healer | 62917ac66abdd9be003f44d7fe9e753cc4206594922eb49ee27ee0c80bc31bd5

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 01:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62917ac66abdd9be003f44d7fe9e753cc4206594922eb49ee27ee0c80bc31bd5.exe
Size

684KB
MD5

9cedecac80429e4e2548899236e2a3fd
SHA1

ee3e85c72236b246220178803b67fdd12e454808
SHA256

62917ac66abdd9be003f44d7fe9e753cc4206594922eb49ee27ee0c80bc31bd5
SHA512

eb5cf75655c7ce10089a87731f40c97d29eb7a9c8f05a27b5dfd79f6f798805c68b59b1f08e10dc3fa27f6fc07bfaa2dd0a8a4c635a9abcf0c1937e6c6eb1453
SSDEEP

12288:uMrMy90qgkP6CWn2yMjfirWFLz73eMiWgXSLOZKwB2OQ0qVks+6B:+y4h1MjZLHetrrN2OQ0qVr

Score

10^/10

healer redline diza norm discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

norm

77.91.124.145:4125

Attributes

auth_value
1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

diza

77.91.124.145:4125

Attributes

auth_value
bbab0d2f0ae4d4fdd6b17077d93b3e80

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023c7f-12.dat	healer
behavioral1/memory/3060-15-0x0000000000EC0000-0x0000000000ECA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	jr825588.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	jr825588.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	jr825588.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	jr825588.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	jr825588.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	jr825588.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/memory/1116-2105-0x0000000005750000-0x0000000005782000-memory.dmp	family_redline
behavioral1/files/0x0008000000023c7a-2110.dat	family_redline
behavioral1/memory/5672-2118-0x0000000000EC0000-0x0000000000EF0000-memory.dmp	family_redline
behavioral1/files/0x0007000000023c7d-2128.dat	family_redline
behavioral1/memory/6088-2129-0x0000000000300000-0x000000000032E000-memory.dmp	family_redline

Redline family
redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	ku594362.exe

Executes dropped EXE 5 IoCs

pid	Process
3792	ziyO9688.exe
3060	jr825588.exe
1116	ku594362.exe
5672	1.exe
6088	lr591939.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	jr825588.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	62917ac66abdd9be003f44d7fe9e753cc4206594922eb49ee27ee0c80bc31bd5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ziyO9688.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4944	1116	WerFault.exe	96

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lr591939.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	62917ac66abdd9be003f44d7fe9e753cc4206594922eb49ee27ee0c80bc31bd5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ziyO9688.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ku594362.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3060	jr825588.exe
3060	jr825588.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3060	jr825588.exe
Token: SeDebugPrivilege	1116	ku594362.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 3792	4736	62917ac66abdd9be003f44d7fe9e753cc4206594922eb49ee27ee0c80bc31bd5.exe	84
PID 4736 wrote to memory of 3792	4736	62917ac66abdd9be003f44d7fe9e753cc4206594922eb49ee27ee0c80bc31bd5.exe	84
PID 4736 wrote to memory of 3792	4736	62917ac66abdd9be003f44d7fe9e753cc4206594922eb49ee27ee0c80bc31bd5.exe	84
PID 3792 wrote to memory of 3060	3792	ziyO9688.exe	86
PID 3792 wrote to memory of 3060	3792	ziyO9688.exe	86
PID 3792 wrote to memory of 1116	3792	ziyO9688.exe	96
PID 3792 wrote to memory of 1116	3792	ziyO9688.exe	96
PID 3792 wrote to memory of 1116	3792	ziyO9688.exe	96
PID 1116 wrote to memory of 5672	1116	ku594362.exe	97
PID 1116 wrote to memory of 5672	1116	ku594362.exe	97
PID 1116 wrote to memory of 5672	1116	ku594362.exe	97
PID 4736 wrote to memory of 6088	4736	62917ac66abdd9be003f44d7fe9e753cc4206594922eb49ee27ee0c80bc31bd5.exe	102
PID 4736 wrote to memory of 6088	4736	62917ac66abdd9be003f44d7fe9e753cc4206594922eb49ee27ee0c80bc31bd5.exe	102
PID 4736 wrote to memory of 6088	4736	62917ac66abdd9be003f44d7fe9e753cc4206594922eb49ee27ee0c80bc31bd5.exe	102

C:\Users\Admin\AppData\Local\Temp\62917ac66abdd9be003f44d7fe9e753cc4206594922eb49ee27ee0c80bc31bd5.exe
"C:\Users\Admin\AppData\Local\Temp\62917ac66abdd9be003f44d7fe9e753cc4206594922eb49ee27ee0c80bc31bd5.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziyO9688.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziyO9688.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3792
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr825588.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr825588.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3060
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku594362.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku594362.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1116
  - - C:\Windows\Temp\1.exe
      "C:\Windows\Temp\1.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5672
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 1464
      4⤵
      Program crash
      PID:4944
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr591939.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr591939.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1116 -ip 1116
1⤵
PID:5528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr591939.exe

Filesize
169KB

MD5
ac399733950c2126fdfe98af8194e59c

SHA1
06a24ecfcd56a23194009e1b307208e64e692ede

SHA256
2f395f538a789e26922ac6afba50f0da22bf3282a047c8c2757a5907d8fcc5d9

SHA512
5d875792da66d8393ad5c168254d9c6466b92b9c57698828a41abed8442204c24409e6c0cea822f5ff1f71d17b1131fa37862cca0e2a1dea68e47b103a675a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziyO9688.exe

Filesize
529KB

MD5
b9fa5defacf10ee00ecbec8bc2739348

SHA1
c6e8d6dff4aa6731eeb7d1074ad08f8e53d2eff3

SHA256
14a9cb23c505cb8d73288443944ade402df86805921fff4d45468dfedf4caa1f

SHA512
af83ab48b103ccf623cc9136ce26ef18e1f01c81feb9738348c579b2f854a9bfb1e637d756bf4f5bfeaa07bf179ce18b8b9f40d934031e62b3ff447f82020bc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr825588.exe

Filesize
12KB

MD5
8aebcf014a7e2895abbfed7d935f8dc6

SHA1
dca9e83155232ed61582503d134c4af104b36f49

SHA256
329325fe79f93b385d9bfc5f6dadef38ca9e2bf2a5d88a48ada602b2ae939c2e

SHA512
79bcaeb94b6bd7b5c2aad824b5ed865905430679b468ef2d64e3140448898725ac7189eb71c4a1b8b619292157254920783a514f384b2a8730dc7ab81f7e7838

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku594362.exe

Filesize
495KB

MD5
ded28a1f67edb71f234d96615f54090d

SHA1
cf66d37524609cae6cfb4e946bb6e3a1498720b3

SHA256
7208f55b621aedc61c2df18a6804088673d5d52b35d329e6cb1e9e7a29869a45

SHA512
b472194611904d659021a00a28db5e29f48d1bd631f9c14b50cca038097419a3b6810fbc6a346201fbf7e6556d16cbb76eea35419df1df7db78eac4715b629d3

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1073b2e7f778788852d3f7bb79929882

SHA1
7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

SHA256
c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

SHA512
90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

Download Submit
memory/1116-48-0x0000000005530000-0x000000000558F000-memory.dmp

Filesize
380KB

Download
memory/1116-86-0x0000000005530000-0x000000000558F000-memory.dmp

Filesize
380KB

Download
memory/1116-24-0x0000000005530000-0x0000000005596000-memory.dmp

Filesize
408KB

Download
memory/1116-72-0x0000000005530000-0x000000000558F000-memory.dmp

Filesize
380KB

Download
memory/1116-76-0x0000000005530000-0x000000000558F000-memory.dmp

Filesize
380KB

Download
memory/1116-88-0x0000000005530000-0x000000000558F000-memory.dmp

Filesize
380KB

Download
memory/1116-38-0x0000000005530000-0x000000000558F000-memory.dmp

Filesize
380KB

Download
memory/1116-84-0x0000000005530000-0x000000000558F000-memory.dmp

Filesize
380KB

Download
memory/1116-82-0x0000000005530000-0x000000000558F000-memory.dmp

Filesize
380KB

Download
memory/1116-80-0x0000000005530000-0x000000000558F000-memory.dmp

Filesize
380KB

Download
memory/1116-74-0x0000000005530000-0x000000000558F000-memory.dmp

Filesize
380KB

Download
memory/1116-37-0x0000000005530000-0x000000000558F000-memory.dmp

Filesize
380KB

Download
memory/1116-68-0x0000000005530000-0x000000000558F000-memory.dmp

Filesize
380KB

Download
memory/1116-66-0x0000000005530000-0x000000000558F000-memory.dmp

Filesize
380KB

Download
memory/1116-64-0x0000000005530000-0x000000000558F000-memory.dmp

Filesize
380KB

Download
memory/1116-62-0x0000000005530000-0x000000000558F000-memory.dmp

Filesize
380KB

Download
memory/1116-60-0x0000000005530000-0x000000000558F000-memory.dmp

Filesize
380KB

Download
memory/1116-58-0x0000000005530000-0x000000000558F000-memory.dmp

Filesize
380KB

Download
memory/1116-56-0x0000000005530000-0x000000000558F000-memory.dmp

Filesize
380KB

Download
memory/1116-54-0x0000000005530000-0x000000000558F000-memory.dmp

Filesize
380KB

Download
memory/1116-42-0x0000000005530000-0x000000000558F000-memory.dmp

Filesize
380KB

Download
memory/1116-22-0x00000000029A0000-0x0000000002A06000-memory.dmp

Filesize
408KB

Download
memory/1116-46-0x0000000005530000-0x000000000558F000-memory.dmp

Filesize
380KB

Download
memory/1116-44-0x0000000005530000-0x000000000558F000-memory.dmp

Filesize
380KB

Download
memory/1116-50-0x0000000005530000-0x000000000558F000-memory.dmp

Filesize
380KB

Download
memory/1116-23-0x0000000004F80000-0x0000000005524000-memory.dmp

Filesize
5.6MB

Download
memory/1116-70-0x0000000005530000-0x000000000558F000-memory.dmp

Filesize
380KB

Download
memory/1116-34-0x0000000005530000-0x000000000558F000-memory.dmp

Filesize
380KB

Download
memory/1116-32-0x0000000005530000-0x000000000558F000-memory.dmp

Filesize
380KB

Download
memory/1116-30-0x0000000005530000-0x000000000558F000-memory.dmp

Filesize
380KB

Download
memory/1116-79-0x0000000005530000-0x000000000558F000-memory.dmp

Filesize
380KB

Download
memory/1116-53-0x0000000005530000-0x000000000558F000-memory.dmp

Filesize
380KB

Download
memory/1116-40-0x0000000005530000-0x000000000558F000-memory.dmp

Filesize
380KB

Download
memory/1116-28-0x0000000005530000-0x000000000558F000-memory.dmp

Filesize
380KB

Download
memory/1116-26-0x0000000005530000-0x000000000558F000-memory.dmp

Filesize
380KB

Download
memory/1116-25-0x0000000005530000-0x000000000558F000-memory.dmp

Filesize
380KB

Download
memory/1116-2105-0x0000000005750000-0x0000000005782000-memory.dmp

Filesize
200KB

Download
memory/3060-14-0x00007FFD64503000-0x00007FFD64505000-memory.dmp

Filesize
8KB

Download
memory/3060-15-0x0000000000EC0000-0x0000000000ECA000-memory.dmp

Filesize
40KB

Download
memory/3060-17-0x00007FFD64503000-0x00007FFD64505000-memory.dmp

Filesize
8KB

Download
memory/5672-2118-0x0000000000EC0000-0x0000000000EF0000-memory.dmp

Filesize
192KB

Download
memory/5672-2119-0x0000000003110000-0x0000000003116000-memory.dmp

Filesize
24KB

Download
memory/5672-2120-0x0000000005E70000-0x0000000006488000-memory.dmp

Filesize
6.1MB

Download
memory/5672-2121-0x0000000005960000-0x0000000005A6A000-memory.dmp

Filesize
1.0MB

Download
memory/5672-2122-0x0000000005850000-0x0000000005862000-memory.dmp

Filesize
72KB

Download
memory/5672-2123-0x0000000005870000-0x00000000058AC000-memory.dmp

Filesize
240KB

Download
memory/5672-2124-0x00000000058F0000-0x000000000593C000-memory.dmp

Filesize
304KB

Download
memory/6088-2129-0x0000000000300000-0x000000000032E000-memory.dmp

Filesize
184KB

Download
memory/6088-2130-0x0000000002330000-0x0000000002336000-memory.dmp

Filesize
24KB

Download