healer | 7dd60db1b044fec2a7f11fbee2c3ebd03eff1a358644f596eda1c68a69356383

Analysis

max time kernel
141s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
15-07-2023 10:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7dd60db1b044fec2a7f11fbee2c3ebd03eff1a358644f596eda1c68a69356383.exe
Size

1.0MB
MD5

dac4b47f69fd3f210e73abb91d1df91c
SHA1

750f72d423b937ea10d539b76d84148f7ad74d95
SHA256

7dd60db1b044fec2a7f11fbee2c3ebd03eff1a358644f596eda1c68a69356383
SHA512

e51314a5fb3e3f573870fa6464f7365f6d5506f2fc0ceefe85a224822befeed9ad5742dead525bd26a6d8dc4c7dae1fa047f2716049f6978642afcd256cc79c8
SSDEEP

24576:Ay8zH9aAaeMFJb1P4hGhfBZULbkzAeKgNp6xRd:HiH9aA4LblOG/UFeBNgxR

Score

10^/10

healer redline masha dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

masha

77.91.68.48:19071

Attributes

auth_value
55b9b39a0dae383196a4b8d79e5bb805

Signatures

Detects Healer an antivirus disabler dropper 4 IoCs

resource	yara_rule
behavioral1/memory/3760-169-0x0000000000490000-0x00000000004CE000-memory.dmp	healer
behavioral1/files/0x000700000002321b-176.dat	healer
behavioral1/files/0x000700000002321b-177.dat	healer
behavioral1/memory/2100-178-0x0000000000970000-0x000000000097A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a2868225.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a2868225.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a2868225.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a2868225.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	b3400539.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	b3400539.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	b3400539.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a2868225.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a2868225.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	b3400539.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	b3400539.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	b3400539.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
4952	v4888122.exe
2952	v5936211.exe
2712	v6909287.exe
3760	a2868225.exe
2100	b3400539.exe
3864	c8272088.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a2868225.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a2868225.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	b3400539.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	7dd60db1b044fec2a7f11fbee2c3ebd03eff1a358644f596eda1c68a69356383.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7dd60db1b044fec2a7f11fbee2c3ebd03eff1a358644f596eda1c68a69356383.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v4888122.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v4888122.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v5936211.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v5936211.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v6909287.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v6909287.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3760	a2868225.exe
3760	a2868225.exe
2100	b3400539.exe
2100	b3400539.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3760	a2868225.exe
Token: SeDebugPrivilege	2100	b3400539.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4328 wrote to memory of 4952	4328	7dd60db1b044fec2a7f11fbee2c3ebd03eff1a358644f596eda1c68a69356383.exe	86
PID 4328 wrote to memory of 4952	4328	7dd60db1b044fec2a7f11fbee2c3ebd03eff1a358644f596eda1c68a69356383.exe	86
PID 4328 wrote to memory of 4952	4328	7dd60db1b044fec2a7f11fbee2c3ebd03eff1a358644f596eda1c68a69356383.exe	86
PID 4952 wrote to memory of 2952	4952	v4888122.exe	87
PID 4952 wrote to memory of 2952	4952	v4888122.exe	87
PID 4952 wrote to memory of 2952	4952	v4888122.exe	87
PID 2952 wrote to memory of 2712	2952	v5936211.exe	88
PID 2952 wrote to memory of 2712	2952	v5936211.exe	88
PID 2952 wrote to memory of 2712	2952	v5936211.exe	88
PID 2712 wrote to memory of 3760	2712	v6909287.exe	89
PID 2712 wrote to memory of 3760	2712	v6909287.exe	89
PID 2712 wrote to memory of 3760	2712	v6909287.exe	89
PID 2712 wrote to memory of 2100	2712	v6909287.exe	97
PID 2712 wrote to memory of 2100	2712	v6909287.exe	97
PID 2952 wrote to memory of 3864	2952	v5936211.exe	98
PID 2952 wrote to memory of 3864	2952	v5936211.exe	98
PID 2952 wrote to memory of 3864	2952	v5936211.exe	98

C:\Users\Admin\AppData\Local\Temp\7dd60db1b044fec2a7f11fbee2c3ebd03eff1a358644f596eda1c68a69356383.exe
"C:\Users\Admin\AppData\Local\Temp\7dd60db1b044fec2a7f11fbee2c3ebd03eff1a358644f596eda1c68a69356383.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4328
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4888122.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4888122.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4952
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5936211.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5936211.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6909287.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6909287.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2712
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2868225.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2868225.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3760
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3400539.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3400539.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8272088.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8272088.exe
      4⤵
      Executes dropped EXE
      PID:3864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4888122.exe

Filesize
906KB

MD5
88fb6d5375047a4fadc30e05c3f9601b

SHA1
cea8b8095acb25165fc0b5b0ab27acd39b401dcf

SHA256
35fea5e4395b6a83a5f12e29f416ccd055a7acd7d66856b889d999d4dd35f696

SHA512
de05795ce20182f73ab6bc03ac5776f5b35513e8c61e0dc1752b842f980491139fe8999785edd650d496fc50b7f76dcc5e6729d901a8ab6620e216f1c7499022

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4888122.exe

Filesize
906KB

MD5
88fb6d5375047a4fadc30e05c3f9601b

SHA1
cea8b8095acb25165fc0b5b0ab27acd39b401dcf

SHA256
35fea5e4395b6a83a5f12e29f416ccd055a7acd7d66856b889d999d4dd35f696

SHA512
de05795ce20182f73ab6bc03ac5776f5b35513e8c61e0dc1752b842f980491139fe8999785edd650d496fc50b7f76dcc5e6729d901a8ab6620e216f1c7499022

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5936211.exe

Filesize
722KB

MD5
17275fca2b7ed6caff751584b367136d

SHA1
05addcd2bff4629831a6e779c27c5d037ab17ff0

SHA256
007ec016e5d18adf924815116f28b3571455dc2102f0d52590188d7b5037b487

SHA512
cbd62fb69bce31c3e460de33455e65be0085cb2d663402309e85d9f97a170fa7c4ce34d1f124f8a70ad0339d195c3b2b6ff03e0120608ac70b665c94ffcf2c80

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5936211.exe

Filesize
722KB

MD5
17275fca2b7ed6caff751584b367136d

SHA1
05addcd2bff4629831a6e779c27c5d037ab17ff0

SHA256
007ec016e5d18adf924815116f28b3571455dc2102f0d52590188d7b5037b487

SHA512
cbd62fb69bce31c3e460de33455e65be0085cb2d663402309e85d9f97a170fa7c4ce34d1f124f8a70ad0339d195c3b2b6ff03e0120608ac70b665c94ffcf2c80

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8272088.exe

Filesize
494KB

MD5
a7b8f7db01120b1f978c730168c9fced

SHA1
01850e41f9c14622d1a8c13dc8502dbba8d8dcf7

SHA256
700a3f1fe8aab1e4c945b9cbcf20d240c7cc424dcf2a84f962f4b02ab18b438c

SHA512
a797db3e12e9729f171705dbc8aa8420d261eaba452adb50e691880dd7e8a368399df78c32458554b164239cc2949c5cf9f4c3c6a29a13b481d997099b04fd48

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8272088.exe

Filesize
494KB

MD5
a7b8f7db01120b1f978c730168c9fced

SHA1
01850e41f9c14622d1a8c13dc8502dbba8d8dcf7

SHA256
700a3f1fe8aab1e4c945b9cbcf20d240c7cc424dcf2a84f962f4b02ab18b438c

SHA512
a797db3e12e9729f171705dbc8aa8420d261eaba452adb50e691880dd7e8a368399df78c32458554b164239cc2949c5cf9f4c3c6a29a13b481d997099b04fd48

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6909287.exe

Filesize
322KB

MD5
f0b5627369d6a6f41217ca4d821d0086

SHA1
a6b86e4701787398e2ade51d57cb1a604487fc68

SHA256
43d544402becc4065aefdf50b19e1d1ce9b0742ab97e7832504a756b92a8ec4e

SHA512
dcd4bd38a6a18339cde7e021bbcc89f3e91adf20479c479fac22f118e7033246c3eef4c008701cd67793d047e9db886a6f5af195d581402f1c8f90ad811e2c66

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6909287.exe

Filesize
322KB

MD5
f0b5627369d6a6f41217ca4d821d0086

SHA1
a6b86e4701787398e2ade51d57cb1a604487fc68

SHA256
43d544402becc4065aefdf50b19e1d1ce9b0742ab97e7832504a756b92a8ec4e

SHA512
dcd4bd38a6a18339cde7e021bbcc89f3e91adf20479c479fac22f118e7033246c3eef4c008701cd67793d047e9db886a6f5af195d581402f1c8f90ad811e2c66

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2868225.exe

Filesize
291KB

MD5
e9d330ce8723ef9c3e925de534ef41ab

SHA1
42185099676575f3a35726d7a659b90823daaea6

SHA256
824d471052161282e9f6b36ecabdc2893d9e4dba619cc4008fc0499e2418f638

SHA512
22dc9462aab98beaf63ad62940fa3bde351f5719408029b0e9af2033c65e34d86c87357e522aa34147156f3bbd38e5d41823582157193b7dced1aeb23360d92e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2868225.exe

Filesize
291KB

MD5
e9d330ce8723ef9c3e925de534ef41ab

SHA1
42185099676575f3a35726d7a659b90823daaea6

SHA256
824d471052161282e9f6b36ecabdc2893d9e4dba619cc4008fc0499e2418f638

SHA512
22dc9462aab98beaf63ad62940fa3bde351f5719408029b0e9af2033c65e34d86c87357e522aa34147156f3bbd38e5d41823582157193b7dced1aeb23360d92e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3400539.exe

Filesize
11KB

MD5
256541c79ebd537a8cfc6f7787a03205

SHA1
5ce13e898d5fbdf25295c5f94e1a6197e7362030

SHA256
e585d958c3e06f068d612e8bee2618222fadd4da63a98d58869242c9e5faf0ff

SHA512
3267ef7a2598216f827c6f7f0e3da6ec8f99acddfd9a6cd711e8b8cbbe2ef19083fcf03da7619d780044a0cd6cc8a8bc668455fe799fba86fe942fe03e2eee83

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3400539.exe

Filesize
11KB

MD5
256541c79ebd537a8cfc6f7787a03205

SHA1
5ce13e898d5fbdf25295c5f94e1a6197e7362030

SHA256
e585d958c3e06f068d612e8bee2618222fadd4da63a98d58869242c9e5faf0ff

SHA512
3267ef7a2598216f827c6f7f0e3da6ec8f99acddfd9a6cd711e8b8cbbe2ef19083fcf03da7619d780044a0cd6cc8a8bc668455fe799fba86fe942fe03e2eee83

Download Submit
memory/2100-178-0x0000000000970000-0x000000000097A000-memory.dmp

Filesize
40KB

Download
memory/2100-179-0x00007FF8997B0000-0x00007FF89A271000-memory.dmp

Filesize
10.8MB

Download
memory/2100-181-0x00007FF8997B0000-0x00007FF89A271000-memory.dmp

Filesize
10.8MB

Download
memory/3760-171-0x0000000074AF0000-0x00000000752A0000-memory.dmp

Filesize
7.7MB

Download
memory/3760-174-0x0000000074AF0000-0x00000000752A0000-memory.dmp

Filesize
7.7MB

Download
memory/3760-170-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/3760-169-0x0000000000490000-0x00000000004CE000-memory.dmp

Filesize
248KB

Download
memory/3760-168-0x0000000074AF0000-0x00000000752A0000-memory.dmp

Filesize
7.7MB

Download
memory/3760-161-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3760-162-0x0000000000490000-0x00000000004CE000-memory.dmp

Filesize
248KB

Download
memory/3864-185-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3864-186-0x0000000002040000-0x00000000020CC000-memory.dmp

Filesize
560KB

Download
memory/3864-193-0x0000000074AF0000-0x00000000752A0000-memory.dmp

Filesize
7.7MB

Download
memory/3864-194-0x0000000002040000-0x00000000020CC000-memory.dmp

Filesize
560KB

Download
memory/3864-196-0x0000000006D10000-0x0000000007328000-memory.dmp

Filesize
6.1MB

Download
memory/3864-197-0x0000000007330000-0x000000000743A000-memory.dmp

Filesize
1.0MB

Download
memory/3864-199-0x0000000007440000-0x0000000007452000-memory.dmp

Filesize
72KB

Download
memory/3864-198-0x0000000006C00000-0x0000000006C10000-memory.dmp

Filesize
64KB

Download
memory/3864-200-0x0000000007460000-0x000000000749C000-memory.dmp

Filesize
240KB

Download
memory/3864-201-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3864-202-0x0000000074AF0000-0x00000000752A0000-memory.dmp

Filesize
7.7MB

Download
memory/3864-203-0x0000000006C00000-0x0000000006C10000-memory.dmp

Filesize
64KB

Download