healer | 7857f0959c0f78df83ac076cae897886bac1fabd9c46044542626ff2b00e7cfe

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
14-07-2023 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7857f0959c0f78df83ac076cae897886bac1fabd9c46044542626ff2b00e7cfe.exe
Size

1.0MB
MD5

f60dfbd37bcd440ad0b33f15664eee85
SHA1

ab5fbf13a9213a1a0ce31c9a91dfc26cb2e3bca5
SHA256

7857f0959c0f78df83ac076cae897886bac1fabd9c46044542626ff2b00e7cfe
SHA512

6bba64675cc5898f5e30371714778b1de08820f1dabb7543d51d98842f7bc1beca582d86686308f7eeeb811e3e7fae4c25c680195c5450f346ee3c6df9ba789e
SSDEEP

24576:pyKp3RGlogqAPs1zZ5aUrf+qR+6VhtYg/4rUoXOx1Ybk:cKhR5gqAPs5XRtVDYgUU49

Score

10^/10

healer redline masha dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

masha

77.91.68.48:19071

Attributes

auth_value
55b9b39a0dae383196a4b8d79e5bb805

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/memory/3792-154-0x0000000000400000-0x000000000041B000-memory.dmp	healer
behavioral1/memory/3792-155-0x0000000000540000-0x000000000054A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k5826852.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k5826852.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k5826852.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k5826852.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k5826852.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k5826852.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
3648	y0333220.exe
1980	y9686830.exe
3792	k5826852.exe
1468	l3268212.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k5826852.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k5826852.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y0333220.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y0333220.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y9686830.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y9686830.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	7857f0959c0f78df83ac076cae897886bac1fabd9c46044542626ff2b00e7cfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7857f0959c0f78df83ac076cae897886bac1fabd9c46044542626ff2b00e7cfe.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3792	k5826852.exe
3792	k5826852.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3792	k5826852.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 3648	1840	7857f0959c0f78df83ac076cae897886bac1fabd9c46044542626ff2b00e7cfe.exe	86
PID 1840 wrote to memory of 3648	1840	7857f0959c0f78df83ac076cae897886bac1fabd9c46044542626ff2b00e7cfe.exe	86
PID 1840 wrote to memory of 3648	1840	7857f0959c0f78df83ac076cae897886bac1fabd9c46044542626ff2b00e7cfe.exe	86
PID 3648 wrote to memory of 1980	3648	y0333220.exe	87
PID 3648 wrote to memory of 1980	3648	y0333220.exe	87
PID 3648 wrote to memory of 1980	3648	y0333220.exe	87
PID 1980 wrote to memory of 3792	1980	y9686830.exe	88
PID 1980 wrote to memory of 3792	1980	y9686830.exe	88
PID 1980 wrote to memory of 3792	1980	y9686830.exe	88
PID 1980 wrote to memory of 1468	1980	y9686830.exe	94
PID 1980 wrote to memory of 1468	1980	y9686830.exe	94
PID 1980 wrote to memory of 1468	1980	y9686830.exe	94

C:\Users\Admin\AppData\Local\Temp\7857f0959c0f78df83ac076cae897886bac1fabd9c46044542626ff2b00e7cfe.exe
"C:\Users\Admin\AppData\Local\Temp\7857f0959c0f78df83ac076cae897886bac1fabd9c46044542626ff2b00e7cfe.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0333220.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0333220.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3648
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9686830.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9686830.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1980
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5826852.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5826852.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3792
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3268212.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3268212.exe
      4⤵
      Executes dropped EXE
      PID:1468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0333220.exe

Filesize
883KB

MD5
d928e634d18bc30b16cc17e3e6db7a79

SHA1
181a797363fa7d733d1878286438e47d7c16c4e2

SHA256
f2ad86abadd64bcd922b122ff172eee0fc56fd22786210e75de661b3eacac59c

SHA512
2c940170651e6a2e7774d7183b9022c375c50f8a1be3ce8d43616e6151ac395da9946ccfd26b3754c6c1676145f39eed552de35b7a577213575ae8549f85e6f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0333220.exe

Filesize
883KB

MD5
d928e634d18bc30b16cc17e3e6db7a79

SHA1
181a797363fa7d733d1878286438e47d7c16c4e2

SHA256
f2ad86abadd64bcd922b122ff172eee0fc56fd22786210e75de661b3eacac59c

SHA512
2c940170651e6a2e7774d7183b9022c375c50f8a1be3ce8d43616e6151ac395da9946ccfd26b3754c6c1676145f39eed552de35b7a577213575ae8549f85e6f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9686830.exe

Filesize
700KB

MD5
c1495a3d15720658ff2a1bbd2b6ef3bc

SHA1
85f3b2f6cb00b98537a40ae20d9512be8d185ef6

SHA256
b2e7de5c35faa37bdb1e17ffc207716d296b46a1d8b9fa2c82e120afef2a23bd

SHA512
9cb57c3c562271de9de7f5349a8a5681d66eb114666c1d847d1bb4e37cf550123b293ed49493e1fd8cc40b52449fd5a1a51ad2c981d273aa62f2d9e4d8afadd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9686830.exe

Filesize
700KB

MD5
c1495a3d15720658ff2a1bbd2b6ef3bc

SHA1
85f3b2f6cb00b98537a40ae20d9512be8d185ef6

SHA256
b2e7de5c35faa37bdb1e17ffc207716d296b46a1d8b9fa2c82e120afef2a23bd

SHA512
9cb57c3c562271de9de7f5349a8a5681d66eb114666c1d847d1bb4e37cf550123b293ed49493e1fd8cc40b52449fd5a1a51ad2c981d273aa62f2d9e4d8afadd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5826852.exe

Filesize
568KB

MD5
e955e7261b8bbf3e4b3be283ea17c519

SHA1
9c48bb2fd485aeaddfc5d2ac93e2ab94f3e7c265

SHA256
34d4828be79432d056f54db0fbfba3bab112dc4a17b165b3dd27a935ad0102ea

SHA512
062dba9408b133a19ad086c6367fd8e76ef7f355cb8929392325abd1a6e07bd0f8af51ae6df11cd861acc5db8fa9813639ae1dea0b7f09df81158fd0b386e513

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5826852.exe

Filesize
568KB

MD5
e955e7261b8bbf3e4b3be283ea17c519

SHA1
9c48bb2fd485aeaddfc5d2ac93e2ab94f3e7c265

SHA256
34d4828be79432d056f54db0fbfba3bab112dc4a17b165b3dd27a935ad0102ea

SHA512
062dba9408b133a19ad086c6367fd8e76ef7f355cb8929392325abd1a6e07bd0f8af51ae6df11cd861acc5db8fa9813639ae1dea0b7f09df81158fd0b386e513

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3268212.exe

Filesize
729KB

MD5
6440ac28470ce6a9375cc6400a922558

SHA1
aa57bdfcf03dceec9eb528675d6e2ad2aa9d74ed

SHA256
6777f02db26536f7a1144319a29d7865be76461b15d0b4ff258cf6f982bf2085

SHA512
64b730e4f9226cb8fd498d6cc870e5d7cf74ee671a0b30d3bfed593a915abc8e238e674141671da0932eced5695caf07814c3562fd0b0d0195b8ec9bb46636a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3268212.exe

Filesize
729KB

MD5
6440ac28470ce6a9375cc6400a922558

SHA1
aa57bdfcf03dceec9eb528675d6e2ad2aa9d74ed

SHA256
6777f02db26536f7a1144319a29d7865be76461b15d0b4ff258cf6f982bf2085

SHA512
64b730e4f9226cb8fd498d6cc870e5d7cf74ee671a0b30d3bfed593a915abc8e238e674141671da0932eced5695caf07814c3562fd0b0d0195b8ec9bb46636a5

Download Submit
memory/1468-175-0x0000000004C10000-0x0000000004D1A000-memory.dmp

Filesize
1.0MB

Download
memory/1468-173-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/1468-180-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/1468-179-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/1468-168-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1468-167-0x0000000000560000-0x0000000000590000-memory.dmp

Filesize
192KB

Download
memory/1468-178-0x0000000004D60000-0x0000000004D9C000-memory.dmp

Filesize
240KB

Download
memory/1468-177-0x0000000004D40000-0x0000000004D52000-memory.dmp

Filesize
72KB

Download
memory/1468-174-0x0000000005230000-0x0000000005848000-memory.dmp

Filesize
6.1MB

Download
memory/1468-176-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/3792-154-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3792-163-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/3792-155-0x0000000000540000-0x000000000054A000-memory.dmp

Filesize
40KB

Download
memory/3792-159-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/3792-160-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download