healer | 7e420dfd5377fc7cf6823892af55e7a3a061aac8b7a6d4c4d89550b64775cea2

Analysis

max time kernel
147s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2023, 22:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e420dfd5377fc7cf6823892af55e7a3a061aac8b7a6d4c4d89550b64775cea2.exe
Size

929KB
MD5

ec03a91dd720ed039081d38588e0e220
SHA1

48fb640e7a5e74239267ca30f6428eab5f5c9f14
SHA256

7e420dfd5377fc7cf6823892af55e7a3a061aac8b7a6d4c4d89550b64775cea2
SHA512

f84c1c92d4312c6d4a6f158fb919d0e38d5f2d1f4b1600746cf2036f4a4f89e3372c65d4155dccc903890c7c6b09c0ddf92b943bccf19884016b2a23af2559e2
SSDEEP

12288:lMrKy90T6P4TTYvQGFaxzO3b42tMBpfeDlzX0V94N8KIijgr630+cWfdaGzuewUy:bygk5IGuzobHtTaV91Ogrw0t5NFft

Score

10^/10

healer redline rota dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rota

77.91.124.73:19071

Attributes

auth_value
320c7daa59eb9b82e20a15162392a756

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000002320d-167.dat	healer
behavioral1/files/0x000700000002320d-166.dat	healer
behavioral1/memory/2108-168-0x0000000000DA0000-0x0000000000DAA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q2418056.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	q2418056.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q2418056.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q2418056.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q2418056.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q2418056.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
1376	z7351061.exe
4884	z8603362.exe
4644	z3035910.exe
5104	z9270666.exe
2108	q2418056.exe
2464	r7761764.exe
984	s2045900.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q2418056.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z9270666.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7e420dfd5377fc7cf6823892af55e7a3a061aac8b7a6d4c4d89550b64775cea2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z7351061.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z8603362.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z3035910.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2108	q2418056.exe
2108	q2418056.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2108	q2418056.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3596 wrote to memory of 1376	3596	7e420dfd5377fc7cf6823892af55e7a3a061aac8b7a6d4c4d89550b64775cea2.exe	80
PID 3596 wrote to memory of 1376	3596	7e420dfd5377fc7cf6823892af55e7a3a061aac8b7a6d4c4d89550b64775cea2.exe	80
PID 3596 wrote to memory of 1376	3596	7e420dfd5377fc7cf6823892af55e7a3a061aac8b7a6d4c4d89550b64775cea2.exe	80
PID 1376 wrote to memory of 4884	1376	z7351061.exe	81
PID 1376 wrote to memory of 4884	1376	z7351061.exe	81
PID 1376 wrote to memory of 4884	1376	z7351061.exe	81
PID 4884 wrote to memory of 4644	4884	z8603362.exe	82
PID 4884 wrote to memory of 4644	4884	z8603362.exe	82
PID 4884 wrote to memory of 4644	4884	z8603362.exe	82
PID 4644 wrote to memory of 5104	4644	z3035910.exe	83
PID 4644 wrote to memory of 5104	4644	z3035910.exe	83
PID 4644 wrote to memory of 5104	4644	z3035910.exe	83
PID 5104 wrote to memory of 2108	5104	z9270666.exe	84
PID 5104 wrote to memory of 2108	5104	z9270666.exe	84
PID 5104 wrote to memory of 2464	5104	z9270666.exe	90
PID 5104 wrote to memory of 2464	5104	z9270666.exe	90
PID 5104 wrote to memory of 2464	5104	z9270666.exe	90
PID 4644 wrote to memory of 984	4644	z3035910.exe	91
PID 4644 wrote to memory of 984	4644	z3035910.exe	91
PID 4644 wrote to memory of 984	4644	z3035910.exe	91

C:\Users\Admin\AppData\Local\Temp\7e420dfd5377fc7cf6823892af55e7a3a061aac8b7a6d4c4d89550b64775cea2.exe
"C:\Users\Admin\AppData\Local\Temp\7e420dfd5377fc7cf6823892af55e7a3a061aac8b7a6d4c4d89550b64775cea2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3596
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7351061.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7351061.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1376
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8603362.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8603362.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4884
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3035910.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3035910.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4644
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9270666.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9270666.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:5104
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2418056.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2418056.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7761764.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7761764.exe
        6⤵
        Executes dropped EXE
        
        PID:2464
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s2045900.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s2045900.exe
        5⤵
        Executes dropped EXE
        
        PID:984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7351061.exe

Filesize
824KB

MD5
3961a9dac544861f5c2b5e7ef7943abb

SHA1
54bdf61441b2a7345abd2cc6ecbc067451339c0f

SHA256
43aa33ee373538c79914678d1f58687acbd7b4f4ce979f4affd8e86b9b16cde8

SHA512
773f1e7ef8c7d60e783fccf3ed15407474d984db299ef85817ca8d69f481b3aab6e13ee8ef5c7a4b502b8ebe971c4fb48ae54ab354d163150b9e399227437b3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7351061.exe

Filesize
824KB

MD5
3961a9dac544861f5c2b5e7ef7943abb

SHA1
54bdf61441b2a7345abd2cc6ecbc067451339c0f

SHA256
43aa33ee373538c79914678d1f58687acbd7b4f4ce979f4affd8e86b9b16cde8

SHA512
773f1e7ef8c7d60e783fccf3ed15407474d984db299ef85817ca8d69f481b3aab6e13ee8ef5c7a4b502b8ebe971c4fb48ae54ab354d163150b9e399227437b3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8603362.exe

Filesize
598KB

MD5
cb600cfd4a7a98cab41e6788964141fc

SHA1
3411f3836a18655e7801ab5c6bcb72b018b9c286

SHA256
de87a4db62add68bd34b45ee188aba8752b3d4bdf39adc784a950c526cf60e95

SHA512
8ee1c77cf68f35e97933555be9c9a666e995f6d56ee66608c6fdca9832abdd40fe7c5f8912a8791c0c8365416bd8e06c68f671ebfec6fa0e665fc4f66376845f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8603362.exe

Filesize
598KB

MD5
cb600cfd4a7a98cab41e6788964141fc

SHA1
3411f3836a18655e7801ab5c6bcb72b018b9c286

SHA256
de87a4db62add68bd34b45ee188aba8752b3d4bdf39adc784a950c526cf60e95

SHA512
8ee1c77cf68f35e97933555be9c9a666e995f6d56ee66608c6fdca9832abdd40fe7c5f8912a8791c0c8365416bd8e06c68f671ebfec6fa0e665fc4f66376845f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3035910.exe

Filesize
372KB

MD5
8a4e45528fc80688c9d4bce8b46ef9d3

SHA1
c3ccc5ce11eb92bb7b8ee55ddffa89b69c3807ef

SHA256
6d55c5f31e8cf00a8d0644e3a0105670e620dc2b1004b31da7e434181241f23a

SHA512
18a4ae864e94cc89c97e818eaec38019126344ada304cd1572663c9c1f2fbce89d52b356ad0272cfacaa97a98836a9aabbb11a7282ba5e507860207a0d454018

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3035910.exe

Filesize
372KB

MD5
8a4e45528fc80688c9d4bce8b46ef9d3

SHA1
c3ccc5ce11eb92bb7b8ee55ddffa89b69c3807ef

SHA256
6d55c5f31e8cf00a8d0644e3a0105670e620dc2b1004b31da7e434181241f23a

SHA512
18a4ae864e94cc89c97e818eaec38019126344ada304cd1572663c9c1f2fbce89d52b356ad0272cfacaa97a98836a9aabbb11a7282ba5e507860207a0d454018

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s2045900.exe

Filesize
174KB

MD5
03a7113b1c6cd6d6ec6262a4dfb2ad38

SHA1
640f634d5b4eca37e456d8404f5afc17d3af69de

SHA256
eda26df71c8de3c936b541d0e3ff8cb1a700c0fb26aa51787258e1b366a105b2

SHA512
bb1aa320f83b45b9443ce4a07446478658590759894e221e5630b537392cfaa931800d9a46221dab28c81729af3a063f128faee3a554cc1aa570023cb4ef05a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s2045900.exe

Filesize
174KB

MD5
03a7113b1c6cd6d6ec6262a4dfb2ad38

SHA1
640f634d5b4eca37e456d8404f5afc17d3af69de

SHA256
eda26df71c8de3c936b541d0e3ff8cb1a700c0fb26aa51787258e1b366a105b2

SHA512
bb1aa320f83b45b9443ce4a07446478658590759894e221e5630b537392cfaa931800d9a46221dab28c81729af3a063f128faee3a554cc1aa570023cb4ef05a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9270666.exe

Filesize
216KB

MD5
bc53fb7a26d53db440933b7663fde599

SHA1
3c46a8cbaa73183c85d288f9052cb80e5ef7a4cb

SHA256
488efb5fbe9fef64a3c8e888c6665d414de637534de060134b61bf2da05b3db7

SHA512
f54fe5cb1eeb096a50012f8de4f1d768fe0ec4f7043c200fce3b89fecf02ecc6297a21a3713d0abaf69acd1b963e347a34ba4b94001b35d5a962e34da88538d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9270666.exe

Filesize
216KB

MD5
bc53fb7a26d53db440933b7663fde599

SHA1
3c46a8cbaa73183c85d288f9052cb80e5ef7a4cb

SHA256
488efb5fbe9fef64a3c8e888c6665d414de637534de060134b61bf2da05b3db7

SHA512
f54fe5cb1eeb096a50012f8de4f1d768fe0ec4f7043c200fce3b89fecf02ecc6297a21a3713d0abaf69acd1b963e347a34ba4b94001b35d5a962e34da88538d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2418056.exe

Filesize
12KB

MD5
1afa457067bc66394d84dba2d38c4c24

SHA1
cc5fa0170a1d43cc081e5f1ac76c3a2def032583

SHA256
942e44499ab101f0147a043a6293e001e3e5d0536bf043e33edd57142787a07f

SHA512
69d0e67e9b0006d00f67ce63c4ca5ba7d56fe5fabb6b748544e53c31e9799dfcb443833b6af7f52cf102f45cca671be550813f5a6b6eaf9213f5a0fe2b302a55

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2418056.exe

Filesize
12KB

MD5
1afa457067bc66394d84dba2d38c4c24

SHA1
cc5fa0170a1d43cc081e5f1ac76c3a2def032583

SHA256
942e44499ab101f0147a043a6293e001e3e5d0536bf043e33edd57142787a07f

SHA512
69d0e67e9b0006d00f67ce63c4ca5ba7d56fe5fabb6b748544e53c31e9799dfcb443833b6af7f52cf102f45cca671be550813f5a6b6eaf9213f5a0fe2b302a55

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7761764.exe

Filesize
140KB

MD5
9924122cd6a99340f94a7115a8f3b8fa

SHA1
7d715fc54ae310974825367e0e30821e6508f494

SHA256
3679e5dc82bbc806d6abfc46a8147fcf5d55f223d0fb007053c572ab519ccd34

SHA512
053df053e9964a331a558f25e344147eed910c82aae94a8d6d25602e90cc3d3deebfe8e8833f63e8aa7de8e0fcd93d829cc2c38b1ef4a4bcad8a62cd70768bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7761764.exe

Filesize
140KB

MD5
9924122cd6a99340f94a7115a8f3b8fa

SHA1
7d715fc54ae310974825367e0e30821e6508f494

SHA256
3679e5dc82bbc806d6abfc46a8147fcf5d55f223d0fb007053c572ab519ccd34

SHA512
053df053e9964a331a558f25e344147eed910c82aae94a8d6d25602e90cc3d3deebfe8e8833f63e8aa7de8e0fcd93d829cc2c38b1ef4a4bcad8a62cd70768bf6

Download Submit
memory/984-179-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/984-178-0x00000000008D0000-0x0000000000900000-memory.dmp

Filesize
192KB

Download
memory/984-180-0x000000000AD00000-0x000000000B318000-memory.dmp

Filesize
6.1MB

Download
memory/984-181-0x000000000A880000-0x000000000A98A000-memory.dmp

Filesize
1.0MB

Download
memory/984-182-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/984-183-0x000000000A7C0000-0x000000000A7D2000-memory.dmp

Filesize
72KB

Download
memory/984-184-0x000000000A820000-0x000000000A85C000-memory.dmp

Filesize
240KB

Download
memory/984-185-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/984-186-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/2108-171-0x00007FF981280000-0x00007FF981D41000-memory.dmp

Filesize
10.8MB

Download
memory/2108-169-0x00007FF981280000-0x00007FF981D41000-memory.dmp

Filesize
10.8MB

Download
memory/2108-168-0x0000000000DA0000-0x0000000000DAA000-memory.dmp

Filesize
40KB

Download