healer | 6ce7c898e625b73e5769a8ff7ce68877569866cd975701c89f78cba6671b2b9e

Analysis

max time kernel
145s
max time network
152s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
17/07/2023, 01:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51d657df512e7cbe199d7cf51ed7ad922c87df41ed039cca89d19f3c97685af0.exe
Size

921KB
MD5

c47a54edc662b129a3c0f35b2128a210
SHA1

09ca6fa62978e79c28a6db1244e2f4f68689347d
SHA256

51d657df512e7cbe199d7cf51ed7ad922c87df41ed039cca89d19f3c97685af0
SHA512

f5846e19ed96713a9cd67a85f71d05ed3e3bbbbf69fa7c0959aa1dcaebc350a43d1babbe77632e2b9d4332434250f173ac88ca002cd03812485f02970413e1bb
SSDEEP

24576:pyPINE+7DXR2iN6MTEG/XLpsnmh5okX6ZDW678:cat7DB2hMbbpo0o1ZDWC

Score

10^/10

healer redline lamp dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

lamp

77.91.68.56:19071

Attributes

auth_value
ee1df63bcdbe3de70f52810d94eaff7d

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral1/memory/1644-94-0x0000000000270000-0x00000000002AE000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k4643248.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k4643248.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k4643248.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k4643248.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k4643248.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k4643248.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
1896	y3036086.exe
2116	y4220183.exe
1644	k4643248.exe
2876	l4358403.exe

Loads dropped DLL 10 IoCs

pid	Process
2660	51d657df512e7cbe199d7cf51ed7ad922c87df41ed039cca89d19f3c97685af0.exe
1896	y3036086.exe
1896	y3036086.exe
2116	y4220183.exe
2116	y4220183.exe
2116	y4220183.exe
1644	k4643248.exe
2116	y4220183.exe
2116	y4220183.exe
2876	l4358403.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	k4643248.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k4643248.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	51d657df512e7cbe199d7cf51ed7ad922c87df41ed039cca89d19f3c97685af0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	51d657df512e7cbe199d7cf51ed7ad922c87df41ed039cca89d19f3c97685af0.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y3036086.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y3036086.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y4220183.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y4220183.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1644	k4643248.exe
1644	k4643248.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1644	k4643248.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 1896	2660	51d657df512e7cbe199d7cf51ed7ad922c87df41ed039cca89d19f3c97685af0.exe	28
PID 2660 wrote to memory of 1896	2660	51d657df512e7cbe199d7cf51ed7ad922c87df41ed039cca89d19f3c97685af0.exe	28
PID 2660 wrote to memory of 1896	2660	51d657df512e7cbe199d7cf51ed7ad922c87df41ed039cca89d19f3c97685af0.exe	28
PID 2660 wrote to memory of 1896	2660	51d657df512e7cbe199d7cf51ed7ad922c87df41ed039cca89d19f3c97685af0.exe	28
PID 2660 wrote to memory of 1896	2660	51d657df512e7cbe199d7cf51ed7ad922c87df41ed039cca89d19f3c97685af0.exe	28
PID 2660 wrote to memory of 1896	2660	51d657df512e7cbe199d7cf51ed7ad922c87df41ed039cca89d19f3c97685af0.exe	28
PID 2660 wrote to memory of 1896	2660	51d657df512e7cbe199d7cf51ed7ad922c87df41ed039cca89d19f3c97685af0.exe	28
PID 1896 wrote to memory of 2116	1896	y3036086.exe	29
PID 1896 wrote to memory of 2116	1896	y3036086.exe	29
PID 1896 wrote to memory of 2116	1896	y3036086.exe	29
PID 1896 wrote to memory of 2116	1896	y3036086.exe	29
PID 1896 wrote to memory of 2116	1896	y3036086.exe	29
PID 1896 wrote to memory of 2116	1896	y3036086.exe	29
PID 1896 wrote to memory of 2116	1896	y3036086.exe	29
PID 2116 wrote to memory of 1644	2116	y4220183.exe	30
PID 2116 wrote to memory of 1644	2116	y4220183.exe	30
PID 2116 wrote to memory of 1644	2116	y4220183.exe	30
PID 2116 wrote to memory of 1644	2116	y4220183.exe	30
PID 2116 wrote to memory of 1644	2116	y4220183.exe	30
PID 2116 wrote to memory of 1644	2116	y4220183.exe	30
PID 2116 wrote to memory of 1644	2116	y4220183.exe	30
PID 2116 wrote to memory of 2876	2116	y4220183.exe	32
PID 2116 wrote to memory of 2876	2116	y4220183.exe	32
PID 2116 wrote to memory of 2876	2116	y4220183.exe	32
PID 2116 wrote to memory of 2876	2116	y4220183.exe	32
PID 2116 wrote to memory of 2876	2116	y4220183.exe	32
PID 2116 wrote to memory of 2876	2116	y4220183.exe	32
PID 2116 wrote to memory of 2876	2116	y4220183.exe	32

C:\Users\Admin\AppData\Local\Temp\51d657df512e7cbe199d7cf51ed7ad922c87df41ed039cca89d19f3c97685af0.exe
"C:\Users\Admin\AppData\Local\Temp\51d657df512e7cbe199d7cf51ed7ad922c87df41ed039cca89d19f3c97685af0.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3036086.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3036086.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4220183.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4220183.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2116
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4643248.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4643248.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Loads dropped DLL
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1644
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4358403.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4358403.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3036086.exe

Filesize
765KB

MD5
2000d6aa647a4537f7878345516e46ba

SHA1
0afc5f6ca4f7ac774c34d8ac8461f6aee76eb257

SHA256
5a359feb51d21ea711450893d3fba10ccd4c238a90fe8b395885a02077f3ba09

SHA512
c859886339ca2b51c9b32839a92bab35f98c19eaff5c531715e2d3c5f41d93f126e982531498a2f92a526093a64362aeab4d63fee1499642694a17ef2b763f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3036086.exe

Filesize
765KB

MD5
2000d6aa647a4537f7878345516e46ba

SHA1
0afc5f6ca4f7ac774c34d8ac8461f6aee76eb257

SHA256
5a359feb51d21ea711450893d3fba10ccd4c238a90fe8b395885a02077f3ba09

SHA512
c859886339ca2b51c9b32839a92bab35f98c19eaff5c531715e2d3c5f41d93f126e982531498a2f92a526093a64362aeab4d63fee1499642694a17ef2b763f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4220183.exe

Filesize
582KB

MD5
e378b54b01d0b7f56bbd119d678c4591

SHA1
9931232ef3d1cd9ee7b3803161b133a9f4ba26a6

SHA256
be776f93bb407b0d171f364aa766bb4a81161a5681151fc3170ba6735b49a5a6

SHA512
3505c2e356c6d0730544d065417352a06ff5bbc0660b517941981498a5adf56d10372604926f0b6f2e50f8020e9a62a7a2cc80e620a9432f4eafda17d3c25a78

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4220183.exe

Filesize
582KB

MD5
e378b54b01d0b7f56bbd119d678c4591

SHA1
9931232ef3d1cd9ee7b3803161b133a9f4ba26a6

SHA256
be776f93bb407b0d171f364aa766bb4a81161a5681151fc3170ba6735b49a5a6

SHA512
3505c2e356c6d0730544d065417352a06ff5bbc0660b517941981498a5adf56d10372604926f0b6f2e50f8020e9a62a7a2cc80e620a9432f4eafda17d3c25a78

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4643248.exe

Filesize
294KB

MD5
983efe5aaa583729c9b9773b56c1af83

SHA1
ff3742723ada1b8a35cf2e56570df6bd60f39ec3

SHA256
d7b68835dc4ad60b83b05cf55715e01d292bebf557236846345543c28b5edeaa

SHA512
747ffd433e756a01c4d263c46c84d86f2c000d1e225939f366928c07204f5b83f4dba35c0a0f33ccb9e9b0526995d717a281277bcf3afc0714b72fc78c67d312

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4643248.exe

Filesize
294KB

MD5
983efe5aaa583729c9b9773b56c1af83

SHA1
ff3742723ada1b8a35cf2e56570df6bd60f39ec3

SHA256
d7b68835dc4ad60b83b05cf55715e01d292bebf557236846345543c28b5edeaa

SHA512
747ffd433e756a01c4d263c46c84d86f2c000d1e225939f366928c07204f5b83f4dba35c0a0f33ccb9e9b0526995d717a281277bcf3afc0714b72fc78c67d312

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4643248.exe

Filesize
294KB

MD5
983efe5aaa583729c9b9773b56c1af83

SHA1
ff3742723ada1b8a35cf2e56570df6bd60f39ec3

SHA256
d7b68835dc4ad60b83b05cf55715e01d292bebf557236846345543c28b5edeaa

SHA512
747ffd433e756a01c4d263c46c84d86f2c000d1e225939f366928c07204f5b83f4dba35c0a0f33ccb9e9b0526995d717a281277bcf3afc0714b72fc78c67d312

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4358403.exe

Filesize
492KB

MD5
7816e0b87cab8163217ada078076493c

SHA1
e4933a060cb95d7b748548e83dd1ce457ce79001

SHA256
859d4fdf3c4a6336c03ec1e5e46c487052d131779546087556a510b3921fae11

SHA512
3cafff5622bb508f6d9ebf73909edac5ed9af453aa99d010bab338f79742ad416cf6092cfb93ce934e9eb3edf2df5dd3e280bf859e8d57a3cc981f9552c078b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4358403.exe

Filesize
492KB

MD5
7816e0b87cab8163217ada078076493c

SHA1
e4933a060cb95d7b748548e83dd1ce457ce79001

SHA256
859d4fdf3c4a6336c03ec1e5e46c487052d131779546087556a510b3921fae11

SHA512
3cafff5622bb508f6d9ebf73909edac5ed9af453aa99d010bab338f79742ad416cf6092cfb93ce934e9eb3edf2df5dd3e280bf859e8d57a3cc981f9552c078b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4358403.exe

Filesize
492KB

MD5
7816e0b87cab8163217ada078076493c

SHA1
e4933a060cb95d7b748548e83dd1ce457ce79001

SHA256
859d4fdf3c4a6336c03ec1e5e46c487052d131779546087556a510b3921fae11

SHA512
3cafff5622bb508f6d9ebf73909edac5ed9af453aa99d010bab338f79742ad416cf6092cfb93ce934e9eb3edf2df5dd3e280bf859e8d57a3cc981f9552c078b4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3036086.exe

Filesize
765KB

MD5
2000d6aa647a4537f7878345516e46ba

SHA1
0afc5f6ca4f7ac774c34d8ac8461f6aee76eb257

SHA256
5a359feb51d21ea711450893d3fba10ccd4c238a90fe8b395885a02077f3ba09

SHA512
c859886339ca2b51c9b32839a92bab35f98c19eaff5c531715e2d3c5f41d93f126e982531498a2f92a526093a64362aeab4d63fee1499642694a17ef2b763f02

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3036086.exe

Filesize
765KB

MD5
2000d6aa647a4537f7878345516e46ba

SHA1
0afc5f6ca4f7ac774c34d8ac8461f6aee76eb257

SHA256
5a359feb51d21ea711450893d3fba10ccd4c238a90fe8b395885a02077f3ba09

SHA512
c859886339ca2b51c9b32839a92bab35f98c19eaff5c531715e2d3c5f41d93f126e982531498a2f92a526093a64362aeab4d63fee1499642694a17ef2b763f02

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4220183.exe

Filesize
582KB

MD5
e378b54b01d0b7f56bbd119d678c4591

SHA1
9931232ef3d1cd9ee7b3803161b133a9f4ba26a6

SHA256
be776f93bb407b0d171f364aa766bb4a81161a5681151fc3170ba6735b49a5a6

SHA512
3505c2e356c6d0730544d065417352a06ff5bbc0660b517941981498a5adf56d10372604926f0b6f2e50f8020e9a62a7a2cc80e620a9432f4eafda17d3c25a78

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4220183.exe

Filesize
582KB

MD5
e378b54b01d0b7f56bbd119d678c4591

SHA1
9931232ef3d1cd9ee7b3803161b133a9f4ba26a6

SHA256
be776f93bb407b0d171f364aa766bb4a81161a5681151fc3170ba6735b49a5a6

SHA512
3505c2e356c6d0730544d065417352a06ff5bbc0660b517941981498a5adf56d10372604926f0b6f2e50f8020e9a62a7a2cc80e620a9432f4eafda17d3c25a78

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4643248.exe

Filesize
294KB

MD5
983efe5aaa583729c9b9773b56c1af83

SHA1
ff3742723ada1b8a35cf2e56570df6bd60f39ec3

SHA256
d7b68835dc4ad60b83b05cf55715e01d292bebf557236846345543c28b5edeaa

SHA512
747ffd433e756a01c4d263c46c84d86f2c000d1e225939f366928c07204f5b83f4dba35c0a0f33ccb9e9b0526995d717a281277bcf3afc0714b72fc78c67d312

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4643248.exe

Filesize
294KB

MD5
983efe5aaa583729c9b9773b56c1af83

SHA1
ff3742723ada1b8a35cf2e56570df6bd60f39ec3

SHA256
d7b68835dc4ad60b83b05cf55715e01d292bebf557236846345543c28b5edeaa

SHA512
747ffd433e756a01c4d263c46c84d86f2c000d1e225939f366928c07204f5b83f4dba35c0a0f33ccb9e9b0526995d717a281277bcf3afc0714b72fc78c67d312

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4643248.exe

Filesize
294KB

MD5
983efe5aaa583729c9b9773b56c1af83

SHA1
ff3742723ada1b8a35cf2e56570df6bd60f39ec3

SHA256
d7b68835dc4ad60b83b05cf55715e01d292bebf557236846345543c28b5edeaa

SHA512
747ffd433e756a01c4d263c46c84d86f2c000d1e225939f366928c07204f5b83f4dba35c0a0f33ccb9e9b0526995d717a281277bcf3afc0714b72fc78c67d312

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4358403.exe

Filesize
492KB

MD5
7816e0b87cab8163217ada078076493c

SHA1
e4933a060cb95d7b748548e83dd1ce457ce79001

SHA256
859d4fdf3c4a6336c03ec1e5e46c487052d131779546087556a510b3921fae11

SHA512
3cafff5622bb508f6d9ebf73909edac5ed9af453aa99d010bab338f79742ad416cf6092cfb93ce934e9eb3edf2df5dd3e280bf859e8d57a3cc981f9552c078b4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4358403.exe

Filesize
492KB

MD5
7816e0b87cab8163217ada078076493c

SHA1
e4933a060cb95d7b748548e83dd1ce457ce79001

SHA256
859d4fdf3c4a6336c03ec1e5e46c487052d131779546087556a510b3921fae11

SHA512
3cafff5622bb508f6d9ebf73909edac5ed9af453aa99d010bab338f79742ad416cf6092cfb93ce934e9eb3edf2df5dd3e280bf859e8d57a3cc981f9552c078b4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4358403.exe

Filesize
492KB

MD5
7816e0b87cab8163217ada078076493c

SHA1
e4933a060cb95d7b748548e83dd1ce457ce79001

SHA256
859d4fdf3c4a6336c03ec1e5e46c487052d131779546087556a510b3921fae11

SHA512
3cafff5622bb508f6d9ebf73909edac5ed9af453aa99d010bab338f79742ad416cf6092cfb93ce934e9eb3edf2df5dd3e280bf859e8d57a3cc981f9552c078b4

Download Submit
memory/1644-96-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1644-95-0x0000000001EC0000-0x0000000001EC1000-memory.dmp

Filesize
4KB

Download
memory/1644-94-0x0000000000270000-0x00000000002AE000-memory.dmp

Filesize
248KB

Download
memory/1644-88-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1644-87-0x0000000000270000-0x00000000002AE000-memory.dmp

Filesize
248KB

Download
memory/2876-108-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2876-107-0x0000000000340000-0x00000000003CC000-memory.dmp

Filesize
560KB

Download
memory/2876-114-0x0000000000340000-0x00000000003CC000-memory.dmp

Filesize
560KB

Download
memory/2876-116-0x0000000000BC0000-0x0000000000BC6000-memory.dmp

Filesize
24KB

Download
memory/2876-117-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download