healer | edd2dc4b0833fb089b241f0a2493766d2c70efaf339162462672af68ea310e43

Analysis

max time kernel
128s
max time network
144s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
10/07/2023, 18:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dda01c237c5a096170569ede1.exe
Size

538KB
MD5

dda01c237c5a096170569ede178fd7fa
SHA1

763e08f979c863fcd77b327f216ad407555d78b7
SHA256

edd2dc4b0833fb089b241f0a2493766d2c70efaf339162462672af68ea310e43
SHA512

be51481d3573444d5107471e4716118d71a2bb44d9a231bb3efe6dfff3c806ac6d6c29c987429be59766d3b5c0db186ef56dd93f4889b0f9972fd469ac14d638
SSDEEP

12288:a08ajz47lupda9C3Bw2UJ4M0BQEjM3En46MD2:xn47ApdaCxwDJPQME46Q

Score

10^/10

healer redline kira dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

kira

77.91.68.48:19071

Attributes

auth_value
1677a40fd8997eb89377e1681911e9c6

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral1/memory/624-83-0x0000000000020000-0x000000000002A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k3313261.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k3313261.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k3313261.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k3313261.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k3313261.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k3313261.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
1928	y3709405.exe
624	k3313261.exe
2228	l5243723.exe

Loads dropped DLL 8 IoCs

pid	Process
2824	dda01c237c5a096170569ede1.exe
1928	y3709405.exe
1928	y3709405.exe
1928	y3709405.exe
624	k3313261.exe
1928	y3709405.exe
1928	y3709405.exe
2228	l5243723.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	k3313261.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k3313261.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y3709405.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y3709405.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	dda01c237c5a096170569ede1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	dda01c237c5a096170569ede1.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
624	k3313261.exe
624	k3313261.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	624	k3313261.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 1928	2824	dda01c237c5a096170569ede1.exe	28
PID 2824 wrote to memory of 1928	2824	dda01c237c5a096170569ede1.exe	28
PID 2824 wrote to memory of 1928	2824	dda01c237c5a096170569ede1.exe	28
PID 2824 wrote to memory of 1928	2824	dda01c237c5a096170569ede1.exe	28
PID 2824 wrote to memory of 1928	2824	dda01c237c5a096170569ede1.exe	28
PID 2824 wrote to memory of 1928	2824	dda01c237c5a096170569ede1.exe	28
PID 2824 wrote to memory of 1928	2824	dda01c237c5a096170569ede1.exe	28
PID 1928 wrote to memory of 624	1928	y3709405.exe	29
PID 1928 wrote to memory of 624	1928	y3709405.exe	29
PID 1928 wrote to memory of 624	1928	y3709405.exe	29
PID 1928 wrote to memory of 624	1928	y3709405.exe	29
PID 1928 wrote to memory of 624	1928	y3709405.exe	29
PID 1928 wrote to memory of 624	1928	y3709405.exe	29
PID 1928 wrote to memory of 624	1928	y3709405.exe	29
PID 1928 wrote to memory of 2228	1928	y3709405.exe	31
PID 1928 wrote to memory of 2228	1928	y3709405.exe	31
PID 1928 wrote to memory of 2228	1928	y3709405.exe	31
PID 1928 wrote to memory of 2228	1928	y3709405.exe	31
PID 1928 wrote to memory of 2228	1928	y3709405.exe	31
PID 1928 wrote to memory of 2228	1928	y3709405.exe	31
PID 1928 wrote to memory of 2228	1928	y3709405.exe	31

C:\Users\Admin\AppData\Local\Temp\dda01c237c5a096170569ede1.exe
"C:\Users\Admin\AppData\Local\Temp\dda01c237c5a096170569ede1.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3709405.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3709405.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3313261.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3313261.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:624
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5243723.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5243723.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3709405.exe

Filesize
261KB

MD5
5c337651e659f0fdf6b2985370c10296

SHA1
d1ed1e012b0bcb16ceceacac9b7f6f28f8db8ac9

SHA256
65dbaf45456a3d87e3ea00e8aaff49c25472b0bc27ff3b0b1db5d8c39147565b

SHA512
fe624bb86b61d39d460fcb97de6220907c938d468f7222e33b5ed9dac4d2243989c7c0592b37c64c1421096c322f34c8dc7106138bc195f8f23f1f3b50907bad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3709405.exe

Filesize
261KB

MD5
5c337651e659f0fdf6b2985370c10296

SHA1
d1ed1e012b0bcb16ceceacac9b7f6f28f8db8ac9

SHA256
65dbaf45456a3d87e3ea00e8aaff49c25472b0bc27ff3b0b1db5d8c39147565b

SHA512
fe624bb86b61d39d460fcb97de6220907c938d468f7222e33b5ed9dac4d2243989c7c0592b37c64c1421096c322f34c8dc7106138bc195f8f23f1f3b50907bad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3313261.exe

Filesize
104KB

MD5
9e04361d8c1b97863f881b44d21556e8

SHA1
964e3f32eb4b05b0440a494dd7bad40149e1803c

SHA256
53dcdcfcd5b9789a7dc1513c2c7e0fc74546554374b79fd4cff902d7a0544157

SHA512
6a01e26c8f3a9820c79eaa4d1051f91458c517510f9e90c194732f58d0b33ed1c2cdcaaa854e93d2d7e57b2c460f5d3a98276284323b9205a86edc5444cb2a05

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3313261.exe

Filesize
104KB

MD5
9e04361d8c1b97863f881b44d21556e8

SHA1
964e3f32eb4b05b0440a494dd7bad40149e1803c

SHA256
53dcdcfcd5b9789a7dc1513c2c7e0fc74546554374b79fd4cff902d7a0544157

SHA512
6a01e26c8f3a9820c79eaa4d1051f91458c517510f9e90c194732f58d0b33ed1c2cdcaaa854e93d2d7e57b2c460f5d3a98276284323b9205a86edc5444cb2a05

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3313261.exe

Filesize
104KB

MD5
9e04361d8c1b97863f881b44d21556e8

SHA1
964e3f32eb4b05b0440a494dd7bad40149e1803c

SHA256
53dcdcfcd5b9789a7dc1513c2c7e0fc74546554374b79fd4cff902d7a0544157

SHA512
6a01e26c8f3a9820c79eaa4d1051f91458c517510f9e90c194732f58d0b33ed1c2cdcaaa854e93d2d7e57b2c460f5d3a98276284323b9205a86edc5444cb2a05

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5243723.exe

Filesize
266KB

MD5
1d04dcd5023a0641cdcc5d98523c59a8

SHA1
fa1050ab6a10ab231f07baae9e76a1372f8f6747

SHA256
c6951984d77b9bfd95a6b1453d14cbd05e0b897fe5eb260edf717684cacdd0ef

SHA512
536c21e666e2d4bd5e418d4873b01501828d92ba9c33a7ea2765453a5cd4c35fd1ec6dbc6ce2f9b370047d4178182eb3743102205fddec8d3fe11aafe2b36c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5243723.exe

Filesize
266KB

MD5
1d04dcd5023a0641cdcc5d98523c59a8

SHA1
fa1050ab6a10ab231f07baae9e76a1372f8f6747

SHA256
c6951984d77b9bfd95a6b1453d14cbd05e0b897fe5eb260edf717684cacdd0ef

SHA512
536c21e666e2d4bd5e418d4873b01501828d92ba9c33a7ea2765453a5cd4c35fd1ec6dbc6ce2f9b370047d4178182eb3743102205fddec8d3fe11aafe2b36c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5243723.exe

Filesize
266KB

MD5
1d04dcd5023a0641cdcc5d98523c59a8

SHA1
fa1050ab6a10ab231f07baae9e76a1372f8f6747

SHA256
c6951984d77b9bfd95a6b1453d14cbd05e0b897fe5eb260edf717684cacdd0ef

SHA512
536c21e666e2d4bd5e418d4873b01501828d92ba9c33a7ea2765453a5cd4c35fd1ec6dbc6ce2f9b370047d4178182eb3743102205fddec8d3fe11aafe2b36c48

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3709405.exe

Filesize
261KB

MD5
5c337651e659f0fdf6b2985370c10296

SHA1
d1ed1e012b0bcb16ceceacac9b7f6f28f8db8ac9

SHA256
65dbaf45456a3d87e3ea00e8aaff49c25472b0bc27ff3b0b1db5d8c39147565b

SHA512
fe624bb86b61d39d460fcb97de6220907c938d468f7222e33b5ed9dac4d2243989c7c0592b37c64c1421096c322f34c8dc7106138bc195f8f23f1f3b50907bad

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3709405.exe

Filesize
261KB

MD5
5c337651e659f0fdf6b2985370c10296

SHA1
d1ed1e012b0bcb16ceceacac9b7f6f28f8db8ac9

SHA256
65dbaf45456a3d87e3ea00e8aaff49c25472b0bc27ff3b0b1db5d8c39147565b

SHA512
fe624bb86b61d39d460fcb97de6220907c938d468f7222e33b5ed9dac4d2243989c7c0592b37c64c1421096c322f34c8dc7106138bc195f8f23f1f3b50907bad

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3313261.exe

Filesize
104KB

MD5
9e04361d8c1b97863f881b44d21556e8

SHA1
964e3f32eb4b05b0440a494dd7bad40149e1803c

SHA256
53dcdcfcd5b9789a7dc1513c2c7e0fc74546554374b79fd4cff902d7a0544157

SHA512
6a01e26c8f3a9820c79eaa4d1051f91458c517510f9e90c194732f58d0b33ed1c2cdcaaa854e93d2d7e57b2c460f5d3a98276284323b9205a86edc5444cb2a05

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3313261.exe

Filesize
104KB

MD5
9e04361d8c1b97863f881b44d21556e8

SHA1
964e3f32eb4b05b0440a494dd7bad40149e1803c

SHA256
53dcdcfcd5b9789a7dc1513c2c7e0fc74546554374b79fd4cff902d7a0544157

SHA512
6a01e26c8f3a9820c79eaa4d1051f91458c517510f9e90c194732f58d0b33ed1c2cdcaaa854e93d2d7e57b2c460f5d3a98276284323b9205a86edc5444cb2a05

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3313261.exe

Filesize
104KB

MD5
9e04361d8c1b97863f881b44d21556e8

SHA1
964e3f32eb4b05b0440a494dd7bad40149e1803c

SHA256
53dcdcfcd5b9789a7dc1513c2c7e0fc74546554374b79fd4cff902d7a0544157

SHA512
6a01e26c8f3a9820c79eaa4d1051f91458c517510f9e90c194732f58d0b33ed1c2cdcaaa854e93d2d7e57b2c460f5d3a98276284323b9205a86edc5444cb2a05

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5243723.exe

Filesize
266KB

MD5
1d04dcd5023a0641cdcc5d98523c59a8

SHA1
fa1050ab6a10ab231f07baae9e76a1372f8f6747

SHA256
c6951984d77b9bfd95a6b1453d14cbd05e0b897fe5eb260edf717684cacdd0ef

SHA512
536c21e666e2d4bd5e418d4873b01501828d92ba9c33a7ea2765453a5cd4c35fd1ec6dbc6ce2f9b370047d4178182eb3743102205fddec8d3fe11aafe2b36c48

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5243723.exe

Filesize
266KB

MD5
1d04dcd5023a0641cdcc5d98523c59a8

SHA1
fa1050ab6a10ab231f07baae9e76a1372f8f6747

SHA256
c6951984d77b9bfd95a6b1453d14cbd05e0b897fe5eb260edf717684cacdd0ef

SHA512
536c21e666e2d4bd5e418d4873b01501828d92ba9c33a7ea2765453a5cd4c35fd1ec6dbc6ce2f9b370047d4178182eb3743102205fddec8d3fe11aafe2b36c48

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5243723.exe

Filesize
266KB

MD5
1d04dcd5023a0641cdcc5d98523c59a8

SHA1
fa1050ab6a10ab231f07baae9e76a1372f8f6747

SHA256
c6951984d77b9bfd95a6b1453d14cbd05e0b897fe5eb260edf717684cacdd0ef

SHA512
536c21e666e2d4bd5e418d4873b01501828d92ba9c33a7ea2765453a5cd4c35fd1ec6dbc6ce2f9b370047d4178182eb3743102205fddec8d3fe11aafe2b36c48

Download Submit
memory/624-83-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download
memory/2228-97-0x00000000003D0000-0x0000000000400000-memory.dmp

Filesize
192KB

Download
memory/2228-101-0x0000000000B10000-0x0000000000B16000-memory.dmp

Filesize
24KB

Download
memory/2228-102-0x00000000048C0000-0x0000000004900000-memory.dmp

Filesize
256KB

Download
memory/2228-103-0x00000000048C0000-0x0000000004900000-memory.dmp

Filesize
256KB

Download
memory/2824-54-0x0000000000220000-0x0000000000294000-memory.dmp

Filesize
464KB

Download