healer | eab3e27e19b610a1a1a8a23092835343e10f25e6c145be41f93e618a44e9bebb

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 04:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eab3e27e19b610a1a1a8a23092835343e10f25e6c145be41f93e618a44e9bebb.exe
Size

269KB
MD5

94d8582df5fde8a4f1e3e47b1a464b5f
SHA1

d466d7326164cb6b0f40497b3629c6ea070b4cd0
SHA256

eab3e27e19b610a1a1a8a23092835343e10f25e6c145be41f93e618a44e9bebb
SHA512

2752d4e804e948fd26610646437c48464006c080b01484fb1ef51644cf3d0c7ba2d10a4bab1f8913bb7834696bdb6251c3a048c586301ac5db55fc7925ad1af2
SSDEEP

6144:Khy+bnr+Sp0yN90QEf92P0yqvSnEFDtt6:7MrGy90ZEsyqv6az6

Score

10^/10

healer redline smoke dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

smoke

83.97.73.131:19071

Attributes

auth_value
aaa47198b84c95fcce9397339e8af9d4

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

Processes:

resource yara_rule

behavioral1/memory/3388-7-0x0000000000420000-0x000000000042A000-memory.dmp healer
behavioral1/memory/3388-12-0x0000000000400000-0x000000000041C000-memory.dmp healer
Healer
Healer an antivirus disabler dropper.
dropper healer

resource	yara_rule
behavioral1/memory/3388-7-0x0000000000420000-0x000000000042A000-memory.dmp	healer
behavioral1/memory/3388-12-0x0000000000400000-0x000000000041C000-memory.dmp	healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

k9557499.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k9557499.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k9557499.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k9557499.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k9557499.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k9557499.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k9557499.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4872-18-0x0000000000580000-0x00000000005B0000-memory.dmp	family_redline
behavioral1/memory/4872-22-0x0000000000400000-0x0000000000445000-memory.dmp	family_redline

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3388-7-0x0000000000420000-0x000000000042A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/3388-12-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender

Detects executables packed with ConfuserEx Mod 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4872-18-0x0000000000580000-0x00000000005B0000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/4872-22-0x0000000000400000-0x0000000000445000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx

Executes dropped EXE 2 IoCs

Processes:

k9557499.exel2120662.exe

pid process

3388 k9557499.exe
4872 l2120662.exe

pid	process
3388	k9557499.exe
4872	l2120662.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

k9557499.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k9557499.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k9557499.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

eab3e27e19b610a1a1a8a23092835343e10f25e6c145be41f93e618a44e9bebb.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	eab3e27e19b610a1a1a8a23092835343e10f25e6c145be41f93e618a44e9bebb.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

1372 sc.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

k9557499.exe

pid process

3388 k9557499.exe
3388 k9557499.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

k9557499.exe

description pid process

Token: SeDebugPrivilege 3388 k9557499.exe

pid	process
1372	sc.exe

pid	process
3388	k9557499.exe
3388	k9557499.exe

description	pid	process
Token: SeDebugPrivilege	3388	k9557499.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

eab3e27e19b610a1a1a8a23092835343e10f25e6c145be41f93e618a44e9bebb.exe

description	pid	process	target process
PID 1988 wrote to memory of 3388	1988	eab3e27e19b610a1a1a8a23092835343e10f25e6c145be41f93e618a44e9bebb.exe	k9557499.exe
PID 1988 wrote to memory of 3388	1988	eab3e27e19b610a1a1a8a23092835343e10f25e6c145be41f93e618a44e9bebb.exe	k9557499.exe
PID 1988 wrote to memory of 3388	1988	eab3e27e19b610a1a1a8a23092835343e10f25e6c145be41f93e618a44e9bebb.exe	k9557499.exe
PID 1988 wrote to memory of 4872	1988	eab3e27e19b610a1a1a8a23092835343e10f25e6c145be41f93e618a44e9bebb.exe	l2120662.exe
PID 1988 wrote to memory of 4872	1988	eab3e27e19b610a1a1a8a23092835343e10f25e6c145be41f93e618a44e9bebb.exe	l2120662.exe
PID 1988 wrote to memory of 4872	1988	eab3e27e19b610a1a1a8a23092835343e10f25e6c145be41f93e618a44e9bebb.exe	l2120662.exe

C:\Users\Admin\AppData\Local\Temp\eab3e27e19b610a1a1a8a23092835343e10f25e6c145be41f93e618a44e9bebb.exe
"C:\Users\Admin\AppData\Local\Temp\eab3e27e19b610a1a1a8a23092835343e10f25e6c145be41f93e618a44e9bebb.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1988

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k9557499.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k9557499.exe
2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3388

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l2120662.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l2120662.exe
2⤵
- Executes dropped EXE
PID:4872

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:1372

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k9557499.exe
Filesize
112KB

MD5
fa3a56cad8451afde73a3100b2f8a7eb

SHA1
75bb944648d199bca0b2c60aafef136d3cb8c470

SHA256
9714e35cad133ee52b73ca48c098ca49a89e6dca7ad94f4d52117609c63cedfe

SHA512
8d722f040939d9a486d7ce2bd16df3edf91e2d89bc06f3ba7e32a1170c763a6ae74dd43214e9303cd39c5861ecdc98ae86fc75a4fcdec75656910ab3297721bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l2120662.exe
Filesize
274KB

MD5
5d3bb93a0305b1f9b6a714973b62f767

SHA1
1367eff6f08640623b117164fcae05bc34cc36ad

SHA256
169ad6bc316a08fd5e2a6abe0b61812a084a075ad85e504bd050518dc14e43be

SHA512
9017373926ec1bb1f63e83d883ff6f960c23d4d2da64c09347d38d27679a9120bcd586432679fea29c9749a8ef1fa464111dde1059cb6149b5270e86676d64f1

Download Submit
memory/3388-7-0x0000000000420000-0x000000000042A000-memory.dmp

Filesize
40KB

Download
memory/3388-11-0x0000000000402000-0x0000000000405000-memory.dmp

Filesize
12KB

Download
memory/3388-12-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4872-22-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4872-18-0x0000000000580000-0x00000000005B0000-memory.dmp

Filesize
192KB

Download
memory/4872-24-0x00000000022C0000-0x00000000022C6000-memory.dmp

Filesize
24KB

Download
memory/4872-25-0x0000000009E70000-0x000000000A488000-memory.dmp

Filesize
6.1MB

Download
memory/4872-26-0x000000000A510000-0x000000000A61A000-memory.dmp

Filesize
1.0MB

Download
memory/4872-27-0x000000000A650000-0x000000000A662000-memory.dmp

Filesize
72KB

Download
memory/4872-28-0x000000000A670000-0x000000000A6AC000-memory.dmp

Filesize
240KB

Download
memory/4872-29-0x0000000004440000-0x000000000448C000-memory.dmp

Filesize
304KB

Download