healer | ad35bb7963ea0b1fb139753b9c2909b450819b7ddaa71afaad739e25b7b09c3a

Analysis

max time kernel
147s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
17-07-2023 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c06277cec3a77b39a535e1f67da18b13a08a6980a441879d24941240708a7ff2.exe
Size

921KB
MD5

178196d8dfa73e1c0bf651fd68adda63
SHA1

55b9963cbcd4e3cfa5d9f341d3721a7e1329b399
SHA256

c06277cec3a77b39a535e1f67da18b13a08a6980a441879d24941240708a7ff2
SHA512

8b02ccbe810507afe7c91d590b4190cc955aec5b490d6df34898654cd6b45e79b279e5ebd616f523a9ab267f300bc8e81e1fd4d5f0d6591914819984481c5bb7
SSDEEP

24576:vylvFm1nHy+gdB5SLmmjFTx29h6hsE00:6lvFKH84zhx2X6

Score

10^/10

healer redline lamp dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

lamp

77.91.68.56:19071

Attributes

auth_value
ee1df63bcdbe3de70f52810d94eaff7d

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral2/memory/1648-162-0x00000000005B0000-0x00000000005EE000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k0024126.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k0024126.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k0024126.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k0024126.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k0024126.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k0024126.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
2076	y6931586.exe
3064	y6329177.exe
1648	k0024126.exe
1748	l7268588.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k0024126.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k0024126.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y6931586.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y6931586.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y6329177.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y6329177.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c06277cec3a77b39a535e1f67da18b13a08a6980a441879d24941240708a7ff2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c06277cec3a77b39a535e1f67da18b13a08a6980a441879d24941240708a7ff2.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1648	k0024126.exe
1648	k0024126.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1648	k0024126.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3120 wrote to memory of 2076	3120	c06277cec3a77b39a535e1f67da18b13a08a6980a441879d24941240708a7ff2.exe	85
PID 3120 wrote to memory of 2076	3120	c06277cec3a77b39a535e1f67da18b13a08a6980a441879d24941240708a7ff2.exe	85
PID 3120 wrote to memory of 2076	3120	c06277cec3a77b39a535e1f67da18b13a08a6980a441879d24941240708a7ff2.exe	85
PID 2076 wrote to memory of 3064	2076	y6931586.exe	87
PID 2076 wrote to memory of 3064	2076	y6931586.exe	87
PID 2076 wrote to memory of 3064	2076	y6931586.exe	87
PID 3064 wrote to memory of 1648	3064	y6329177.exe	88
PID 3064 wrote to memory of 1648	3064	y6329177.exe	88
PID 3064 wrote to memory of 1648	3064	y6329177.exe	88
PID 3064 wrote to memory of 1748	3064	y6329177.exe	94
PID 3064 wrote to memory of 1748	3064	y6329177.exe	94
PID 3064 wrote to memory of 1748	3064	y6329177.exe	94

C:\Users\Admin\AppData\Local\Temp\c06277cec3a77b39a535e1f67da18b13a08a6980a441879d24941240708a7ff2.exe
"C:\Users\Admin\AppData\Local\Temp\c06277cec3a77b39a535e1f67da18b13a08a6980a441879d24941240708a7ff2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3120
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6931586.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6931586.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6329177.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6329177.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0024126.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0024126.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1648
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7268588.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7268588.exe
      4⤵
      Executes dropped EXE
      PID:1748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6931586.exe

Filesize
766KB

MD5
50343b413c78b6507b7d9b001d68c597

SHA1
65294032e79011d4b3f912ee70dc2e6480fdd461

SHA256
4389861d81d449d0628534dcc64d93b98af00a7325be4baae42839f9f0237d77

SHA512
c8cebb8ef38effceda9c22939831853ba45558de614d3956c8bb326c5e84416eea13244a5584d199143081102f239812a8dc86ed2e955fbf0d7eb1b360876a5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6931586.exe

Filesize
766KB

MD5
50343b413c78b6507b7d9b001d68c597

SHA1
65294032e79011d4b3f912ee70dc2e6480fdd461

SHA256
4389861d81d449d0628534dcc64d93b98af00a7325be4baae42839f9f0237d77

SHA512
c8cebb8ef38effceda9c22939831853ba45558de614d3956c8bb326c5e84416eea13244a5584d199143081102f239812a8dc86ed2e955fbf0d7eb1b360876a5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6329177.exe

Filesize
583KB

MD5
586797a184a54cec02dc959b95bafbfe

SHA1
92653b409ce60665ebbf7d5563eb292c615932ee

SHA256
56377374f7b289be615e07af60d603b8e864cd03fa080050273137475ffcb013

SHA512
52d12fd435fd2317536ce94fad1edd8aaf58f943557e7f740f5335bf3633e8d2cc9349b0553cff7fa775f715c7af8c938611281b5a79ba0737e5d766b841f195

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6329177.exe

Filesize
583KB

MD5
586797a184a54cec02dc959b95bafbfe

SHA1
92653b409ce60665ebbf7d5563eb292c615932ee

SHA256
56377374f7b289be615e07af60d603b8e864cd03fa080050273137475ffcb013

SHA512
52d12fd435fd2317536ce94fad1edd8aaf58f943557e7f740f5335bf3633e8d2cc9349b0553cff7fa775f715c7af8c938611281b5a79ba0737e5d766b841f195

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0024126.exe

Filesize
295KB

MD5
fb275f5c728a47576f47d708a3e927a6

SHA1
81b52b5da822e8b9b0e6c564e1e0c16046906841

SHA256
c04f960ba062a1aba556c521047c7670198ab3e459e69b62d5b82ac604eb9d7c

SHA512
efacf96730c998acd2d8e8ba78502f462c705e153788fcd31de412dbaf9667f0127023ec25c1494b0d7e259a17523bd6a2631c213d179bf9c890ef036c5fbb6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0024126.exe

Filesize
295KB

MD5
fb275f5c728a47576f47d708a3e927a6

SHA1
81b52b5da822e8b9b0e6c564e1e0c16046906841

SHA256
c04f960ba062a1aba556c521047c7670198ab3e459e69b62d5b82ac604eb9d7c

SHA512
efacf96730c998acd2d8e8ba78502f462c705e153788fcd31de412dbaf9667f0127023ec25c1494b0d7e259a17523bd6a2631c213d179bf9c890ef036c5fbb6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7268588.exe

Filesize
491KB

MD5
f8c3ea875316f56c12dfbf9b7cd991f2

SHA1
042d5f3cc7a3312c19d76e5abec1346c65cacba8

SHA256
c728a5bb964a94058e2ac1c3c840a84d088e1fab7c9509151ed6b35fafa3d1bb

SHA512
6ba5953027dd5089f60e4226a59dd3c2826587da9bc1eabc46da1c5cb116016763a2287ff1cc4080c6394b216051607554835c2c19ecc905d0e18df8d719253e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7268588.exe

Filesize
491KB

MD5
f8c3ea875316f56c12dfbf9b7cd991f2

SHA1
042d5f3cc7a3312c19d76e5abec1346c65cacba8

SHA256
c728a5bb964a94058e2ac1c3c840a84d088e1fab7c9509151ed6b35fafa3d1bb

SHA512
6ba5953027dd5089f60e4226a59dd3c2826587da9bc1eabc46da1c5cb116016763a2287ff1cc4080c6394b216051607554835c2c19ecc905d0e18df8d719253e

Download Submit
memory/1648-155-0x00000000005B0000-0x00000000005EE000-memory.dmp

Filesize
248KB

Download
memory/1648-154-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1648-164-0x0000000074560000-0x0000000074D10000-memory.dmp

Filesize
7.7MB

Download
memory/1648-167-0x0000000074560000-0x0000000074D10000-memory.dmp

Filesize
7.7MB

Download
memory/1648-162-0x00000000005B0000-0x00000000005EE000-memory.dmp

Filesize
248KB

Download
memory/1648-161-0x0000000074560000-0x0000000074D10000-memory.dmp

Filesize
7.7MB

Download
memory/1648-163-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/1748-179-0x0000000074560000-0x0000000074D10000-memory.dmp

Filesize
7.7MB

Download
memory/1748-171-0x0000000001F70000-0x0000000001FFC000-memory.dmp

Filesize
560KB

Download
memory/1748-172-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1748-180-0x0000000001F70000-0x0000000001FFC000-memory.dmp

Filesize
560KB

Download
memory/1748-182-0x000000000A580000-0x000000000AB98000-memory.dmp

Filesize
6.1MB

Download
memory/1748-183-0x0000000009F60000-0x000000000A06A000-memory.dmp

Filesize
1.0MB

Download
memory/1748-185-0x000000000A080000-0x000000000A092000-memory.dmp

Filesize
72KB

Download
memory/1748-184-0x0000000006BE0000-0x0000000006BF0000-memory.dmp

Filesize
64KB

Download
memory/1748-186-0x000000000A0A0000-0x000000000A0DC000-memory.dmp

Filesize
240KB

Download
memory/1748-187-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1748-188-0x0000000074560000-0x0000000074D10000-memory.dmp

Filesize
7.7MB

Download
memory/1748-189-0x0000000006BE0000-0x0000000006BF0000-memory.dmp

Filesize
64KB

Download