healer | d7e549998d7972f0632ac70615d6d8beeb4c367924c56def8dd2bc94a13f3989

Analysis

max time kernel
127s
max time network
143s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
10/07/2023, 18:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7e549998d7972f0632ac7061.exe
Size

538KB
MD5

e3ed3fad0f285e38a8a07319ebd81c34
SHA1

a277e5a91d58678a852acf8f3b991f0787b98755
SHA256

d7e549998d7972f0632ac70615d6d8beeb4c367924c56def8dd2bc94a13f3989
SHA512

70a2947e02d4a5fac0cc9e993e88799881c18ec00e74b6f8cb7980b06525afd3778a2772c7e9ab5f0b4513acf95487877c082c15d8b3d7da2e80f3d4e254a201
SSDEEP

12288:+OgHf5z47LRsq7dNTAEvCxMuer63qg77lVEQV1CT:o/547Leq7dmEaxMu2639773EA1W

Score

10^/10

healer redline kira dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

kira

77.91.68.48:19071

Attributes

auth_value
1677a40fd8997eb89377e1681911e9c6

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral1/memory/2200-83-0x0000000000020000-0x000000000002A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k0692754.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k0692754.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k0692754.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k0692754.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k0692754.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k0692754.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
1436	y3593981.exe
2200	k0692754.exe
3008	l6567078.exe

Loads dropped DLL 8 IoCs

pid	Process
2320	d7e549998d7972f0632ac7061.exe
1436	y3593981.exe
1436	y3593981.exe
1436	y3593981.exe
2200	k0692754.exe
1436	y3593981.exe
1436	y3593981.exe
3008	l6567078.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	k0692754.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k0692754.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y3593981.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d7e549998d7972f0632ac7061.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d7e549998d7972f0632ac7061.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y3593981.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2200	k0692754.exe
2200	k0692754.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2200	k0692754.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 1436	2320	d7e549998d7972f0632ac7061.exe	30
PID 2320 wrote to memory of 1436	2320	d7e549998d7972f0632ac7061.exe	30
PID 2320 wrote to memory of 1436	2320	d7e549998d7972f0632ac7061.exe	30
PID 2320 wrote to memory of 1436	2320	d7e549998d7972f0632ac7061.exe	30
PID 2320 wrote to memory of 1436	2320	d7e549998d7972f0632ac7061.exe	30
PID 2320 wrote to memory of 1436	2320	d7e549998d7972f0632ac7061.exe	30
PID 2320 wrote to memory of 1436	2320	d7e549998d7972f0632ac7061.exe	30
PID 1436 wrote to memory of 2200	1436	y3593981.exe	31
PID 1436 wrote to memory of 2200	1436	y3593981.exe	31
PID 1436 wrote to memory of 2200	1436	y3593981.exe	31
PID 1436 wrote to memory of 2200	1436	y3593981.exe	31
PID 1436 wrote to memory of 2200	1436	y3593981.exe	31
PID 1436 wrote to memory of 2200	1436	y3593981.exe	31
PID 1436 wrote to memory of 2200	1436	y3593981.exe	31
PID 1436 wrote to memory of 3008	1436	y3593981.exe	33
PID 1436 wrote to memory of 3008	1436	y3593981.exe	33
PID 1436 wrote to memory of 3008	1436	y3593981.exe	33
PID 1436 wrote to memory of 3008	1436	y3593981.exe	33
PID 1436 wrote to memory of 3008	1436	y3593981.exe	33
PID 1436 wrote to memory of 3008	1436	y3593981.exe	33
PID 1436 wrote to memory of 3008	1436	y3593981.exe	33

C:\Users\Admin\AppData\Local\Temp\d7e549998d7972f0632ac7061.exe
"C:\Users\Admin\AppData\Local\Temp\d7e549998d7972f0632ac7061.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3593981.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3593981.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0692754.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0692754.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2200
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6567078.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6567078.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3593981.exe

Filesize
261KB

MD5
8b2e7cf893f9a630274300f463bf3628

SHA1
f827a989534c79bba0540dbd8077b9d7a1b728c2

SHA256
b33fd2cd803c653acdf4b5b624043b99d0f71901a0b3caa41f69c91acd1dabf9

SHA512
bd0834d0662b99f3d3608aa5615b291de43626b4f04b4c703b290cbcab539f1c2d66c1caf002a52ad7e95b2ebf668d9ef70bef6a8130b83c342e6eb2580af9f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3593981.exe

Filesize
261KB

MD5
8b2e7cf893f9a630274300f463bf3628

SHA1
f827a989534c79bba0540dbd8077b9d7a1b728c2

SHA256
b33fd2cd803c653acdf4b5b624043b99d0f71901a0b3caa41f69c91acd1dabf9

SHA512
bd0834d0662b99f3d3608aa5615b291de43626b4f04b4c703b290cbcab539f1c2d66c1caf002a52ad7e95b2ebf668d9ef70bef6a8130b83c342e6eb2580af9f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0692754.exe

Filesize
104KB

MD5
dee5841b553cf321113061b5e0813488

SHA1
668f025ff6216e7df66746a0a9b12d7235625bf0

SHA256
41b86f848da54387c1c982a9690093b4497a174823e780c140706804a800987d

SHA512
a8e33f5c9f1dc9c4e635fe2e84c74d9c9153d21a34f08321b68029f448b98c225471a9f9bd2152f607de370dcd5f7eac275b38297bf35e3548b931123a3838ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0692754.exe

Filesize
104KB

MD5
dee5841b553cf321113061b5e0813488

SHA1
668f025ff6216e7df66746a0a9b12d7235625bf0

SHA256
41b86f848da54387c1c982a9690093b4497a174823e780c140706804a800987d

SHA512
a8e33f5c9f1dc9c4e635fe2e84c74d9c9153d21a34f08321b68029f448b98c225471a9f9bd2152f607de370dcd5f7eac275b38297bf35e3548b931123a3838ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0692754.exe

Filesize
104KB

MD5
dee5841b553cf321113061b5e0813488

SHA1
668f025ff6216e7df66746a0a9b12d7235625bf0

SHA256
41b86f848da54387c1c982a9690093b4497a174823e780c140706804a800987d

SHA512
a8e33f5c9f1dc9c4e635fe2e84c74d9c9153d21a34f08321b68029f448b98c225471a9f9bd2152f607de370dcd5f7eac275b38297bf35e3548b931123a3838ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6567078.exe

Filesize
266KB

MD5
d2b3c4c2860b8bc4c5d126911e89df27

SHA1
0231b20f5b795435a7d26ca41e21b9d5af9f1579

SHA256
5e8fccd4da94804c12c5fb6f34ce7a6eb1935bc8d254b4ad3412307528e4ded5

SHA512
2cf6871b911f49da89876a7952049f46a7f85154277cf59d0f9c5af95dc9d8982f9dfdf973e969d1b0e27691cb24753f0c63ac3e7f8b38cd00ea03a56f213e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6567078.exe

Filesize
266KB

MD5
d2b3c4c2860b8bc4c5d126911e89df27

SHA1
0231b20f5b795435a7d26ca41e21b9d5af9f1579

SHA256
5e8fccd4da94804c12c5fb6f34ce7a6eb1935bc8d254b4ad3412307528e4ded5

SHA512
2cf6871b911f49da89876a7952049f46a7f85154277cf59d0f9c5af95dc9d8982f9dfdf973e969d1b0e27691cb24753f0c63ac3e7f8b38cd00ea03a56f213e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6567078.exe

Filesize
266KB

MD5
d2b3c4c2860b8bc4c5d126911e89df27

SHA1
0231b20f5b795435a7d26ca41e21b9d5af9f1579

SHA256
5e8fccd4da94804c12c5fb6f34ce7a6eb1935bc8d254b4ad3412307528e4ded5

SHA512
2cf6871b911f49da89876a7952049f46a7f85154277cf59d0f9c5af95dc9d8982f9dfdf973e969d1b0e27691cb24753f0c63ac3e7f8b38cd00ea03a56f213e6e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3593981.exe

Filesize
261KB

MD5
8b2e7cf893f9a630274300f463bf3628

SHA1
f827a989534c79bba0540dbd8077b9d7a1b728c2

SHA256
b33fd2cd803c653acdf4b5b624043b99d0f71901a0b3caa41f69c91acd1dabf9

SHA512
bd0834d0662b99f3d3608aa5615b291de43626b4f04b4c703b290cbcab539f1c2d66c1caf002a52ad7e95b2ebf668d9ef70bef6a8130b83c342e6eb2580af9f4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3593981.exe

Filesize
261KB

MD5
8b2e7cf893f9a630274300f463bf3628

SHA1
f827a989534c79bba0540dbd8077b9d7a1b728c2

SHA256
b33fd2cd803c653acdf4b5b624043b99d0f71901a0b3caa41f69c91acd1dabf9

SHA512
bd0834d0662b99f3d3608aa5615b291de43626b4f04b4c703b290cbcab539f1c2d66c1caf002a52ad7e95b2ebf668d9ef70bef6a8130b83c342e6eb2580af9f4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0692754.exe

Filesize
104KB

MD5
dee5841b553cf321113061b5e0813488

SHA1
668f025ff6216e7df66746a0a9b12d7235625bf0

SHA256
41b86f848da54387c1c982a9690093b4497a174823e780c140706804a800987d

SHA512
a8e33f5c9f1dc9c4e635fe2e84c74d9c9153d21a34f08321b68029f448b98c225471a9f9bd2152f607de370dcd5f7eac275b38297bf35e3548b931123a3838ac

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0692754.exe

Filesize
104KB

MD5
dee5841b553cf321113061b5e0813488

SHA1
668f025ff6216e7df66746a0a9b12d7235625bf0

SHA256
41b86f848da54387c1c982a9690093b4497a174823e780c140706804a800987d

SHA512
a8e33f5c9f1dc9c4e635fe2e84c74d9c9153d21a34f08321b68029f448b98c225471a9f9bd2152f607de370dcd5f7eac275b38297bf35e3548b931123a3838ac

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0692754.exe

Filesize
104KB

MD5
dee5841b553cf321113061b5e0813488

SHA1
668f025ff6216e7df66746a0a9b12d7235625bf0

SHA256
41b86f848da54387c1c982a9690093b4497a174823e780c140706804a800987d

SHA512
a8e33f5c9f1dc9c4e635fe2e84c74d9c9153d21a34f08321b68029f448b98c225471a9f9bd2152f607de370dcd5f7eac275b38297bf35e3548b931123a3838ac

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6567078.exe

Filesize
266KB

MD5
d2b3c4c2860b8bc4c5d126911e89df27

SHA1
0231b20f5b795435a7d26ca41e21b9d5af9f1579

SHA256
5e8fccd4da94804c12c5fb6f34ce7a6eb1935bc8d254b4ad3412307528e4ded5

SHA512
2cf6871b911f49da89876a7952049f46a7f85154277cf59d0f9c5af95dc9d8982f9dfdf973e969d1b0e27691cb24753f0c63ac3e7f8b38cd00ea03a56f213e6e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6567078.exe

Filesize
266KB

MD5
d2b3c4c2860b8bc4c5d126911e89df27

SHA1
0231b20f5b795435a7d26ca41e21b9d5af9f1579

SHA256
5e8fccd4da94804c12c5fb6f34ce7a6eb1935bc8d254b4ad3412307528e4ded5

SHA512
2cf6871b911f49da89876a7952049f46a7f85154277cf59d0f9c5af95dc9d8982f9dfdf973e969d1b0e27691cb24753f0c63ac3e7f8b38cd00ea03a56f213e6e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6567078.exe

Filesize
266KB

MD5
d2b3c4c2860b8bc4c5d126911e89df27

SHA1
0231b20f5b795435a7d26ca41e21b9d5af9f1579

SHA256
5e8fccd4da94804c12c5fb6f34ce7a6eb1935bc8d254b4ad3412307528e4ded5

SHA512
2cf6871b911f49da89876a7952049f46a7f85154277cf59d0f9c5af95dc9d8982f9dfdf973e969d1b0e27691cb24753f0c63ac3e7f8b38cd00ea03a56f213e6e

Download Submit
memory/2200-83-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download
memory/2320-54-0x0000000000490000-0x0000000000504000-memory.dmp

Filesize
464KB

Download
memory/3008-97-0x0000000000250000-0x0000000000280000-memory.dmp

Filesize
192KB

Download
memory/3008-101-0x0000000000450000-0x0000000000456000-memory.dmp

Filesize
24KB

Download
memory/3008-102-0x0000000004940000-0x0000000004980000-memory.dmp

Filesize
256KB

Download
memory/3008-103-0x0000000004940000-0x0000000004980000-memory.dmp

Filesize
256KB

Download