healer | ad35bb7963ea0b1fb139753b9c2909b450819b7ddaa71afaad739e25b7b09c3a

Analysis

max time kernel
145s
max time network
151s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
17/07/2023, 01:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c06277cec3a77b39a535e1f67da18b13a08a6980a441879d24941240708a7ff2.exe
Size

921KB
MD5

178196d8dfa73e1c0bf651fd68adda63
SHA1

55b9963cbcd4e3cfa5d9f341d3721a7e1329b399
SHA256

c06277cec3a77b39a535e1f67da18b13a08a6980a441879d24941240708a7ff2
SHA512

8b02ccbe810507afe7c91d590b4190cc955aec5b490d6df34898654cd6b45e79b279e5ebd616f523a9ab267f300bc8e81e1fd4d5f0d6591914819984481c5bb7
SSDEEP

24576:vylvFm1nHy+gdB5SLmmjFTx29h6hsE00:6lvFKH84zhx2X6

Score

10^/10

healer redline lamp dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

lamp

77.91.68.56:19071

Attributes

auth_value
ee1df63bcdbe3de70f52810d94eaff7d

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral1/memory/2060-93-0x0000000000250000-0x000000000028E000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k0024126.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k0024126.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k0024126.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k0024126.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k0024126.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k0024126.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
2620	y6931586.exe
2180	y6329177.exe
2060	k0024126.exe
2360	l7268588.exe

Loads dropped DLL 10 IoCs

pid	Process
1860	c06277cec3a77b39a535e1f67da18b13a08a6980a441879d24941240708a7ff2.exe
2620	y6931586.exe
2620	y6931586.exe
2180	y6329177.exe
2180	y6329177.exe
2180	y6329177.exe
2060	k0024126.exe
2180	y6329177.exe
2180	y6329177.exe
2360	l7268588.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	k0024126.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k0024126.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c06277cec3a77b39a535e1f67da18b13a08a6980a441879d24941240708a7ff2.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y6931586.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y6931586.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y6329177.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y6329177.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c06277cec3a77b39a535e1f67da18b13a08a6980a441879d24941240708a7ff2.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2060	k0024126.exe
2060	k0024126.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2060	k0024126.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 2620	1860	c06277cec3a77b39a535e1f67da18b13a08a6980a441879d24941240708a7ff2.exe	28
PID 1860 wrote to memory of 2620	1860	c06277cec3a77b39a535e1f67da18b13a08a6980a441879d24941240708a7ff2.exe	28
PID 1860 wrote to memory of 2620	1860	c06277cec3a77b39a535e1f67da18b13a08a6980a441879d24941240708a7ff2.exe	28
PID 1860 wrote to memory of 2620	1860	c06277cec3a77b39a535e1f67da18b13a08a6980a441879d24941240708a7ff2.exe	28
PID 1860 wrote to memory of 2620	1860	c06277cec3a77b39a535e1f67da18b13a08a6980a441879d24941240708a7ff2.exe	28
PID 1860 wrote to memory of 2620	1860	c06277cec3a77b39a535e1f67da18b13a08a6980a441879d24941240708a7ff2.exe	28
PID 1860 wrote to memory of 2620	1860	c06277cec3a77b39a535e1f67da18b13a08a6980a441879d24941240708a7ff2.exe	28
PID 2620 wrote to memory of 2180	2620	y6931586.exe	29
PID 2620 wrote to memory of 2180	2620	y6931586.exe	29
PID 2620 wrote to memory of 2180	2620	y6931586.exe	29
PID 2620 wrote to memory of 2180	2620	y6931586.exe	29
PID 2620 wrote to memory of 2180	2620	y6931586.exe	29
PID 2620 wrote to memory of 2180	2620	y6931586.exe	29
PID 2620 wrote to memory of 2180	2620	y6931586.exe	29
PID 2180 wrote to memory of 2060	2180	y6329177.exe	30
PID 2180 wrote to memory of 2060	2180	y6329177.exe	30
PID 2180 wrote to memory of 2060	2180	y6329177.exe	30
PID 2180 wrote to memory of 2060	2180	y6329177.exe	30
PID 2180 wrote to memory of 2060	2180	y6329177.exe	30
PID 2180 wrote to memory of 2060	2180	y6329177.exe	30
PID 2180 wrote to memory of 2060	2180	y6329177.exe	30
PID 2180 wrote to memory of 2360	2180	y6329177.exe	32
PID 2180 wrote to memory of 2360	2180	y6329177.exe	32
PID 2180 wrote to memory of 2360	2180	y6329177.exe	32
PID 2180 wrote to memory of 2360	2180	y6329177.exe	32
PID 2180 wrote to memory of 2360	2180	y6329177.exe	32
PID 2180 wrote to memory of 2360	2180	y6329177.exe	32
PID 2180 wrote to memory of 2360	2180	y6329177.exe	32

C:\Users\Admin\AppData\Local\Temp\c06277cec3a77b39a535e1f67da18b13a08a6980a441879d24941240708a7ff2.exe
"C:\Users\Admin\AppData\Local\Temp\c06277cec3a77b39a535e1f67da18b13a08a6980a441879d24941240708a7ff2.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6931586.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6931586.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6329177.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6329177.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0024126.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0024126.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Loads dropped DLL
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2060
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7268588.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7268588.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6931586.exe

Filesize
766KB

MD5
50343b413c78b6507b7d9b001d68c597

SHA1
65294032e79011d4b3f912ee70dc2e6480fdd461

SHA256
4389861d81d449d0628534dcc64d93b98af00a7325be4baae42839f9f0237d77

SHA512
c8cebb8ef38effceda9c22939831853ba45558de614d3956c8bb326c5e84416eea13244a5584d199143081102f239812a8dc86ed2e955fbf0d7eb1b360876a5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6931586.exe

Filesize
766KB

MD5
50343b413c78b6507b7d9b001d68c597

SHA1
65294032e79011d4b3f912ee70dc2e6480fdd461

SHA256
4389861d81d449d0628534dcc64d93b98af00a7325be4baae42839f9f0237d77

SHA512
c8cebb8ef38effceda9c22939831853ba45558de614d3956c8bb326c5e84416eea13244a5584d199143081102f239812a8dc86ed2e955fbf0d7eb1b360876a5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6329177.exe

Filesize
583KB

MD5
586797a184a54cec02dc959b95bafbfe

SHA1
92653b409ce60665ebbf7d5563eb292c615932ee

SHA256
56377374f7b289be615e07af60d603b8e864cd03fa080050273137475ffcb013

SHA512
52d12fd435fd2317536ce94fad1edd8aaf58f943557e7f740f5335bf3633e8d2cc9349b0553cff7fa775f715c7af8c938611281b5a79ba0737e5d766b841f195

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6329177.exe

Filesize
583KB

MD5
586797a184a54cec02dc959b95bafbfe

SHA1
92653b409ce60665ebbf7d5563eb292c615932ee

SHA256
56377374f7b289be615e07af60d603b8e864cd03fa080050273137475ffcb013

SHA512
52d12fd435fd2317536ce94fad1edd8aaf58f943557e7f740f5335bf3633e8d2cc9349b0553cff7fa775f715c7af8c938611281b5a79ba0737e5d766b841f195

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0024126.exe

Filesize
295KB

MD5
fb275f5c728a47576f47d708a3e927a6

SHA1
81b52b5da822e8b9b0e6c564e1e0c16046906841

SHA256
c04f960ba062a1aba556c521047c7670198ab3e459e69b62d5b82ac604eb9d7c

SHA512
efacf96730c998acd2d8e8ba78502f462c705e153788fcd31de412dbaf9667f0127023ec25c1494b0d7e259a17523bd6a2631c213d179bf9c890ef036c5fbb6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0024126.exe

Filesize
295KB

MD5
fb275f5c728a47576f47d708a3e927a6

SHA1
81b52b5da822e8b9b0e6c564e1e0c16046906841

SHA256
c04f960ba062a1aba556c521047c7670198ab3e459e69b62d5b82ac604eb9d7c

SHA512
efacf96730c998acd2d8e8ba78502f462c705e153788fcd31de412dbaf9667f0127023ec25c1494b0d7e259a17523bd6a2631c213d179bf9c890ef036c5fbb6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0024126.exe

Filesize
295KB

MD5
fb275f5c728a47576f47d708a3e927a6

SHA1
81b52b5da822e8b9b0e6c564e1e0c16046906841

SHA256
c04f960ba062a1aba556c521047c7670198ab3e459e69b62d5b82ac604eb9d7c

SHA512
efacf96730c998acd2d8e8ba78502f462c705e153788fcd31de412dbaf9667f0127023ec25c1494b0d7e259a17523bd6a2631c213d179bf9c890ef036c5fbb6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7268588.exe

Filesize
491KB

MD5
f8c3ea875316f56c12dfbf9b7cd991f2

SHA1
042d5f3cc7a3312c19d76e5abec1346c65cacba8

SHA256
c728a5bb964a94058e2ac1c3c840a84d088e1fab7c9509151ed6b35fafa3d1bb

SHA512
6ba5953027dd5089f60e4226a59dd3c2826587da9bc1eabc46da1c5cb116016763a2287ff1cc4080c6394b216051607554835c2c19ecc905d0e18df8d719253e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7268588.exe

Filesize
491KB

MD5
f8c3ea875316f56c12dfbf9b7cd991f2

SHA1
042d5f3cc7a3312c19d76e5abec1346c65cacba8

SHA256
c728a5bb964a94058e2ac1c3c840a84d088e1fab7c9509151ed6b35fafa3d1bb

SHA512
6ba5953027dd5089f60e4226a59dd3c2826587da9bc1eabc46da1c5cb116016763a2287ff1cc4080c6394b216051607554835c2c19ecc905d0e18df8d719253e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7268588.exe

Filesize
491KB

MD5
f8c3ea875316f56c12dfbf9b7cd991f2

SHA1
042d5f3cc7a3312c19d76e5abec1346c65cacba8

SHA256
c728a5bb964a94058e2ac1c3c840a84d088e1fab7c9509151ed6b35fafa3d1bb

SHA512
6ba5953027dd5089f60e4226a59dd3c2826587da9bc1eabc46da1c5cb116016763a2287ff1cc4080c6394b216051607554835c2c19ecc905d0e18df8d719253e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6931586.exe

Filesize
766KB

MD5
50343b413c78b6507b7d9b001d68c597

SHA1
65294032e79011d4b3f912ee70dc2e6480fdd461

SHA256
4389861d81d449d0628534dcc64d93b98af00a7325be4baae42839f9f0237d77

SHA512
c8cebb8ef38effceda9c22939831853ba45558de614d3956c8bb326c5e84416eea13244a5584d199143081102f239812a8dc86ed2e955fbf0d7eb1b360876a5b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6931586.exe

Filesize
766KB

MD5
50343b413c78b6507b7d9b001d68c597

SHA1
65294032e79011d4b3f912ee70dc2e6480fdd461

SHA256
4389861d81d449d0628534dcc64d93b98af00a7325be4baae42839f9f0237d77

SHA512
c8cebb8ef38effceda9c22939831853ba45558de614d3956c8bb326c5e84416eea13244a5584d199143081102f239812a8dc86ed2e955fbf0d7eb1b360876a5b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6329177.exe

Filesize
583KB

MD5
586797a184a54cec02dc959b95bafbfe

SHA1
92653b409ce60665ebbf7d5563eb292c615932ee

SHA256
56377374f7b289be615e07af60d603b8e864cd03fa080050273137475ffcb013

SHA512
52d12fd435fd2317536ce94fad1edd8aaf58f943557e7f740f5335bf3633e8d2cc9349b0553cff7fa775f715c7af8c938611281b5a79ba0737e5d766b841f195

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6329177.exe

Filesize
583KB

MD5
586797a184a54cec02dc959b95bafbfe

SHA1
92653b409ce60665ebbf7d5563eb292c615932ee

SHA256
56377374f7b289be615e07af60d603b8e864cd03fa080050273137475ffcb013

SHA512
52d12fd435fd2317536ce94fad1edd8aaf58f943557e7f740f5335bf3633e8d2cc9349b0553cff7fa775f715c7af8c938611281b5a79ba0737e5d766b841f195

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0024126.exe

Filesize
295KB

MD5
fb275f5c728a47576f47d708a3e927a6

SHA1
81b52b5da822e8b9b0e6c564e1e0c16046906841

SHA256
c04f960ba062a1aba556c521047c7670198ab3e459e69b62d5b82ac604eb9d7c

SHA512
efacf96730c998acd2d8e8ba78502f462c705e153788fcd31de412dbaf9667f0127023ec25c1494b0d7e259a17523bd6a2631c213d179bf9c890ef036c5fbb6a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0024126.exe

Filesize
295KB

MD5
fb275f5c728a47576f47d708a3e927a6

SHA1
81b52b5da822e8b9b0e6c564e1e0c16046906841

SHA256
c04f960ba062a1aba556c521047c7670198ab3e459e69b62d5b82ac604eb9d7c

SHA512
efacf96730c998acd2d8e8ba78502f462c705e153788fcd31de412dbaf9667f0127023ec25c1494b0d7e259a17523bd6a2631c213d179bf9c890ef036c5fbb6a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0024126.exe

Filesize
295KB

MD5
fb275f5c728a47576f47d708a3e927a6

SHA1
81b52b5da822e8b9b0e6c564e1e0c16046906841

SHA256
c04f960ba062a1aba556c521047c7670198ab3e459e69b62d5b82ac604eb9d7c

SHA512
efacf96730c998acd2d8e8ba78502f462c705e153788fcd31de412dbaf9667f0127023ec25c1494b0d7e259a17523bd6a2631c213d179bf9c890ef036c5fbb6a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7268588.exe

Filesize
491KB

MD5
f8c3ea875316f56c12dfbf9b7cd991f2

SHA1
042d5f3cc7a3312c19d76e5abec1346c65cacba8

SHA256
c728a5bb964a94058e2ac1c3c840a84d088e1fab7c9509151ed6b35fafa3d1bb

SHA512
6ba5953027dd5089f60e4226a59dd3c2826587da9bc1eabc46da1c5cb116016763a2287ff1cc4080c6394b216051607554835c2c19ecc905d0e18df8d719253e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7268588.exe

Filesize
491KB

MD5
f8c3ea875316f56c12dfbf9b7cd991f2

SHA1
042d5f3cc7a3312c19d76e5abec1346c65cacba8

SHA256
c728a5bb964a94058e2ac1c3c840a84d088e1fab7c9509151ed6b35fafa3d1bb

SHA512
6ba5953027dd5089f60e4226a59dd3c2826587da9bc1eabc46da1c5cb116016763a2287ff1cc4080c6394b216051607554835c2c19ecc905d0e18df8d719253e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7268588.exe

Filesize
491KB

MD5
f8c3ea875316f56c12dfbf9b7cd991f2

SHA1
042d5f3cc7a3312c19d76e5abec1346c65cacba8

SHA256
c728a5bb964a94058e2ac1c3c840a84d088e1fab7c9509151ed6b35fafa3d1bb

SHA512
6ba5953027dd5089f60e4226a59dd3c2826587da9bc1eabc46da1c5cb116016763a2287ff1cc4080c6394b216051607554835c2c19ecc905d0e18df8d719253e

Download Submit
memory/2060-95-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2060-94-0x0000000000B70000-0x0000000000B71000-memory.dmp

Filesize
4KB

Download
memory/2060-93-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2060-86-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2060-87-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2360-107-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2360-106-0x0000000000480000-0x000000000050C000-memory.dmp

Filesize
560KB

Download
memory/2360-113-0x0000000000480000-0x000000000050C000-memory.dmp

Filesize
560KB

Download
memory/2360-115-0x0000000001F70000-0x0000000001F76000-memory.dmp

Filesize
24KB

Download
memory/2360-116-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download