healer | 9d428ebfd2751e01328a3b2c04333c6e6569575fb772f7efba8dffe708891044

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	iHU13nv79.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

defense_evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	iHU13nv79.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	iHU13nv79.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	iHU13nv79.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	iHU13nv79.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	iHU13nv79.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	iHU13nv79.exe

Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	iHU13nv79.exe

Modifies Windows Defender notification settings 3 TTPs 2 IoCs

defense_evasion trojan

Windows Service

Modify Registry

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications	iHU13nv79.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	iHU13nv79.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/4584-22-0x0000000002390000-0x00000000023D6000-memory.dmp	family_redline
behavioral1/memory/4584-24-0x0000000004CD0000-0x0000000004D14000-memory.dmp	family_redline
behavioral1/memory/4584-26-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4584-25-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4584-86-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4584-88-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4584-84-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4584-82-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4584-80-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4584-76-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4584-72-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4584-70-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4584-68-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4584-64-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4584-62-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4584-60-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4584-58-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4584-54-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4584-52-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4584-78-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4584-74-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4584-66-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4584-56-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4584-51-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4584-48-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4584-46-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4584-44-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4584-42-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4584-40-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4584-38-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4584-36-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4584-34-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4584-32-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4584-30-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4584-28-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline

Redline family
redline

Downloads MZ/PE file 1 IoCs

flow	pid	Process
27	540	Process not Found

Executes dropped EXE 3 IoCs

pid	Process
2856	szL92sP82.exe
652	iHU13nv79.exe
4584	kjY64Wt48.exe

Windows security modification 2 TTPs 1 IoCs

defense_evasion trojan

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	iHU13nv79.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9d428ebfd2751e01328a3b2c04333c6e6569575fb772f7efba8dffe708891044N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	szL92sP82.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9d428ebfd2751e01328a3b2c04333c6e6569575fb772f7efba8dffe708891044N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	szL92sP82.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kjY64Wt48.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
7064	MicrosoftEdgeUpdate.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
652	iHU13nv79.exe
652	iHU13nv79.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	652	iHU13nv79.exe
Token: SeDebugPrivilege	4584	kjY64Wt48.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3888 wrote to memory of 2856	3888	9d428ebfd2751e01328a3b2c04333c6e6569575fb772f7efba8dffe708891044N.exe	88
PID 3888 wrote to memory of 2856	3888	9d428ebfd2751e01328a3b2c04333c6e6569575fb772f7efba8dffe708891044N.exe	88
PID 3888 wrote to memory of 2856	3888	9d428ebfd2751e01328a3b2c04333c6e6569575fb772f7efba8dffe708891044N.exe	88
PID 2856 wrote to memory of 652	2856	szL92sP82.exe	89
PID 2856 wrote to memory of 652	2856	szL92sP82.exe	89
PID 2856 wrote to memory of 4584	2856	szL92sP82.exe	92
PID 2856 wrote to memory of 4584	2856	szL92sP82.exe	92
PID 2856 wrote to memory of 4584	2856	szL92sP82.exe	92

C:\Users\Admin\AppData\Local\Temp\9d428ebfd2751e01328a3b2c04333c6e6569575fb772f7efba8dffe708891044N.exe
"C:\Users\Admin\AppData\Local\Temp\9d428ebfd2751e01328a3b2c04333c6e6569575fb772f7efba8dffe708891044N.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3888
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\szL92sP82.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\szL92sP82.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iHU13nv79.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iHU13nv79.exe
    3⤵
    - Modifies Windows Defender DisableAntiSpyware settings
    - Modifies Windows Defender Real-time Protection settings
    - Modifies Windows Defender TamperProtection settings
    - Modifies Windows Defender notification settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:652
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kjY64Wt48.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kjY64Wt48.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4584

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QzhGQTFEOEQtOTJDQS00ODlBLUFGNDMtNkVCMjlCMzEzNUQxfSIgdXNlcmlkPSJ7OTE1Mjc1MUYtMDdBQS00M0JELTlBMjktRURBQjIxOTE0MzM3fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MjlERTZGMDYtNEEzQy00QUMzLUJGQzAtRTUzQUI5NkIxNzkzfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI0IiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODM0MTAiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NTUzNjg2NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MjcwNjM1MzczIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:7064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

Modify Registry