healer | 1b0729839d14f565e8de6c35f683e4cf6c401cc652ea06fe9d0da0c95e9abadd

Analysis

max time kernel
128s
max time network
142s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
10/07/2023, 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b0729839d14f565e8de6c35f683e4cf6c401cc652ea0.exe
Size

863KB
MD5

06277a03cdeaf29ddaf5419eb7b05b20
SHA1

96d63bf0038d66d8077141669a1518d99182f7a4
SHA256

1b0729839d14f565e8de6c35f683e4cf6c401cc652ea06fe9d0da0c95e9abadd
SHA512

794cd215922cf660883cafcb834c4962aca747bdb3f7240118c2924c6185b682946e037e200a92b1cac307ae2dca34919c8ce367b77c0a24ced47a21b4ba50ff
SSDEEP

12288:iMr/y90ORo/UpVjIROE5bDbVA0A/9OcuITijA8yeQbcHO+lLG9L8qwcnmJaqi:lyZOoqkWb/61OcVmS45dGALK

Score

10^/10

healer redline kira dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

kira

77.91.68.48:19071

Attributes

auth_value
1677a40fd8997eb89377e1681911e9c6

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral1/memory/2296-77-0x0000000000020000-0x000000000002A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k9734366.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k9734366.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k9734366.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k9734366.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k9734366.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k9734366.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
2168	y3907700.exe
2296	k9734366.exe
1328	l8065764.exe

Loads dropped DLL 8 IoCs

pid	Process
1072	1b0729839d14f565e8de6c35f683e4cf6c401cc652ea0.exe
2168	y3907700.exe
2168	y3907700.exe
2168	y3907700.exe
2296	k9734366.exe
2168	y3907700.exe
2168	y3907700.exe
1328	l8065764.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	k9734366.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k9734366.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1b0729839d14f565e8de6c35f683e4cf6c401cc652ea0.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y3907700.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y3907700.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	1b0729839d14f565e8de6c35f683e4cf6c401cc652ea0.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2296	k9734366.exe
2296	k9734366.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2296	k9734366.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 2168	1072	1b0729839d14f565e8de6c35f683e4cf6c401cc652ea0.exe	29
PID 1072 wrote to memory of 2168	1072	1b0729839d14f565e8de6c35f683e4cf6c401cc652ea0.exe	29
PID 1072 wrote to memory of 2168	1072	1b0729839d14f565e8de6c35f683e4cf6c401cc652ea0.exe	29
PID 1072 wrote to memory of 2168	1072	1b0729839d14f565e8de6c35f683e4cf6c401cc652ea0.exe	29
PID 1072 wrote to memory of 2168	1072	1b0729839d14f565e8de6c35f683e4cf6c401cc652ea0.exe	29
PID 1072 wrote to memory of 2168	1072	1b0729839d14f565e8de6c35f683e4cf6c401cc652ea0.exe	29
PID 1072 wrote to memory of 2168	1072	1b0729839d14f565e8de6c35f683e4cf6c401cc652ea0.exe	29
PID 2168 wrote to memory of 2296	2168	y3907700.exe	30
PID 2168 wrote to memory of 2296	2168	y3907700.exe	30
PID 2168 wrote to memory of 2296	2168	y3907700.exe	30
PID 2168 wrote to memory of 2296	2168	y3907700.exe	30
PID 2168 wrote to memory of 2296	2168	y3907700.exe	30
PID 2168 wrote to memory of 2296	2168	y3907700.exe	30
PID 2168 wrote to memory of 2296	2168	y3907700.exe	30
PID 2168 wrote to memory of 1328	2168	y3907700.exe	32
PID 2168 wrote to memory of 1328	2168	y3907700.exe	32
PID 2168 wrote to memory of 1328	2168	y3907700.exe	32
PID 2168 wrote to memory of 1328	2168	y3907700.exe	32
PID 2168 wrote to memory of 1328	2168	y3907700.exe	32
PID 2168 wrote to memory of 1328	2168	y3907700.exe	32
PID 2168 wrote to memory of 1328	2168	y3907700.exe	32

C:\Users\Admin\AppData\Local\Temp\1b0729839d14f565e8de6c35f683e4cf6c401cc652ea0.exe
"C:\Users\Admin\AppData\Local\Temp\1b0729839d14f565e8de6c35f683e4cf6c401cc652ea0.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3907700.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3907700.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9734366.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9734366.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2296
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8065764.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8065764.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3907700.exe

Filesize
679KB

MD5
e2f2a83987e8c3ec0be91997242a1245

SHA1
8fbe7c3c73521d2e43551408dea446b86b1f1320

SHA256
c0bad50a06332530825d6222df1a1a81be1efb53e40b430d958d41058b2da47d

SHA512
5f5819a08d3fefa1cf48ba1b1957e210bc3b9b2f54d179cf4643f2d2f892717215829817565ea0d729ec4adb218742283363ca3b496b2d08c4753358ef5b8908

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3907700.exe

Filesize
679KB

MD5
e2f2a83987e8c3ec0be91997242a1245

SHA1
8fbe7c3c73521d2e43551408dea446b86b1f1320

SHA256
c0bad50a06332530825d6222df1a1a81be1efb53e40b430d958d41058b2da47d

SHA512
5f5819a08d3fefa1cf48ba1b1957e210bc3b9b2f54d179cf4643f2d2f892717215829817565ea0d729ec4adb218742283363ca3b496b2d08c4753358ef5b8908

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9734366.exe

Filesize
530KB

MD5
1f7f9b823f8da6464138b0a8aa7b7541

SHA1
cc0101a0ab1d56618ee997b81ef69438256b62d7

SHA256
9deffa10cbae5f528b9441383f82380d1d39ecf55dd7128cd633c45dd5707b7d

SHA512
b409e220c5bbf887250a0de83f5e26c5013aa7a17b9ec107d0ea3e8861e052f0970d6e0c04df05d65f8c5856bb87209d9c6766dcf2f3beb65b881da7d2d91275

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9734366.exe

Filesize
530KB

MD5
1f7f9b823f8da6464138b0a8aa7b7541

SHA1
cc0101a0ab1d56618ee997b81ef69438256b62d7

SHA256
9deffa10cbae5f528b9441383f82380d1d39ecf55dd7128cd633c45dd5707b7d

SHA512
b409e220c5bbf887250a0de83f5e26c5013aa7a17b9ec107d0ea3e8861e052f0970d6e0c04df05d65f8c5856bb87209d9c6766dcf2f3beb65b881da7d2d91275

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9734366.exe

Filesize
530KB

MD5
1f7f9b823f8da6464138b0a8aa7b7541

SHA1
cc0101a0ab1d56618ee997b81ef69438256b62d7

SHA256
9deffa10cbae5f528b9441383f82380d1d39ecf55dd7128cd633c45dd5707b7d

SHA512
b409e220c5bbf887250a0de83f5e26c5013aa7a17b9ec107d0ea3e8861e052f0970d6e0c04df05d65f8c5856bb87209d9c6766dcf2f3beb65b881da7d2d91275

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8065764.exe

Filesize
692KB

MD5
5f7e66a3a98eea835c4abbcc1f166450

SHA1
717ff1c55cac3921a0ab7bfdcaa9d63906f11c00

SHA256
a9c1cbaa22561785d5e12b8dd1cfe72372c1f4c22510a503b68c450428518275

SHA512
10502dda88a78c477efb627d514728dd0ef8387380e8b336e7a4a586c8bbf2d24ffddb4518c96624d6a32d9a0a13370d153d08b32c0b1872842f8b8b6ca923aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8065764.exe

Filesize
692KB

MD5
5f7e66a3a98eea835c4abbcc1f166450

SHA1
717ff1c55cac3921a0ab7bfdcaa9d63906f11c00

SHA256
a9c1cbaa22561785d5e12b8dd1cfe72372c1f4c22510a503b68c450428518275

SHA512
10502dda88a78c477efb627d514728dd0ef8387380e8b336e7a4a586c8bbf2d24ffddb4518c96624d6a32d9a0a13370d153d08b32c0b1872842f8b8b6ca923aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8065764.exe

Filesize
692KB

MD5
5f7e66a3a98eea835c4abbcc1f166450

SHA1
717ff1c55cac3921a0ab7bfdcaa9d63906f11c00

SHA256
a9c1cbaa22561785d5e12b8dd1cfe72372c1f4c22510a503b68c450428518275

SHA512
10502dda88a78c477efb627d514728dd0ef8387380e8b336e7a4a586c8bbf2d24ffddb4518c96624d6a32d9a0a13370d153d08b32c0b1872842f8b8b6ca923aa

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3907700.exe

Filesize
679KB

MD5
e2f2a83987e8c3ec0be91997242a1245

SHA1
8fbe7c3c73521d2e43551408dea446b86b1f1320

SHA256
c0bad50a06332530825d6222df1a1a81be1efb53e40b430d958d41058b2da47d

SHA512
5f5819a08d3fefa1cf48ba1b1957e210bc3b9b2f54d179cf4643f2d2f892717215829817565ea0d729ec4adb218742283363ca3b496b2d08c4753358ef5b8908

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3907700.exe

Filesize
679KB

MD5
e2f2a83987e8c3ec0be91997242a1245

SHA1
8fbe7c3c73521d2e43551408dea446b86b1f1320

SHA256
c0bad50a06332530825d6222df1a1a81be1efb53e40b430d958d41058b2da47d

SHA512
5f5819a08d3fefa1cf48ba1b1957e210bc3b9b2f54d179cf4643f2d2f892717215829817565ea0d729ec4adb218742283363ca3b496b2d08c4753358ef5b8908

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9734366.exe

Filesize
530KB

MD5
1f7f9b823f8da6464138b0a8aa7b7541

SHA1
cc0101a0ab1d56618ee997b81ef69438256b62d7

SHA256
9deffa10cbae5f528b9441383f82380d1d39ecf55dd7128cd633c45dd5707b7d

SHA512
b409e220c5bbf887250a0de83f5e26c5013aa7a17b9ec107d0ea3e8861e052f0970d6e0c04df05d65f8c5856bb87209d9c6766dcf2f3beb65b881da7d2d91275

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9734366.exe

Filesize
530KB

MD5
1f7f9b823f8da6464138b0a8aa7b7541

SHA1
cc0101a0ab1d56618ee997b81ef69438256b62d7

SHA256
9deffa10cbae5f528b9441383f82380d1d39ecf55dd7128cd633c45dd5707b7d

SHA512
b409e220c5bbf887250a0de83f5e26c5013aa7a17b9ec107d0ea3e8861e052f0970d6e0c04df05d65f8c5856bb87209d9c6766dcf2f3beb65b881da7d2d91275

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9734366.exe

Filesize
530KB

MD5
1f7f9b823f8da6464138b0a8aa7b7541

SHA1
cc0101a0ab1d56618ee997b81ef69438256b62d7

SHA256
9deffa10cbae5f528b9441383f82380d1d39ecf55dd7128cd633c45dd5707b7d

SHA512
b409e220c5bbf887250a0de83f5e26c5013aa7a17b9ec107d0ea3e8861e052f0970d6e0c04df05d65f8c5856bb87209d9c6766dcf2f3beb65b881da7d2d91275

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8065764.exe

Filesize
692KB

MD5
5f7e66a3a98eea835c4abbcc1f166450

SHA1
717ff1c55cac3921a0ab7bfdcaa9d63906f11c00

SHA256
a9c1cbaa22561785d5e12b8dd1cfe72372c1f4c22510a503b68c450428518275

SHA512
10502dda88a78c477efb627d514728dd0ef8387380e8b336e7a4a586c8bbf2d24ffddb4518c96624d6a32d9a0a13370d153d08b32c0b1872842f8b8b6ca923aa

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8065764.exe

Filesize
692KB

MD5
5f7e66a3a98eea835c4abbcc1f166450

SHA1
717ff1c55cac3921a0ab7bfdcaa9d63906f11c00

SHA256
a9c1cbaa22561785d5e12b8dd1cfe72372c1f4c22510a503b68c450428518275

SHA512
10502dda88a78c477efb627d514728dd0ef8387380e8b336e7a4a586c8bbf2d24ffddb4518c96624d6a32d9a0a13370d153d08b32c0b1872842f8b8b6ca923aa

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8065764.exe

Filesize
692KB

MD5
5f7e66a3a98eea835c4abbcc1f166450

SHA1
717ff1c55cac3921a0ab7bfdcaa9d63906f11c00

SHA256
a9c1cbaa22561785d5e12b8dd1cfe72372c1f4c22510a503b68c450428518275

SHA512
10502dda88a78c477efb627d514728dd0ef8387380e8b336e7a4a586c8bbf2d24ffddb4518c96624d6a32d9a0a13370d153d08b32c0b1872842f8b8b6ca923aa

Download Submit
memory/1328-91-0x0000000000250000-0x0000000000280000-memory.dmp

Filesize
192KB

Download
memory/1328-95-0x0000000000550000-0x0000000000556000-memory.dmp

Filesize
24KB

Download
memory/1328-96-0x0000000004B50000-0x0000000004B90000-memory.dmp

Filesize
256KB

Download
memory/1328-97-0x0000000004B50000-0x0000000004B90000-memory.dmp

Filesize
256KB

Download
memory/2296-77-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download