healer | c3b477707f7f72c4d00ae1a27a116b67737b686c7d3cdb5f853589e7deebf75c

Analysis

max time kernel
146s
max time network
152s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
16/07/2023, 07:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

15710c203f130f4a93b60acb6f086cad.exe
Size

919KB
MD5

15710c203f130f4a93b60acb6f086cad
SHA1

0f5b53544cbb5983dc7e6767d1c2685c88196983
SHA256

c3b477707f7f72c4d00ae1a27a116b67737b686c7d3cdb5f853589e7deebf75c
SHA512

65b0bd28f1f148eb4df1031336275ddcf77a80e2620304bf2e67152b36caec720eae074d33718c7b7b5768446f2e8986a54dd6b0f9e14afa7d6091126d1a164a
SSDEEP

24576:nytJ32CAhkwuPIgEVUTsbhdfJzqOqai74Hb:yr32xexnAv1Ti

Score

10^/10

healer redline lamp dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

lamp

77.91.68.56:19071

Attributes

auth_value
ee1df63bcdbe3de70f52810d94eaff7d

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral1/memory/2952-94-0x0000000000280000-0x00000000002BE000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k2395154.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k2395154.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k2395154.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k2395154.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k2395154.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k2395154.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
2540	y1084034.exe
3000	y7744913.exe
2952	k2395154.exe
1956	l3010697.exe

Loads dropped DLL 10 IoCs

pid	Process
2332	15710c203f130f4a93b60acb6f086cad.exe
2540	y1084034.exe
2540	y1084034.exe
3000	y7744913.exe
3000	y7744913.exe
3000	y7744913.exe
2952	k2395154.exe
3000	y7744913.exe
3000	y7744913.exe
1956	l3010697.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	k2395154.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k2395154.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y1084034.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y1084034.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y7744913.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y7744913.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	15710c203f130f4a93b60acb6f086cad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	15710c203f130f4a93b60acb6f086cad.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2952	k2395154.exe
2952	k2395154.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2952	k2395154.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2540	2332	15710c203f130f4a93b60acb6f086cad.exe	28
PID 2332 wrote to memory of 2540	2332	15710c203f130f4a93b60acb6f086cad.exe	28
PID 2332 wrote to memory of 2540	2332	15710c203f130f4a93b60acb6f086cad.exe	28
PID 2332 wrote to memory of 2540	2332	15710c203f130f4a93b60acb6f086cad.exe	28
PID 2332 wrote to memory of 2540	2332	15710c203f130f4a93b60acb6f086cad.exe	28
PID 2332 wrote to memory of 2540	2332	15710c203f130f4a93b60acb6f086cad.exe	28
PID 2332 wrote to memory of 2540	2332	15710c203f130f4a93b60acb6f086cad.exe	28
PID 2540 wrote to memory of 3000	2540	y1084034.exe	29
PID 2540 wrote to memory of 3000	2540	y1084034.exe	29
PID 2540 wrote to memory of 3000	2540	y1084034.exe	29
PID 2540 wrote to memory of 3000	2540	y1084034.exe	29
PID 2540 wrote to memory of 3000	2540	y1084034.exe	29
PID 2540 wrote to memory of 3000	2540	y1084034.exe	29
PID 2540 wrote to memory of 3000	2540	y1084034.exe	29
PID 3000 wrote to memory of 2952	3000	y7744913.exe	30
PID 3000 wrote to memory of 2952	3000	y7744913.exe	30
PID 3000 wrote to memory of 2952	3000	y7744913.exe	30
PID 3000 wrote to memory of 2952	3000	y7744913.exe	30
PID 3000 wrote to memory of 2952	3000	y7744913.exe	30
PID 3000 wrote to memory of 2952	3000	y7744913.exe	30
PID 3000 wrote to memory of 2952	3000	y7744913.exe	30
PID 3000 wrote to memory of 1956	3000	y7744913.exe	32
PID 3000 wrote to memory of 1956	3000	y7744913.exe	32
PID 3000 wrote to memory of 1956	3000	y7744913.exe	32
PID 3000 wrote to memory of 1956	3000	y7744913.exe	32
PID 3000 wrote to memory of 1956	3000	y7744913.exe	32
PID 3000 wrote to memory of 1956	3000	y7744913.exe	32
PID 3000 wrote to memory of 1956	3000	y7744913.exe	32

C:\Users\Admin\AppData\Local\Temp\15710c203f130f4a93b60acb6f086cad.exe
"C:\Users\Admin\AppData\Local\Temp\15710c203f130f4a93b60acb6f086cad.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1084034.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1084034.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7744913.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7744913.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2395154.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2395154.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Loads dropped DLL
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2952
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3010697.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3010697.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1084034.exe

Filesize
764KB

MD5
31694c9957cb39c7bddf4e7061453171

SHA1
44ecaee95fc1db0c15b2a13506079456eabc6da2

SHA256
da490e125508e80c40818dae6ac540467eac6a42e3f1ac89ac0e822f049b2dcb

SHA512
b3e817e0aa0a15611184996d11ee178f74eaf7aeb6f0d3c84b6099f58d40456c6b99e39ff6d9f884a4d219fcb436c6ae1a834ce34b71d6ae20c45297facea818

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1084034.exe

Filesize
764KB

MD5
31694c9957cb39c7bddf4e7061453171

SHA1
44ecaee95fc1db0c15b2a13506079456eabc6da2

SHA256
da490e125508e80c40818dae6ac540467eac6a42e3f1ac89ac0e822f049b2dcb

SHA512
b3e817e0aa0a15611184996d11ee178f74eaf7aeb6f0d3c84b6099f58d40456c6b99e39ff6d9f884a4d219fcb436c6ae1a834ce34b71d6ae20c45297facea818

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7744913.exe

Filesize
580KB

MD5
a6efc9ddfe3fa7231aa75dde4b62235e

SHA1
f1bbff60f10a12890258a8282a0589289fdf8b0d

SHA256
89e1873906960a4d76729d7e6a90b36a5349fb7caad6cb7278023f4cd0e77dc2

SHA512
0ed350cedd3e10b8d5053cb21c6d6ade57e0090f1643fb65ab2f5c661506187587bcb7a4c6c472dad57625784e5487a94d7f77906905afdd28c11f5fcacc6764

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7744913.exe

Filesize
580KB

MD5
a6efc9ddfe3fa7231aa75dde4b62235e

SHA1
f1bbff60f10a12890258a8282a0589289fdf8b0d

SHA256
89e1873906960a4d76729d7e6a90b36a5349fb7caad6cb7278023f4cd0e77dc2

SHA512
0ed350cedd3e10b8d5053cb21c6d6ade57e0090f1643fb65ab2f5c661506187587bcb7a4c6c472dad57625784e5487a94d7f77906905afdd28c11f5fcacc6764

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2395154.exe

Filesize
295KB

MD5
b182bd82d257cbad31f3174b8d656606

SHA1
71fa6e0db8da1b6fc62fdd7565cd705b5dce9990

SHA256
519c4d6a87809567c9ae3829952dec10a6ebefb7780c07b97dea17076468c53b

SHA512
8102f2f855da51e4b388f0f19eab6e4d181bb610234c6552e77fd0f6c2ac17c90eeb9d1acd0610c930c5df428197b50307cc29fbbb122f555da91ee8ecf8c890

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2395154.exe

Filesize
295KB

MD5
b182bd82d257cbad31f3174b8d656606

SHA1
71fa6e0db8da1b6fc62fdd7565cd705b5dce9990

SHA256
519c4d6a87809567c9ae3829952dec10a6ebefb7780c07b97dea17076468c53b

SHA512
8102f2f855da51e4b388f0f19eab6e4d181bb610234c6552e77fd0f6c2ac17c90eeb9d1acd0610c930c5df428197b50307cc29fbbb122f555da91ee8ecf8c890

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2395154.exe

Filesize
295KB

MD5
b182bd82d257cbad31f3174b8d656606

SHA1
71fa6e0db8da1b6fc62fdd7565cd705b5dce9990

SHA256
519c4d6a87809567c9ae3829952dec10a6ebefb7780c07b97dea17076468c53b

SHA512
8102f2f855da51e4b388f0f19eab6e4d181bb610234c6552e77fd0f6c2ac17c90eeb9d1acd0610c930c5df428197b50307cc29fbbb122f555da91ee8ecf8c890

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3010697.exe

Filesize
491KB

MD5
2520b7b7693db3306433a9654b4723db

SHA1
37c3517f1de3fc28c1f81bf734397d72dee87901

SHA256
e135b045056084de971f0240c00edc7434965fce03e8d5d8654df52c206b1be6

SHA512
be0ddbf68d9792866a0d4d4660650e52a0f9de10dd5c022f0cad61c2ea38db93170d300e6a41c0c6e9cfcdbd602987f2b962de8b8fdafef27c9aebe994fabf62

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3010697.exe

Filesize
491KB

MD5
2520b7b7693db3306433a9654b4723db

SHA1
37c3517f1de3fc28c1f81bf734397d72dee87901

SHA256
e135b045056084de971f0240c00edc7434965fce03e8d5d8654df52c206b1be6

SHA512
be0ddbf68d9792866a0d4d4660650e52a0f9de10dd5c022f0cad61c2ea38db93170d300e6a41c0c6e9cfcdbd602987f2b962de8b8fdafef27c9aebe994fabf62

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3010697.exe

Filesize
491KB

MD5
2520b7b7693db3306433a9654b4723db

SHA1
37c3517f1de3fc28c1f81bf734397d72dee87901

SHA256
e135b045056084de971f0240c00edc7434965fce03e8d5d8654df52c206b1be6

SHA512
be0ddbf68d9792866a0d4d4660650e52a0f9de10dd5c022f0cad61c2ea38db93170d300e6a41c0c6e9cfcdbd602987f2b962de8b8fdafef27c9aebe994fabf62

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1084034.exe

Filesize
764KB

MD5
31694c9957cb39c7bddf4e7061453171

SHA1
44ecaee95fc1db0c15b2a13506079456eabc6da2

SHA256
da490e125508e80c40818dae6ac540467eac6a42e3f1ac89ac0e822f049b2dcb

SHA512
b3e817e0aa0a15611184996d11ee178f74eaf7aeb6f0d3c84b6099f58d40456c6b99e39ff6d9f884a4d219fcb436c6ae1a834ce34b71d6ae20c45297facea818

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1084034.exe

Filesize
764KB

MD5
31694c9957cb39c7bddf4e7061453171

SHA1
44ecaee95fc1db0c15b2a13506079456eabc6da2

SHA256
da490e125508e80c40818dae6ac540467eac6a42e3f1ac89ac0e822f049b2dcb

SHA512
b3e817e0aa0a15611184996d11ee178f74eaf7aeb6f0d3c84b6099f58d40456c6b99e39ff6d9f884a4d219fcb436c6ae1a834ce34b71d6ae20c45297facea818

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7744913.exe

Filesize
580KB

MD5
a6efc9ddfe3fa7231aa75dde4b62235e

SHA1
f1bbff60f10a12890258a8282a0589289fdf8b0d

SHA256
89e1873906960a4d76729d7e6a90b36a5349fb7caad6cb7278023f4cd0e77dc2

SHA512
0ed350cedd3e10b8d5053cb21c6d6ade57e0090f1643fb65ab2f5c661506187587bcb7a4c6c472dad57625784e5487a94d7f77906905afdd28c11f5fcacc6764

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7744913.exe

Filesize
580KB

MD5
a6efc9ddfe3fa7231aa75dde4b62235e

SHA1
f1bbff60f10a12890258a8282a0589289fdf8b0d

SHA256
89e1873906960a4d76729d7e6a90b36a5349fb7caad6cb7278023f4cd0e77dc2

SHA512
0ed350cedd3e10b8d5053cb21c6d6ade57e0090f1643fb65ab2f5c661506187587bcb7a4c6c472dad57625784e5487a94d7f77906905afdd28c11f5fcacc6764

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2395154.exe

Filesize
295KB

MD5
b182bd82d257cbad31f3174b8d656606

SHA1
71fa6e0db8da1b6fc62fdd7565cd705b5dce9990

SHA256
519c4d6a87809567c9ae3829952dec10a6ebefb7780c07b97dea17076468c53b

SHA512
8102f2f855da51e4b388f0f19eab6e4d181bb610234c6552e77fd0f6c2ac17c90eeb9d1acd0610c930c5df428197b50307cc29fbbb122f555da91ee8ecf8c890

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2395154.exe

Filesize
295KB

MD5
b182bd82d257cbad31f3174b8d656606

SHA1
71fa6e0db8da1b6fc62fdd7565cd705b5dce9990

SHA256
519c4d6a87809567c9ae3829952dec10a6ebefb7780c07b97dea17076468c53b

SHA512
8102f2f855da51e4b388f0f19eab6e4d181bb610234c6552e77fd0f6c2ac17c90eeb9d1acd0610c930c5df428197b50307cc29fbbb122f555da91ee8ecf8c890

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2395154.exe

Filesize
295KB

MD5
b182bd82d257cbad31f3174b8d656606

SHA1
71fa6e0db8da1b6fc62fdd7565cd705b5dce9990

SHA256
519c4d6a87809567c9ae3829952dec10a6ebefb7780c07b97dea17076468c53b

SHA512
8102f2f855da51e4b388f0f19eab6e4d181bb610234c6552e77fd0f6c2ac17c90eeb9d1acd0610c930c5df428197b50307cc29fbbb122f555da91ee8ecf8c890

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3010697.exe

Filesize
491KB

MD5
2520b7b7693db3306433a9654b4723db

SHA1
37c3517f1de3fc28c1f81bf734397d72dee87901

SHA256
e135b045056084de971f0240c00edc7434965fce03e8d5d8654df52c206b1be6

SHA512
be0ddbf68d9792866a0d4d4660650e52a0f9de10dd5c022f0cad61c2ea38db93170d300e6a41c0c6e9cfcdbd602987f2b962de8b8fdafef27c9aebe994fabf62

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3010697.exe

Filesize
491KB

MD5
2520b7b7693db3306433a9654b4723db

SHA1
37c3517f1de3fc28c1f81bf734397d72dee87901

SHA256
e135b045056084de971f0240c00edc7434965fce03e8d5d8654df52c206b1be6

SHA512
be0ddbf68d9792866a0d4d4660650e52a0f9de10dd5c022f0cad61c2ea38db93170d300e6a41c0c6e9cfcdbd602987f2b962de8b8fdafef27c9aebe994fabf62

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3010697.exe

Filesize
491KB

MD5
2520b7b7693db3306433a9654b4723db

SHA1
37c3517f1de3fc28c1f81bf734397d72dee87901

SHA256
e135b045056084de971f0240c00edc7434965fce03e8d5d8654df52c206b1be6

SHA512
be0ddbf68d9792866a0d4d4660650e52a0f9de10dd5c022f0cad61c2ea38db93170d300e6a41c0c6e9cfcdbd602987f2b962de8b8fdafef27c9aebe994fabf62

Download Submit
memory/1956-108-0x00000000002D0000-0x000000000035C000-memory.dmp

Filesize
560KB

Download
memory/1956-107-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1956-114-0x00000000002D0000-0x000000000035C000-memory.dmp

Filesize
560KB

Download
memory/1956-116-0x0000000000AC0000-0x0000000000AC6000-memory.dmp

Filesize
24KB

Download
memory/1956-117-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2952-96-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2952-94-0x0000000000280000-0x00000000002BE000-memory.dmp

Filesize
248KB

Download
memory/2952-95-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/2952-88-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2952-87-0x0000000000280000-0x00000000002BE000-memory.dmp

Filesize
248KB

Download