Download
memory/3816-51-0x00000000054B0000-0x00000000054C2000-memory.dmp

Filesize
72KB

Download
memory/3816-49-0x00000000054B0000-0x00000000054C2000-memory.dmp

Filesize
72KB

Download
memory/3816-45-0x00000000054B0000-0x00000000054C2000-memory.dmp

Filesize
72KB

Download
memory/3816-43-0x00000000054B0000-0x00000000054C2000-memory.dmp

Filesize
72KB

Download
memory/3816-41-0x00000000054B0000-0x00000000054C2000-memory.dmp

Filesize
72KB

Download
memory/3816-39-0x00000000054B0000-0x00000000054C2000-memory.dmp

Filesize
72KB

Download
memory/3816-37-0x00000000054B0000-0x00000000054C2000-memory.dmp

Filesize
72KB

Download
memory/3816-35-0x00000000054B0000-0x00000000054C2000-memory.dmp

Filesize
72KB

Download
memory/3816-33-0x00000000054B0000-0x00000000054C2000-memory.dmp

Filesize
72KB

Download
memory/3816-31-0x00000000054B0000-0x00000000054C2000-memory.dmp

Filesize
72KB

Download
memory/3816-29-0x00000000054B0000-0x00000000054C2000-memory.dmp

Filesize
72KB

Download
memory/3816-27-0x00000000054B0000-0x00000000054C2000-memory.dmp

Filesize
72KB

Download
memory/3816-55-0x0000000000A20000-0x0000000000B20000-memory.dmp

Filesize
1024KB

Download
memory/3816-23-0x0000000002680000-0x000000000269A000-memory.dmp

Filesize
104KB

Download
memory/3816-57-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download
memory/3816-22-0x0000000000A20000-0x0000000000B20000-memory.dmp

Filesize
1024KB

Download
memory/4756-64-0x0000000002AB0000-0x0000000002AE5000-memory.dmp

Filesize
212KB

Download
memory/4756-73-0x0000000002AB0000-0x0000000002AE5000-memory.dmp

Filesize
212KB

Download
memory/4756-93-0x0000000002AB0000-0x0000000002AE5000-memory.dmp

Filesize
212KB

Download
memory/4756-75-0x0000000002AB0000-0x0000000002AE5000-memory.dmp

Filesize
212KB

Download
memory/4756-97-0x0000000002AB0000-0x0000000002AE5000-memory.dmp

Filesize
212KB

Download
memory/4756-69-0x0000000002AB0000-0x0000000002AE5000-memory.dmp

Filesize
212KB

Download
memory/4756-91-0x0000000002AB0000-0x0000000002AE5000-memory.dmp

Filesize
212KB

Download
memory/4756-89-0x0000000002AB0000-0x0000000002AE5000-memory.dmp

Filesize
212KB

Download
memory/4756-87-0x0000000002AB0000-0x0000000002AE5000-memory.dmp

Filesize
212KB

Download
memory/4756-85-0x0000000002AB0000-0x0000000002AE5000-memory.dmp

Filesize
212KB

Download
memory/4756-83-0x0000000002AB0000-0x0000000002AE5000-memory.dmp

Filesize
212KB

Download
memory/4756-79-0x0000000002AB0000-0x0000000002AE5000-memory.dmp

Filesize
212KB

Download
memory/4756-77-0x0000000002AB0000-0x0000000002AE5000-memory.dmp

Filesize
212KB

Download
memory/4756-859-0x0000000002C40000-0x0000000002C7C000-memory.dmp

Filesize
240KB

Download
memory/4756-71-0x0000000002AB0000-0x0000000002AE5000-memory.dmp

Filesize
212KB

Download
memory/4756-95-0x0000000002AB0000-0x0000000002AE5000-memory.dmp

Filesize
212KB

Download
memory/4756-81-0x0000000002AB0000-0x0000000002AE5000-memory.dmp

Filesize
212KB

Download
memory/4756-67-0x0000000002AB0000-0x0000000002AE5000-memory.dmp

Filesize
212KB

Download
memory/4756-65-0x0000000002AB0000-0x0000000002AE5000-memory.dmp

Filesize
212KB

Download
memory/4756-63-0x0000000002AB0000-0x0000000002AEA000-memory.dmp

Filesize
232KB

Download
memory/4756-856-0x0000000007A60000-0x0000000008078000-memory.dmp

Filesize
6.1MB

Download
memory/4756-857-0x0000000002BF0000-0x0000000002C02000-memory.dmp

Filesize
72KB

Download
memory/4756-858-0x0000000008080000-0x000000000818A000-memory.dmp

Filesize
1.0MB

Download
memory/4756-62-0x00000000026E0000-0x000000000271C000-memory.dmp

Filesize
240KB

Download
memory/4756-860-0x00000000028A0000-0x00000000028EC000-memory.dmp

Filesize
304KB

Download