healer | 99d705782c003dd051efc01425c3a227c08f2354c805266ecd781b08a1a0d05d

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99d705782c003dd051efc01425c3a227c08f2354c805266ecd781b08a1a0d05d.exe
Size

706KB
MD5

b333f15f048dcd3718f8ed64168f4b52
SHA1

f382f2cfc1a35e6c3b4a74287e714886acff6e3b
SHA256

99d705782c003dd051efc01425c3a227c08f2354c805266ecd781b08a1a0d05d
SHA512

8407e775be97b6b3c358a353b1cddcace5ab84dc61f786fbc04952a435de4f9ba17cce5d8d7af6d8f51b9c0a033f704b21474a5b6907a1b5d5432894cd7c63a5
SSDEEP

12288:Iy90mTxQIQkT3gLX3njS/m8l5rzEf2N3qO/867/ce84UXmbB:Iy0BkzSXEblFEf2bB3MmN

Score

10^/10

healer redline discovery dropper evasion infostealer persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/1332-18-0x0000000004B80000-0x0000000004B9A000-memory.dmp	healer
behavioral1/memory/1332-20-0x0000000004E30000-0x0000000004E48000-memory.dmp	healer
behavioral1/memory/1332-22-0x0000000004E30000-0x0000000004E42000-memory.dmp	healer
behavioral1/memory/1332-26-0x0000000004E30000-0x0000000004E42000-memory.dmp	healer
behavioral1/memory/1332-46-0x0000000004E30000-0x0000000004E42000-memory.dmp	healer
behavioral1/memory/1332-44-0x0000000004E30000-0x0000000004E42000-memory.dmp	healer
behavioral1/memory/1332-42-0x0000000004E30000-0x0000000004E42000-memory.dmp	healer
behavioral1/memory/1332-41-0x0000000004E30000-0x0000000004E42000-memory.dmp	healer
behavioral1/memory/1332-38-0x0000000004E30000-0x0000000004E42000-memory.dmp	healer
behavioral1/memory/1332-36-0x0000000004E30000-0x0000000004E42000-memory.dmp	healer
behavioral1/memory/1332-35-0x0000000004E30000-0x0000000004E42000-memory.dmp	healer
behavioral1/memory/1332-33-0x0000000004E30000-0x0000000004E42000-memory.dmp	healer
behavioral1/memory/1332-30-0x0000000004E30000-0x0000000004E42000-memory.dmp	healer
behavioral1/memory/1332-48-0x0000000004E30000-0x0000000004E42000-memory.dmp	healer
behavioral1/memory/1332-28-0x0000000004E30000-0x0000000004E42000-memory.dmp	healer
behavioral1/memory/1332-24-0x0000000004E30000-0x0000000004E42000-memory.dmp	healer
behavioral1/memory/1332-21-0x0000000004E30000-0x0000000004E42000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr176131.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr176131.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr176131.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr176131.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr176131.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr176131.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/4928-60-0x0000000007010000-0x000000000704C000-memory.dmp	family_redline
behavioral1/memory/4928-61-0x0000000007790000-0x00000000077CA000-memory.dmp	family_redline
behavioral1/memory/4928-65-0x0000000007790000-0x00000000077C5000-memory.dmp	family_redline
behavioral1/memory/4928-75-0x0000000007790000-0x00000000077C5000-memory.dmp	family_redline
behavioral1/memory/4928-95-0x0000000007790000-0x00000000077C5000-memory.dmp	family_redline
behavioral1/memory/4928-94-0x0000000007790000-0x00000000077C5000-memory.dmp	family_redline
behavioral1/memory/4928-91-0x0000000007790000-0x00000000077C5000-memory.dmp	family_redline
behavioral1/memory/4928-89-0x0000000007790000-0x00000000077C5000-memory.dmp	family_redline
behavioral1/memory/4928-87-0x0000000007790000-0x00000000077C5000-memory.dmp	family_redline
behavioral1/memory/4928-85-0x0000000007790000-0x00000000077C5000-memory.dmp	family_redline
behavioral1/memory/4928-84-0x0000000007790000-0x00000000077C5000-memory.dmp	family_redline
behavioral1/memory/4928-81-0x0000000007790000-0x00000000077C5000-memory.dmp	family_redline
behavioral1/memory/4928-79-0x0000000007790000-0x00000000077C5000-memory.dmp	family_redline
behavioral1/memory/4928-77-0x0000000007790000-0x00000000077C5000-memory.dmp	family_redline
behavioral1/memory/4928-73-0x0000000007790000-0x00000000077C5000-memory.dmp	family_redline
behavioral1/memory/4928-71-0x0000000007790000-0x00000000077C5000-memory.dmp	family_redline
behavioral1/memory/4928-69-0x0000000007790000-0x00000000077C5000-memory.dmp	family_redline
behavioral1/memory/4928-67-0x0000000007790000-0x00000000077C5000-memory.dmp	family_redline
behavioral1/memory/4928-63-0x0000000007790000-0x00000000077C5000-memory.dmp	family_redline
behavioral1/memory/4928-62-0x0000000007790000-0x00000000077C5000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
4592	un570675.exe
1332	pr176131.exe
4928	qu877589.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr176131.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr176131.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	99d705782c003dd051efc01425c3a227c08f2354c805266ecd781b08a1a0d05d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un570675.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1140	1332	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	99d705782c003dd051efc01425c3a227c08f2354c805266ecd781b08a1a0d05d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un570675.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pr176131.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu877589.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1332	pr176131.exe
1332	pr176131.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1332	pr176131.exe
Token: SeDebugPrivilege	4928	qu877589.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1036 wrote to memory of 4592	1036	99d705782c003dd051efc01425c3a227c08f2354c805266ecd781b08a1a0d05d.exe	83
PID 1036 wrote to memory of 4592	1036	99d705782c003dd051efc01425c3a227c08f2354c805266ecd781b08a1a0d05d.exe	83
PID 1036 wrote to memory of 4592	1036	99d705782c003dd051efc01425c3a227c08f2354c805266ecd781b08a1a0d05d.exe	83
PID 4592 wrote to memory of 1332	4592	un570675.exe	84
PID 4592 wrote to memory of 1332	4592	un570675.exe	84
PID 4592 wrote to memory of 1332	4592	un570675.exe	84
PID 4592 wrote to memory of 4928	4592	un570675.exe	106
PID 4592 wrote to memory of 4928	4592	un570675.exe	106
PID 4592 wrote to memory of 4928	4592	un570675.exe	106

C:\Users\Admin\AppData\Local\Temp\99d705782c003dd051efc01425c3a227c08f2354c805266ecd781b08a1a0d05d.exe
"C:\Users\Admin\AppData\Local\Temp\99d705782c003dd051efc01425c3a227c08f2354c805266ecd781b08a1a0d05d.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1036
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un570675.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un570675.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4592
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr176131.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr176131.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1332
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 1084
      4⤵
      Program crash
      PID:1140
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu877589.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu877589.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1332 -ip 1332
1⤵
PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un570675.exe

Filesize
552KB

MD5
e7c7df33c5b420eafe0b28041d45ca68

SHA1
dbb54240eacc45144fad0b37549dea048cf941af

SHA256
64d2f73da0c43602847c3c146a1766b709ff903919964c4e4ce8277f0bbbec6b

SHA512
3c43fd36236481fe151f784fcd206c0a9b2c73f93fa61a45b183148b96006164d99d41cdc663ba1850c10a00fdbaeb2bf836a714640efa08151f880f9b7761c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr176131.exe

Filesize
279KB

MD5
c9b6194907766aec794ef8a6b951c994

SHA1
f8febd1d4ed6bae992ea8426245b97949823a060

SHA256
b9847bdb09e5d59aee22d16648d8c628905154ef8900473dc1432bfeb96cf02e

SHA512
04b3f796f2e8c7ebe73028a5d184e1aeea5af8c530848e3037bd7e2948208ea84ac155a293f5f9048cc94630132f1896b420ec0097658546609affbedea0a652

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu877589.exe

Filesize
362KB

MD5
0d081f819c4d8818c5044db5754c6816

SHA1
988599019b530d3c2220e31f5562323c8d9b4af3

SHA256
8a34a854ea5390842a485c17afd7541ce659d285fd2fdc0d7cdce043089e81b2

SHA512
0c7614a122e5150fc3ac1e6ccded0d56bf235711aef548fb7773adb30f56a9d83827e1ca7c0062963679ad85292dc7fd16e94ffe58e109aafb90c48036cd8d79

Download Submit
memory/1332-16-0x0000000002CB0000-0x0000000002CDD000-memory.dmp

Filesize
180KB

Download
memory/1332-15-0x0000000002E40000-0x0000000002F40000-memory.dmp

Filesize
1024KB

Download
memory/1332-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1332-18-0x0000000004B80000-0x0000000004B9A000-memory.dmp

Filesize
104KB

Download
memory/1332-19-0x00000000073E0000-0x0000000007984000-memory.dmp

Filesize
5.6MB

Download
memory/1332-20-0x0000000004E30000-0x0000000004E48000-memory.dmp

Filesize
96KB

Download
memory/1332-22-0x0000000004E30000-0x0000000004E42000-memory.dmp

Filesize
72KB

Download
memory/1332-26-0x0000000004E30000-0x0000000004E42000-memory.dmp

Filesize
72KB

Download
memory/1332-46-0x0000000004E30000-0x0000000004E42000-memory.dmp

Filesize
72KB

Download
memory/1332-44-0x0000000004E30000-0x0000000004E42000-memory.dmp

Filesize
72KB

Download
memory/1332-42-0x0000000004E30000-0x0000000004E42000-memory.dmp

Filesize
72KB

Download
memory/1332-41-0x0000000004E30000-0x0000000004E42000-memory.dmp

Filesize
72KB

Download
memory/1332-38-0x0000000004E30000-0x0000000004E42000-memory.dmp

Filesize
72KB

Download
memory/1332-36-0x0000000004E30000-0x0000000004E42000-memory.dmp

Filesize
72KB

Download
memory/1332-35-0x0000000004E30000-0x0000000004E42000-memory.dmp

Filesize
72KB

Download
memory/1332-33-0x0000000004E30000-0x0000000004E42000-memory.dmp

Filesize
72KB

Download
memory/1332-30-0x0000000004E30000-0x0000000004E42000-memory.dmp

Filesize
72KB

Download
memory/1332-48-0x0000000004E30000-0x0000000004E42000-memory.dmp

Filesize
72KB

Download
memory/1332-28-0x0000000004E30000-0x0000000004E42000-memory.dmp

Filesize
72KB

Download
memory/1332-24-0x0000000004E30000-0x0000000004E42000-memory.dmp

Filesize
72KB

Download
memory/1332-21-0x0000000004E30000-0x0000000004E42000-memory.dmp

Filesize
72KB

Download
memory/1332-49-0x0000000002E40000-0x0000000002F40000-memory.dmp

Filesize
1024KB

Download
memory/1332-51-0x0000000002CB0000-0x0000000002CDD000-memory.dmp

Filesize
180KB

Download
memory/1332-50-0x0000000000400000-0x0000000002BAF000-memory.dmp

Filesize
39.7MB

Download
memory/1332-52-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1332-55-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1332-54-0x0000000000400000-0x0000000002BAF000-memory.dmp

Filesize
39.7MB

Download
memory/4928-60-0x0000000007010000-0x000000000704C000-memory.dmp

Filesize
240KB

Download
memory/4928-61-0x0000000007790000-0x00000000077CA000-memory.dmp

Filesize
232KB

Download
memory/4928-65-0x0000000007790000-0x00000000077C5000-memory.dmp

Filesize
212KB

Download
memory/4928-75-0x0000000007790000-0x00000000077C5000-memory.dmp

Filesize
212KB

Download
memory/4928-95-0x0000000007790000-0x00000000077C5000-memory.dmp

Filesize
212KB

Download
memory/4928-94-0x0000000007790000-0x00000000077C5000-memory.dmp

Filesize
212KB

Download
memory/4928-91-0x0000000007790000-0x00000000077C5000-memory.dmp

Filesize
212KB

Download
memory/4928-89-0x0000000007790000-0x00000000077C5000-memory.dmp

Filesize
212KB

Download
memory/4928-87-0x0000000007790000-0x00000000077C5000-memory.dmp

Filesize
212KB

Download
memory/4928-855-0x000000000A350000-0x000000000A362000-memory.dmp

Filesize
72KB

Download
memory/4928-856-0x000000000A370000-0x000000000A47A000-memory.dmp

Filesize
1.0MB

Download
memory/4928-854-0x0000000009C90000-0x000000000A2A8000-memory.dmp

Filesize
6.1MB

Download
memory/4928-85-0x0000000007790000-0x00000000077C5000-memory.dmp

Filesize
212KB

Download
memory/4928-84-0x0000000007790000-0x00000000077C5000-memory.dmp

Filesize
212KB

Download
memory/4928-81-0x0000000007790000-0x00000000077C5000-memory.dmp

Filesize
212KB

Download
memory/4928-79-0x0000000007790000-0x00000000077C5000-memory.dmp

Filesize
212KB

Download
memory/4928-77-0x0000000007790000-0x00000000077C5000-memory.dmp

Filesize
212KB

Download
memory/4928-73-0x0000000007790000-0x00000000077C5000-memory.dmp

Filesize
212KB

Download
memory/4928-71-0x0000000007790000-0x00000000077C5000-memory.dmp

Filesize
212KB

Download
memory/4928-69-0x0000000007790000-0x00000000077C5000-memory.dmp

Filesize
212KB

Download
memory/4928-67-0x0000000007790000-0x00000000077C5000-memory.dmp

Filesize
212KB

Download
memory/4928-63-0x0000000007790000-0x00000000077C5000-memory.dmp

Filesize
212KB

Download
memory/4928-62-0x0000000007790000-0x00000000077C5000-memory.dmp

Filesize
212KB

Download
memory/4928-857-0x000000000A4A0000-0x000000000A4DC000-memory.dmp

Filesize
240KB

Download
memory/4928-858-0x00000000049E0000-0x0000000004A2C000-memory.dmp

Filesize
304KB

Download