healer | 86251e324df4d4ace593e6db620a1087f06d90c6cc9544acfd8288d3caaa5da6

Analysis

max time kernel
146s
max time network
152s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
15/07/2023, 06:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

86251e324df4d4ace593e6db620a1087f06d90c6cc9544acfd8288d3caaa5da6.exe
Size

923KB
MD5

1112a012bb443fcab85189ecb2522ece
SHA1

2db270fbce2f6e90a49ab3c9598de9688e07ac52
SHA256

86251e324df4d4ace593e6db620a1087f06d90c6cc9544acfd8288d3caaa5da6
SHA512

d4a18fa2e6522a935e18f5b834bca7421146160600fb2fc626a7ff62de1993ea628ab9b333ede1a07dce6c4d45711e42306265394e76beb22d6db43a39d5e4c3
SSDEEP

24576:5yJ/hHEXJ4YVCt36QlFDW7uokv3o8sA+Nljt:sJ5HEZ4/u7uoaB+Nlj

Score

10^/10

healer redline masha dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

masha

77.91.68.48:19071

Attributes

auth_value
55b9b39a0dae383196a4b8d79e5bb805

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral1/memory/168-146-0x00000000005C0000-0x00000000005FE000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k7433252.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k7433252.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k7433252.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k7433252.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k7433252.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
4284	y8552537.exe
3268	y1884165.exe
168	k7433252.exe
2396	l4642278.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k7433252.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k7433252.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	86251e324df4d4ace593e6db620a1087f06d90c6cc9544acfd8288d3caaa5da6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y8552537.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y8552537.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y1884165.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y1884165.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	86251e324df4d4ace593e6db620a1087f06d90c6cc9544acfd8288d3caaa5da6.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
168	k7433252.exe
168	k7433252.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	168	k7433252.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4400 wrote to memory of 4284	4400	86251e324df4d4ace593e6db620a1087f06d90c6cc9544acfd8288d3caaa5da6.exe	69
PID 4400 wrote to memory of 4284	4400	86251e324df4d4ace593e6db620a1087f06d90c6cc9544acfd8288d3caaa5da6.exe	69
PID 4400 wrote to memory of 4284	4400	86251e324df4d4ace593e6db620a1087f06d90c6cc9544acfd8288d3caaa5da6.exe	69
PID 4284 wrote to memory of 3268	4284	y8552537.exe	70
PID 4284 wrote to memory of 3268	4284	y8552537.exe	70
PID 4284 wrote to memory of 3268	4284	y8552537.exe	70
PID 3268 wrote to memory of 168	3268	y1884165.exe	71
PID 3268 wrote to memory of 168	3268	y1884165.exe	71
PID 3268 wrote to memory of 168	3268	y1884165.exe	71
PID 3268 wrote to memory of 2396	3268	y1884165.exe	73
PID 3268 wrote to memory of 2396	3268	y1884165.exe	73
PID 3268 wrote to memory of 2396	3268	y1884165.exe	73

C:\Users\Admin\AppData\Local\Temp\86251e324df4d4ace593e6db620a1087f06d90c6cc9544acfd8288d3caaa5da6.exe
"C:\Users\Admin\AppData\Local\Temp\86251e324df4d4ace593e6db620a1087f06d90c6cc9544acfd8288d3caaa5da6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4400
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8552537.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8552537.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4284
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1884165.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1884165.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3268
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k7433252.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k7433252.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:168
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4642278.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4642278.exe
      4⤵
      Executes dropped EXE
      PID:2396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log

Filesize
226B

MD5
957779c42144282d8cd83192b8fbc7cf

SHA1
de83d08d2cca06b9ff3d1ef239d6b60b705d25fe

SHA256
0d7ca7ba65e2b465e4878e324ceab8f8981f5ec06dcf5bc32559a4467a9c7d51

SHA512
f1549c61b4f2906d13b2aabb74772c2bc826cd42373d7bb6c48cbb125d5aa2ec17617e6b5e67e8aae3bb5790cc831cdba48a45008ed01df4fba8be448cce39fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8552537.exe

Filesize
768KB

MD5
3172b890b678cedf7683a922f9dfc02b

SHA1
03c30f6d32ebe7f256854265b7bb4d4c505e2586

SHA256
f71c66d8644bb2bab3d8c47fd84fe617d545675e95fa31475d28ffc552e85c37

SHA512
44127e7af5983b465610394eb9e7a27d16e5cd5ba67a15b4299309c1c9145f05def82ad33d89674bdc53d9ccd2b54b54dad1f1dffa57b71a8368d65ca887f9bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8552537.exe

Filesize
768KB

MD5
3172b890b678cedf7683a922f9dfc02b

SHA1
03c30f6d32ebe7f256854265b7bb4d4c505e2586

SHA256
f71c66d8644bb2bab3d8c47fd84fe617d545675e95fa31475d28ffc552e85c37

SHA512
44127e7af5983b465610394eb9e7a27d16e5cd5ba67a15b4299309c1c9145f05def82ad33d89674bdc53d9ccd2b54b54dad1f1dffa57b71a8368d65ca887f9bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1884165.exe

Filesize
584KB

MD5
ad39a49d27d2dfae83565a2f1e2d5c1a

SHA1
c3f6b114ee1d418aac405bbc80698e52dadd47d0

SHA256
7a081739628ce42b4683ae41b173ae521993aa5dad5feae35c4ca152ec2a3560

SHA512
411127ad26ed966087b5b3779bf62dd524337574ae04369a41fe9b3cef1393070adad7a81b0d0cf532bf5e8df3d91fab7830fe5783ce5e3db4d532e7352c169a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1884165.exe

Filesize
584KB

MD5
ad39a49d27d2dfae83565a2f1e2d5c1a

SHA1
c3f6b114ee1d418aac405bbc80698e52dadd47d0

SHA256
7a081739628ce42b4683ae41b173ae521993aa5dad5feae35c4ca152ec2a3560

SHA512
411127ad26ed966087b5b3779bf62dd524337574ae04369a41fe9b3cef1393070adad7a81b0d0cf532bf5e8df3d91fab7830fe5783ce5e3db4d532e7352c169a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k7433252.exe

Filesize
295KB

MD5
93d571332d9d09a781c604fda02b020e

SHA1
2c8ac8a2b33eed8559849488617e781cf997d2a2

SHA256
e2e3f79503a7a89b5ff7217f2e596281f2177cf9581ec5833c3f4beab5b42eeb

SHA512
9b30e269f5a6c5df33be8619651e33c164daea2a3175fddd4fda444407da24e9eda3ea349535109b2631f2fc5684c12e4cccc68d650ea5e05b55a7721c9df823

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k7433252.exe

Filesize
295KB

MD5
93d571332d9d09a781c604fda02b020e

SHA1
2c8ac8a2b33eed8559849488617e781cf997d2a2

SHA256
e2e3f79503a7a89b5ff7217f2e596281f2177cf9581ec5833c3f4beab5b42eeb

SHA512
9b30e269f5a6c5df33be8619651e33c164daea2a3175fddd4fda444407da24e9eda3ea349535109b2631f2fc5684c12e4cccc68d650ea5e05b55a7721c9df823

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4642278.exe

Filesize
492KB

MD5
0c72681fff16eb9f1d7489d38ad3e04c

SHA1
cf9f75c6b4012286a1466679ac002f7b24654cbc

SHA256
fef1d3542ae95c98bd077e5429df0cb6eee059109b73a0a2034eb06830fac796

SHA512
a31348a2ad8e661ba799d651f7e7199af13139038f3220b3b694300a1dd4f829077024562c9f100fc1012196ff721111043ed516242bfa22d06216b2d939acf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4642278.exe

Filesize
492KB

MD5
0c72681fff16eb9f1d7489d38ad3e04c

SHA1
cf9f75c6b4012286a1466679ac002f7b24654cbc

SHA256
fef1d3542ae95c98bd077e5429df0cb6eee059109b73a0a2034eb06830fac796

SHA512
a31348a2ad8e661ba799d651f7e7199af13139038f3220b3b694300a1dd4f829077024562c9f100fc1012196ff721111043ed516242bfa22d06216b2d939acf4

Download Submit
memory/168-139-0x00000000005C0000-0x00000000005FE000-memory.dmp

Filesize
248KB

Download
memory/168-138-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/168-148-0x0000000072C30000-0x000000007331E000-memory.dmp

Filesize
6.9MB

Download
memory/168-151-0x0000000072C30000-0x000000007331E000-memory.dmp

Filesize
6.9MB

Download
memory/168-146-0x00000000005C0000-0x00000000005FE000-memory.dmp

Filesize
248KB

Download
memory/168-145-0x0000000072C30000-0x000000007331E000-memory.dmp

Filesize
6.9MB

Download
memory/168-147-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/2396-163-0x0000000072C30000-0x000000007331E000-memory.dmp

Filesize
6.9MB

Download
memory/2396-156-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2396-155-0x0000000000590000-0x000000000061C000-memory.dmp

Filesize
560KB

Download
memory/2396-164-0x0000000000590000-0x000000000061C000-memory.dmp

Filesize
560KB

Download
memory/2396-166-0x00000000043B0000-0x00000000043B6000-memory.dmp

Filesize
24KB

Download
memory/2396-167-0x0000000006C60000-0x0000000007266000-memory.dmp

Filesize
6.0MB

Download
memory/2396-168-0x0000000007290000-0x000000000739A000-memory.dmp

Filesize
1.0MB

Download
memory/2396-169-0x00000000073C0000-0x00000000073D2000-memory.dmp

Filesize
72KB

Download
memory/2396-170-0x00000000073E0000-0x000000000741E000-memory.dmp

Filesize
248KB

Download
memory/2396-171-0x0000000007450000-0x000000000749B000-memory.dmp

Filesize
300KB

Download
memory/2396-172-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2396-173-0x0000000072C30000-0x000000007331E000-memory.dmp

Filesize
6.9MB

Download