healer | 17f6f5edd88d09d660bf48a9a49ee87c9b3a45c8191080ee7c829eb48033728f

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
14/07/2023, 11:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17f6f5edd88d09d660bf48a9a49ee87c9b3a45c8191080ee7c829eb48033728f.exe
Size

922KB
MD5

a5c90f7cc3d9ba721d7ae9682c56c77f
SHA1

c73e943046361ae8e4ce7d5db8df7f526861a311
SHA256

17f6f5edd88d09d660bf48a9a49ee87c9b3a45c8191080ee7c829eb48033728f
SHA512

2499b2e3c740fa18fb33888649df7eb82f49a4595f5df66ab1c253403cdd4e1f7f914c773ce3978a5cd7d49a0ec3682375a935e6910286d0414d925803072146
SSDEEP

24576:byN9xpWQtVavlXqEt4FSNds3+NDUXsnPEI5R7iiDRkT/:ON56vlaEtLTK+V7PEI5R7iiDy

Score

10^/10

healer redline masha dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

masha

77.91.68.48:19071

Attributes

auth_value
55b9b39a0dae383196a4b8d79e5bb805

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral1/memory/4352-162-0x0000000000590000-0x00000000005CE000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k0223437.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k0223437.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k0223437.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k0223437.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k0223437.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k0223437.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
912	y1463303.exe
1328	y5008690.exe
4352	k0223437.exe
936	l9460393.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k0223437.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k0223437.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y5008690.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y5008690.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	17f6f5edd88d09d660bf48a9a49ee87c9b3a45c8191080ee7c829eb48033728f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	17f6f5edd88d09d660bf48a9a49ee87c9b3a45c8191080ee7c829eb48033728f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y1463303.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y1463303.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4352	k0223437.exe
4352	k0223437.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4352	k0223437.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4960 wrote to memory of 912	4960	17f6f5edd88d09d660bf48a9a49ee87c9b3a45c8191080ee7c829eb48033728f.exe	85
PID 4960 wrote to memory of 912	4960	17f6f5edd88d09d660bf48a9a49ee87c9b3a45c8191080ee7c829eb48033728f.exe	85
PID 4960 wrote to memory of 912	4960	17f6f5edd88d09d660bf48a9a49ee87c9b3a45c8191080ee7c829eb48033728f.exe	85
PID 912 wrote to memory of 1328	912	y1463303.exe	86
PID 912 wrote to memory of 1328	912	y1463303.exe	86
PID 912 wrote to memory of 1328	912	y1463303.exe	86
PID 1328 wrote to memory of 4352	1328	y5008690.exe	87
PID 1328 wrote to memory of 4352	1328	y5008690.exe	87
PID 1328 wrote to memory of 4352	1328	y5008690.exe	87
PID 1328 wrote to memory of 936	1328	y5008690.exe	96
PID 1328 wrote to memory of 936	1328	y5008690.exe	96
PID 1328 wrote to memory of 936	1328	y5008690.exe	96

C:\Users\Admin\AppData\Local\Temp\17f6f5edd88d09d660bf48a9a49ee87c9b3a45c8191080ee7c829eb48033728f.exe
"C:\Users\Admin\AppData\Local\Temp\17f6f5edd88d09d660bf48a9a49ee87c9b3a45c8191080ee7c829eb48033728f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1463303.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1463303.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:912
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5008690.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5008690.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1328
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0223437.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0223437.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4352
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9460393.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9460393.exe
      4⤵
      Executes dropped EXE
      PID:936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1463303.exe

Filesize
767KB

MD5
591657eac5b8267c97397fe8122e9c36

SHA1
efce7d10d08254715f103c9e418c8e22f003a6b2

SHA256
c7ab6fe36797dcbbc68fff8945c57958619e8ddce505f755fe03f651e67a01f5

SHA512
55acf5ee2056dd5b3936badfc5b4a6378d8dc6baddd4d4f38dcca6910e15bae84c659da3fda1a1c0b14bf0f1a07baf3c76a1bcebb15e59034611f8ffeca65684

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1463303.exe

Filesize
767KB

MD5
591657eac5b8267c97397fe8122e9c36

SHA1
efce7d10d08254715f103c9e418c8e22f003a6b2

SHA256
c7ab6fe36797dcbbc68fff8945c57958619e8ddce505f755fe03f651e67a01f5

SHA512
55acf5ee2056dd5b3936badfc5b4a6378d8dc6baddd4d4f38dcca6910e15bae84c659da3fda1a1c0b14bf0f1a07baf3c76a1bcebb15e59034611f8ffeca65684

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5008690.exe

Filesize
583KB

MD5
a2616ee743d6b73c196fa16a16b9baec

SHA1
e0df040e83077580512ce9e32fa1ebb3197b9cb4

SHA256
92c551e3112b0775c8a0701f999429227a9789262abf2c0a0d25c078443767e5

SHA512
400d4aaa47a8ca4ea51834ed0ce65219e86832973fb3ebb91386553d791a4b5f052a1f1ff573d17cd93f8d71c9ae16d0668de138e7d3915769ab1c97acf1312d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5008690.exe

Filesize
583KB

MD5
a2616ee743d6b73c196fa16a16b9baec

SHA1
e0df040e83077580512ce9e32fa1ebb3197b9cb4

SHA256
92c551e3112b0775c8a0701f999429227a9789262abf2c0a0d25c078443767e5

SHA512
400d4aaa47a8ca4ea51834ed0ce65219e86832973fb3ebb91386553d791a4b5f052a1f1ff573d17cd93f8d71c9ae16d0668de138e7d3915769ab1c97acf1312d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0223437.exe

Filesize
295KB

MD5
4af56ef41f14b9ed23fa657d00388303

SHA1
eca7bf86c486425fd0e50434ce2496657b622788

SHA256
f60e0c8a536d07143c7ddc30156081a3e1da0600bc7a760b40a468b992628205

SHA512
fcdaf0484255e31b532046a3185fe7ff10ba14efeed6e5419b2f7256aff840b87ac9af110e19b00f7fb6be86fe744d2025e1fa31998431722412275c922ed5e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0223437.exe

Filesize
295KB

MD5
4af56ef41f14b9ed23fa657d00388303

SHA1
eca7bf86c486425fd0e50434ce2496657b622788

SHA256
f60e0c8a536d07143c7ddc30156081a3e1da0600bc7a760b40a468b992628205

SHA512
fcdaf0484255e31b532046a3185fe7ff10ba14efeed6e5419b2f7256aff840b87ac9af110e19b00f7fb6be86fe744d2025e1fa31998431722412275c922ed5e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9460393.exe

Filesize
493KB

MD5
da2420d60e5c2ae7273a6f3f2815f97c

SHA1
af393a7d0493d084192f508bd5aef5de155b6ca8

SHA256
9d53d5950ee6eb470506c8bb69d98e3bd8e0cb97b9c1672a2b51e83901824286

SHA512
ad4cb9020bdb27d4b541e0f6cb2dfe8eab96680a7891d2c6c86249c9b53324b576c8b39a5575a2556a63f3731201815283ca26ccbae40e73b1a29f5a24bdc119

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9460393.exe

Filesize
493KB

MD5
da2420d60e5c2ae7273a6f3f2815f97c

SHA1
af393a7d0493d084192f508bd5aef5de155b6ca8

SHA256
9d53d5950ee6eb470506c8bb69d98e3bd8e0cb97b9c1672a2b51e83901824286

SHA512
ad4cb9020bdb27d4b541e0f6cb2dfe8eab96680a7891d2c6c86249c9b53324b576c8b39a5575a2556a63f3731201815283ca26ccbae40e73b1a29f5a24bdc119

Download Submit
memory/936-183-0x0000000008660000-0x0000000008C78000-memory.dmp

Filesize
6.1MB

Download
memory/936-184-0x00000000080A0000-0x00000000081AA000-memory.dmp

Filesize
1.0MB

Download
memory/936-190-0x0000000006BB0000-0x0000000006BC0000-memory.dmp

Filesize
64KB

Download
memory/936-189-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/936-188-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/936-187-0x00000000081F0000-0x000000000822C000-memory.dmp

Filesize
240KB

Download
memory/936-186-0x00000000081D0000-0x00000000081E2000-memory.dmp

Filesize
72KB

Download
memory/936-172-0x00000000005F0000-0x000000000067C000-memory.dmp

Filesize
560KB

Download
memory/936-173-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/936-185-0x0000000006BB0000-0x0000000006BC0000-memory.dmp

Filesize
64KB

Download
memory/936-180-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/936-181-0x00000000005F0000-0x000000000067C000-memory.dmp

Filesize
560KB

Download
memory/4352-162-0x0000000000590000-0x00000000005CE000-memory.dmp

Filesize
248KB

Download
memory/4352-154-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4352-155-0x0000000000590000-0x00000000005CE000-memory.dmp

Filesize
248KB

Download
memory/4352-161-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/4352-163-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/4352-168-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/4352-165-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/4352-164-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download