healer | 627c0990f7c6fa8cc9a276966f3e2b428f8323bdd73c68bdf8034799f948f0d9

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
16/07/2023, 07:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4266390a3e460f4dbe90ce7d9d091d2b.exe
Size

921KB
MD5

4266390a3e460f4dbe90ce7d9d091d2b
SHA1

16bf185400157eaae1561b62196add6bca53b84a
SHA256

627c0990f7c6fa8cc9a276966f3e2b428f8323bdd73c68bdf8034799f948f0d9
SHA512

be25bfb86b8ef7a9f13a9e770e35e4273132920989e37a02fc90887d61208461d41b1b5e0dc419e6a1e53491c6243ad5221040d3f7d854c9b9496f3a19fe54fd
SSDEEP

12288:EMrBy90qgmVH2qW5mA+49iYIvuPRQ3ijJbcrmVVhlheKO83eRs850M2ztvv:ty7gmx2qW5mSVPRQAJlzD/GIv

Score

10^/10

healer redline lamp dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

lamp

77.91.68.56:19071

Attributes

auth_value
ee1df63bcdbe3de70f52810d94eaff7d

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral2/memory/4444-162-0x0000000001F60000-0x0000000001F9E000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k5131175.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k5131175.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k5131175.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k5131175.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k5131175.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k5131175.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
2268	y7974264.exe
1036	y4610638.exe
4444	k5131175.exe
4760	l1966405.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k5131175.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k5131175.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y7974264.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y4610638.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y4610638.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	4266390a3e460f4dbe90ce7d9d091d2b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4266390a3e460f4dbe90ce7d9d091d2b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y7974264.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4444	k5131175.exe
4444	k5131175.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4444	k5131175.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 208 wrote to memory of 2268	208	4266390a3e460f4dbe90ce7d9d091d2b.exe	86
PID 208 wrote to memory of 2268	208	4266390a3e460f4dbe90ce7d9d091d2b.exe	86
PID 208 wrote to memory of 2268	208	4266390a3e460f4dbe90ce7d9d091d2b.exe	86
PID 2268 wrote to memory of 1036	2268	y7974264.exe	87
PID 2268 wrote to memory of 1036	2268	y7974264.exe	87
PID 2268 wrote to memory of 1036	2268	y7974264.exe	87
PID 1036 wrote to memory of 4444	1036	y4610638.exe	88
PID 1036 wrote to memory of 4444	1036	y4610638.exe	88
PID 1036 wrote to memory of 4444	1036	y4610638.exe	88
PID 1036 wrote to memory of 4760	1036	y4610638.exe	94
PID 1036 wrote to memory of 4760	1036	y4610638.exe	94
PID 1036 wrote to memory of 4760	1036	y4610638.exe	94

C:\Users\Admin\AppData\Local\Temp\4266390a3e460f4dbe90ce7d9d091d2b.exe
"C:\Users\Admin\AppData\Local\Temp\4266390a3e460f4dbe90ce7d9d091d2b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:208
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7974264.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7974264.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4610638.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4610638.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1036
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5131175.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5131175.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4444
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1966405.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1966405.exe
      4⤵
      Executes dropped EXE
      PID:4760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7974264.exe

Filesize
766KB

MD5
dce92bfe290f2bfc8fcdaa8d79cfb428

SHA1
821836e9a2a75af557dc76b876d24cd2f29402b2

SHA256
1111e92ca559d16e157e3b9f162502a32061cfd7418cdf8da2ae2337b4a552d1

SHA512
bbe7210caa78acf6df00164ccee955ce79dc4c77fb71fc780243239936c7c1b7a01f59ccda25981bc3915ba127028bfc0c6ce6469c2a920fbc54fce6e01b73a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7974264.exe

Filesize
766KB

MD5
dce92bfe290f2bfc8fcdaa8d79cfb428

SHA1
821836e9a2a75af557dc76b876d24cd2f29402b2

SHA256
1111e92ca559d16e157e3b9f162502a32061cfd7418cdf8da2ae2337b4a552d1

SHA512
bbe7210caa78acf6df00164ccee955ce79dc4c77fb71fc780243239936c7c1b7a01f59ccda25981bc3915ba127028bfc0c6ce6469c2a920fbc54fce6e01b73a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4610638.exe

Filesize
583KB

MD5
c3a728452be74e46d86fcc43e340e0c7

SHA1
398d2ea4ede704d9634e73d8050c9bf4c2e78931

SHA256
ac29c80de2d63a3c7aa65b0cc01240c9e3ca6d8d5c57a99cb2a24d4bad04d664

SHA512
f726c838bf300f0bb0a91cf88e1bd80aaee2e7f4b6e36b74a2df10407c8328a06b9f5e65ce856a94d88079b07139a78efcada57dde97048304eead99466f58f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4610638.exe

Filesize
583KB

MD5
c3a728452be74e46d86fcc43e340e0c7

SHA1
398d2ea4ede704d9634e73d8050c9bf4c2e78931

SHA256
ac29c80de2d63a3c7aa65b0cc01240c9e3ca6d8d5c57a99cb2a24d4bad04d664

SHA512
f726c838bf300f0bb0a91cf88e1bd80aaee2e7f4b6e36b74a2df10407c8328a06b9f5e65ce856a94d88079b07139a78efcada57dde97048304eead99466f58f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5131175.exe

Filesize
294KB

MD5
0051f204743bf30a487630bccbe89d83

SHA1
bd044684a695e3b660e2caecc04c509547ffff6c

SHA256
1e47d6f87dad561d141323a430f88acaf6efdd7db516cf552a46d791454c49d5

SHA512
821893692261d68a3e03c5bb6fd6bfcd483c2a3e09da6fae99b8880e6feb0bb55e3a379a3d7a93d6a601fc9d3a6fe05e989b2fdf316b8252787ceed4e574456f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5131175.exe

Filesize
294KB

MD5
0051f204743bf30a487630bccbe89d83

SHA1
bd044684a695e3b660e2caecc04c509547ffff6c

SHA256
1e47d6f87dad561d141323a430f88acaf6efdd7db516cf552a46d791454c49d5

SHA512
821893692261d68a3e03c5bb6fd6bfcd483c2a3e09da6fae99b8880e6feb0bb55e3a379a3d7a93d6a601fc9d3a6fe05e989b2fdf316b8252787ceed4e574456f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1966405.exe

Filesize
492KB

MD5
4ea677b1f5913f8b1d657574f8d52fdb

SHA1
1758af24eacb654e8f89c70f156c8021c0252870

SHA256
9322b7c8ce8041c56014fe9831c2127493924b1dd65468d994a76273f40ada58

SHA512
fa9418a8fca76d7780980c064ef5783046faa580587e9f88f8c439b15afba5984f44865341b45d20c97ac1df16a2e05a3c20ebc170fcb17e08adf5e9029e7544

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1966405.exe

Filesize
492KB

MD5
4ea677b1f5913f8b1d657574f8d52fdb

SHA1
1758af24eacb654e8f89c70f156c8021c0252870

SHA256
9322b7c8ce8041c56014fe9831c2127493924b1dd65468d994a76273f40ada58

SHA512
fa9418a8fca76d7780980c064ef5783046faa580587e9f88f8c439b15afba5984f44865341b45d20c97ac1df16a2e05a3c20ebc170fcb17e08adf5e9029e7544

Download Submit
memory/4444-167-0x00000000740D0000-0x0000000074880000-memory.dmp

Filesize
7.7MB

Download
memory/4444-154-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4444-164-0x00000000740D0000-0x0000000074880000-memory.dmp

Filesize
7.7MB

Download
memory/4444-162-0x0000000001F60000-0x0000000001F9E000-memory.dmp

Filesize
248KB

Download
memory/4444-161-0x00000000740D0000-0x0000000074880000-memory.dmp

Filesize
7.7MB

Download
memory/4444-155-0x0000000001F60000-0x0000000001F9E000-memory.dmp

Filesize
248KB

Download
memory/4444-163-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/4760-179-0x00000000740D0000-0x0000000074880000-memory.dmp

Filesize
7.7MB

Download
memory/4760-172-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4760-171-0x00000000006D0000-0x000000000075C000-memory.dmp

Filesize
560KB

Download
memory/4760-180-0x00000000006D0000-0x000000000075C000-memory.dmp

Filesize
560KB

Download
memory/4760-182-0x0000000004B20000-0x0000000005138000-memory.dmp

Filesize
6.1MB

Download
memory/4760-183-0x00000000051D0000-0x00000000052DA000-memory.dmp

Filesize
1.0MB

Download
memory/4760-184-0x0000000006D10000-0x0000000006D20000-memory.dmp

Filesize
64KB

Download
memory/4760-185-0x0000000005300000-0x0000000005312000-memory.dmp

Filesize
72KB

Download
memory/4760-186-0x0000000005320000-0x000000000535C000-memory.dmp

Filesize
240KB

Download
memory/4760-187-0x00000000740D0000-0x0000000074880000-memory.dmp

Filesize
7.7MB

Download
memory/4760-188-0x0000000006D10000-0x0000000006D20000-memory.dmp

Filesize
64KB

Download