healer | c1129f478c55d730a920993767b31afdc9c6889d7527c17507e8b1a9978d7c9e

Analysis

max time kernel
114s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2024 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1129f478c55d730a920993767b31afdc9c6889d7527c17507e8b1a9978d7c9e.exe
Size

706KB
MD5

a1d0a69538555fc7b532da1879efff21
SHA1

c6452f1170229cb0417438a6ab495457b13c0081
SHA256

c1129f478c55d730a920993767b31afdc9c6889d7527c17507e8b1a9978d7c9e
SHA512

402735791e80cca94323b30bf0876c171fde1643aee441aad073555979b7dd33de099906a0348162a62150426d848219bdcde6519a2884cdb453dd07981d0c2a
SSDEEP

12288:Ly90fPqxOKqsTtsZT9dwiOpMzChsLJTFXO8I1MM38QQYXbnWJpFl:Ly8PIOGts19WiOyxZFtM33bnWDFl

Score

10^/10

healer redline discovery dropper evasion infostealer persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/1840-18-0x0000000004800000-0x000000000481A000-memory.dmp	healer
behavioral1/memory/1840-20-0x0000000007130000-0x0000000007148000-memory.dmp	healer
behavioral1/memory/1840-48-0x0000000007130000-0x0000000007142000-memory.dmp	healer
behavioral1/memory/1840-46-0x0000000007130000-0x0000000007142000-memory.dmp	healer
behavioral1/memory/1840-44-0x0000000007130000-0x0000000007142000-memory.dmp	healer
behavioral1/memory/1840-42-0x0000000007130000-0x0000000007142000-memory.dmp	healer
behavioral1/memory/1840-40-0x0000000007130000-0x0000000007142000-memory.dmp	healer
behavioral1/memory/1840-38-0x0000000007130000-0x0000000007142000-memory.dmp	healer
behavioral1/memory/1840-36-0x0000000007130000-0x0000000007142000-memory.dmp	healer
behavioral1/memory/1840-34-0x0000000007130000-0x0000000007142000-memory.dmp	healer
behavioral1/memory/1840-32-0x0000000007130000-0x0000000007142000-memory.dmp	healer
behavioral1/memory/1840-30-0x0000000007130000-0x0000000007142000-memory.dmp	healer
behavioral1/memory/1840-28-0x0000000007130000-0x0000000007142000-memory.dmp	healer
behavioral1/memory/1840-26-0x0000000007130000-0x0000000007142000-memory.dmp	healer
behavioral1/memory/1840-24-0x0000000007130000-0x0000000007142000-memory.dmp	healer
behavioral1/memory/1840-22-0x0000000007130000-0x0000000007142000-memory.dmp	healer
behavioral1/memory/1840-21-0x0000000007130000-0x0000000007142000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr794130.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr794130.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr794130.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr794130.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr794130.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr794130.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/3152-60-0x0000000004C10000-0x0000000004C4C000-memory.dmp	family_redline
behavioral1/memory/3152-61-0x00000000077A0000-0x00000000077DA000-memory.dmp	family_redline
behavioral1/memory/3152-62-0x00000000077A0000-0x00000000077D5000-memory.dmp	family_redline
behavioral1/memory/3152-63-0x00000000077A0000-0x00000000077D5000-memory.dmp	family_redline
behavioral1/memory/3152-85-0x00000000077A0000-0x00000000077D5000-memory.dmp	family_redline
behavioral1/memory/3152-95-0x00000000077A0000-0x00000000077D5000-memory.dmp	family_redline
behavioral1/memory/3152-93-0x00000000077A0000-0x00000000077D5000-memory.dmp	family_redline
behavioral1/memory/3152-91-0x00000000077A0000-0x00000000077D5000-memory.dmp	family_redline
behavioral1/memory/3152-89-0x00000000077A0000-0x00000000077D5000-memory.dmp	family_redline
behavioral1/memory/3152-87-0x00000000077A0000-0x00000000077D5000-memory.dmp	family_redline
behavioral1/memory/3152-83-0x00000000077A0000-0x00000000077D5000-memory.dmp	family_redline
behavioral1/memory/3152-81-0x00000000077A0000-0x00000000077D5000-memory.dmp	family_redline
behavioral1/memory/3152-79-0x00000000077A0000-0x00000000077D5000-memory.dmp	family_redline
behavioral1/memory/3152-77-0x00000000077A0000-0x00000000077D5000-memory.dmp	family_redline
behavioral1/memory/3152-75-0x00000000077A0000-0x00000000077D5000-memory.dmp	family_redline
behavioral1/memory/3152-73-0x00000000077A0000-0x00000000077D5000-memory.dmp	family_redline
behavioral1/memory/3152-71-0x00000000077A0000-0x00000000077D5000-memory.dmp	family_redline
behavioral1/memory/3152-69-0x00000000077A0000-0x00000000077D5000-memory.dmp	family_redline
behavioral1/memory/3152-67-0x00000000077A0000-0x00000000077D5000-memory.dmp	family_redline
behavioral1/memory/3152-65-0x00000000077A0000-0x00000000077D5000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
2496	un414789.exe
1840	pr794130.exe
3152	qu312094.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr794130.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr794130.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c1129f478c55d730a920993767b31afdc9c6889d7527c17507e8b1a9978d7c9e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un414789.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1824	1840	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c1129f478c55d730a920993767b31afdc9c6889d7527c17507e8b1a9978d7c9e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un414789.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pr794130.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu312094.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1840	pr794130.exe
1840	pr794130.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1840	pr794130.exe
Token: SeDebugPrivilege	3152	qu312094.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2496	2060	c1129f478c55d730a920993767b31afdc9c6889d7527c17507e8b1a9978d7c9e.exe	83
PID 2060 wrote to memory of 2496	2060	c1129f478c55d730a920993767b31afdc9c6889d7527c17507e8b1a9978d7c9e.exe	83
PID 2060 wrote to memory of 2496	2060	c1129f478c55d730a920993767b31afdc9c6889d7527c17507e8b1a9978d7c9e.exe	83
PID 2496 wrote to memory of 1840	2496	un414789.exe	84
PID 2496 wrote to memory of 1840	2496	un414789.exe	84
PID 2496 wrote to memory of 1840	2496	un414789.exe	84
PID 2496 wrote to memory of 3152	2496	un414789.exe	96
PID 2496 wrote to memory of 3152	2496	un414789.exe	96
PID 2496 wrote to memory of 3152	2496	un414789.exe	96

C:\Users\Admin\AppData\Local\Temp\c1129f478c55d730a920993767b31afdc9c6889d7527c17507e8b1a9978d7c9e.exe
"C:\Users\Admin\AppData\Local\Temp\c1129f478c55d730a920993767b31afdc9c6889d7527c17507e8b1a9978d7c9e.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un414789.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un414789.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr794130.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr794130.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1840
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 1084
      4⤵
      Program crash
      PID:1824
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu312094.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu312094.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1840 -ip 1840
1⤵
PID:1180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un414789.exe

Filesize
552KB

MD5
6d967e4227d04dea09d2f6f3e3427f06

SHA1
4e8e8c3cd891f64882ff167dea272c8b427cc600

SHA256
4d6e7d5fd6f03b315041b90fa00db67a31a112811ad28bcb4c864ad62c5b04cc

SHA512
c5d0128f2f072a55c97f48cf106abbfe877b169e85c6a4cd312f16891a31312f02063f95e91e448952e8e89aa414ddcfc1c7165643d9bed792b75620a1d692c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr794130.exe

Filesize
278KB

MD5
c76f66bd408c1bf54d0b172bebbddc3e

SHA1
68f9ca03e37994188199ead5f7aac420269f50a4

SHA256
8a8992192dd22eea1fc7934bf589ec456b7d473271e2f41329a33070956bf50d

SHA512
02487782e303ebfc98f1e6c8b9cafe6f120eeaf25fd9f84e1eb0c87f8b5fa6a129bb4857c4d57a6d74081103c81ff3935dc8009ddf578f8093895fa0376b6e77

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu312094.exe

Filesize
359KB

MD5
9376ecbd2f1a4236147e463ff69f9206

SHA1
3f30695dbaf5f6b0244d6a8a9ee402302f4360c0

SHA256
8df33361084fe28fd2483e4d8c902b274017ad7915feed1b779a24ebbde74354

SHA512
9a1ea9d61160baba6b4fc92e62d95cb91011942a2de7119b5d895dc209d267e9a16a48e0437b805b8677a60242e32d45360f7f01bb3752c0b721743bec04ca07

Download Submit
memory/1840-15-0x0000000002D40000-0x0000000002E40000-memory.dmp

Filesize
1024KB

Download
memory/1840-16-0x0000000002BA0000-0x0000000002BCD000-memory.dmp

Filesize
180KB

Download
memory/1840-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1840-18-0x0000000004800000-0x000000000481A000-memory.dmp

Filesize
104KB

Download
memory/1840-19-0x0000000007290000-0x0000000007834000-memory.dmp

Filesize
5.6MB

Download
memory/1840-20-0x0000000007130000-0x0000000007148000-memory.dmp

Filesize
96KB

Download
memory/1840-48-0x0000000007130000-0x0000000007142000-memory.dmp

Filesize
72KB

Download
memory/1840-46-0x0000000007130000-0x0000000007142000-memory.dmp

Filesize
72KB

Download
memory/1840-44-0x0000000007130000-0x0000000007142000-memory.dmp

Filesize
72KB

Download
memory/1840-42-0x0000000007130000-0x0000000007142000-memory.dmp

Filesize
72KB

Download
memory/1840-40-0x0000000007130000-0x0000000007142000-memory.dmp

Filesize
72KB

Download
memory/1840-38-0x0000000007130000-0x0000000007142000-memory.dmp

Filesize
72KB

Download
memory/1840-36-0x0000000007130000-0x0000000007142000-memory.dmp

Filesize
72KB

Download
memory/1840-34-0x0000000007130000-0x0000000007142000-memory.dmp

Filesize
72KB

Download
memory/1840-32-0x0000000007130000-0x0000000007142000-memory.dmp

Filesize
72KB

Download
memory/1840-30-0x0000000007130000-0x0000000007142000-memory.dmp

Filesize
72KB

Download
memory/1840-28-0x0000000007130000-0x0000000007142000-memory.dmp

Filesize
72KB

Download
memory/1840-26-0x0000000007130000-0x0000000007142000-memory.dmp

Filesize
72KB

Download
memory/1840-24-0x0000000007130000-0x0000000007142000-memory.dmp

Filesize
72KB

Download
memory/1840-22-0x0000000007130000-0x0000000007142000-memory.dmp

Filesize
72KB

Download
memory/1840-21-0x0000000007130000-0x0000000007142000-memory.dmp

Filesize
72KB

Download
memory/1840-49-0x0000000002D40000-0x0000000002E40000-memory.dmp

Filesize
1024KB

Download
memory/1840-50-0x0000000002BA0000-0x0000000002BCD000-memory.dmp

Filesize
180KB

Download
memory/1840-51-0x0000000000400000-0x0000000002B9F000-memory.dmp

Filesize
39.6MB

Download
memory/1840-52-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1840-55-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1840-54-0x0000000000400000-0x0000000002B9F000-memory.dmp

Filesize
39.6MB

Download
memory/3152-60-0x0000000004C10000-0x0000000004C4C000-memory.dmp

Filesize
240KB

Download
memory/3152-61-0x00000000077A0000-0x00000000077DA000-memory.dmp

Filesize
232KB

Download
memory/3152-62-0x00000000077A0000-0x00000000077D5000-memory.dmp

Filesize
212KB

Download
memory/3152-63-0x00000000077A0000-0x00000000077D5000-memory.dmp

Filesize
212KB

Download
memory/3152-85-0x00000000077A0000-0x00000000077D5000-memory.dmp

Filesize
212KB

Download
memory/3152-95-0x00000000077A0000-0x00000000077D5000-memory.dmp

Filesize
212KB

Download
memory/3152-93-0x00000000077A0000-0x00000000077D5000-memory.dmp

Filesize
212KB

Download
memory/3152-91-0x00000000077A0000-0x00000000077D5000-memory.dmp

Filesize
212KB

Download
memory/3152-89-0x00000000077A0000-0x00000000077D5000-memory.dmp

Filesize
212KB

Download
memory/3152-87-0x00000000077A0000-0x00000000077D5000-memory.dmp

Filesize
212KB

Download
memory/3152-83-0x00000000077A0000-0x00000000077D5000-memory.dmp

Filesize
212KB

Download
memory/3152-81-0x00000000077A0000-0x00000000077D5000-memory.dmp

Filesize
212KB

Download
memory/3152-79-0x00000000077A0000-0x00000000077D5000-memory.dmp

Filesize
212KB

Download
memory/3152-77-0x00000000077A0000-0x00000000077D5000-memory.dmp

Filesize
212KB

Download
memory/3152-75-0x00000000077A0000-0x00000000077D5000-memory.dmp

Filesize
212KB

Download
memory/3152-73-0x00000000077A0000-0x00000000077D5000-memory.dmp

Filesize
212KB

Download
memory/3152-71-0x00000000077A0000-0x00000000077D5000-memory.dmp

Filesize
212KB

Download
memory/3152-69-0x00000000077A0000-0x00000000077D5000-memory.dmp

Filesize
212KB

Download
memory/3152-67-0x00000000077A0000-0x00000000077D5000-memory.dmp

Filesize
212KB

Download
memory/3152-65-0x00000000077A0000-0x00000000077D5000-memory.dmp

Filesize
212KB

Download
memory/3152-854-0x0000000009CA0000-0x000000000A2B8000-memory.dmp

Filesize
6.1MB

Download
memory/3152-855-0x000000000A340000-0x000000000A352000-memory.dmp

Filesize
72KB

Download
memory/3152-856-0x000000000A360000-0x000000000A46A000-memory.dmp

Filesize
1.0MB

Download
memory/3152-857-0x000000000A480000-0x000000000A4BC000-memory.dmp

Filesize
240KB

Download
memory/3152-858-0x0000000004830000-0x000000000487C000-memory.dmp

Filesize
304KB

Download