healer | decdbd27359f9b3f203c4e5aec9fece40b8d0be1a45a8b5208af0c96aa2e4cd3

Analysis

max time kernel
145s
max time network
152s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
22/08/2023, 10:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

decdbd27359f9b3f203c4e5aec9fece40b8d0be1a45a8b5208af0c96aa2e4cd3.exe
Size

839KB
MD5

00f4bac5217848ae4178bb47c2b1c67e
SHA1

2179e244d4b4cc968a33c7c1eb66f4383d81684a
SHA256

decdbd27359f9b3f203c4e5aec9fece40b8d0be1a45a8b5208af0c96aa2e4cd3
SHA512

c51e4439433d2e4ed1741c73531ad566541f4653d15ddaf704f728c75ee6fb4b654006b8578f9e160145284f3fae410a8e0950b5c1c85933cf368a915334e71f
SSDEEP

24576:vyevEuLdtQgC0Ff3zllWdAXlCfTLTh9YnaK:6eCopzllYAXibh97

Score

10^/10

healer redline piter dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

piter

77.91.124.73:19071

Attributes

auth_value
7f92ff466423bb35edbfbc22f78b0bb9

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001afe2-153.dat	healer
behavioral1/files/0x000700000001afe2-154.dat	healer
behavioral1/memory/1524-155-0x00000000006B0000-0x00000000006BA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a0238015.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a0238015.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a0238015.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a0238015.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a0238015.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
3864	v3121767.exe
4288	v7419475.exe
3944	v1814810.exe
4604	v2860140.exe
1524	a0238015.exe
924	b3691367.exe
1272	c5192362.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a0238015.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v3121767.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v7419475.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v1814810.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v2860140.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	decdbd27359f9b3f203c4e5aec9fece40b8d0be1a45a8b5208af0c96aa2e4cd3.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1524	a0238015.exe
1524	a0238015.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1524	a0238015.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 5104 wrote to memory of 3864	5104	decdbd27359f9b3f203c4e5aec9fece40b8d0be1a45a8b5208af0c96aa2e4cd3.exe	70
PID 5104 wrote to memory of 3864	5104	decdbd27359f9b3f203c4e5aec9fece40b8d0be1a45a8b5208af0c96aa2e4cd3.exe	70
PID 5104 wrote to memory of 3864	5104	decdbd27359f9b3f203c4e5aec9fece40b8d0be1a45a8b5208af0c96aa2e4cd3.exe	70
PID 3864 wrote to memory of 4288	3864	v3121767.exe	71
PID 3864 wrote to memory of 4288	3864	v3121767.exe	71
PID 3864 wrote to memory of 4288	3864	v3121767.exe	71
PID 4288 wrote to memory of 3944	4288	v7419475.exe	72
PID 4288 wrote to memory of 3944	4288	v7419475.exe	72
PID 4288 wrote to memory of 3944	4288	v7419475.exe	72
PID 3944 wrote to memory of 4604	3944	v1814810.exe	73
PID 3944 wrote to memory of 4604	3944	v1814810.exe	73
PID 3944 wrote to memory of 4604	3944	v1814810.exe	73
PID 4604 wrote to memory of 1524	4604	v2860140.exe	74
PID 4604 wrote to memory of 1524	4604	v2860140.exe	74
PID 4604 wrote to memory of 924	4604	v2860140.exe	75
PID 4604 wrote to memory of 924	4604	v2860140.exe	75
PID 4604 wrote to memory of 924	4604	v2860140.exe	75
PID 3944 wrote to memory of 1272	3944	v1814810.exe	76
PID 3944 wrote to memory of 1272	3944	v1814810.exe	76
PID 3944 wrote to memory of 1272	3944	v1814810.exe	76

C:\Users\Admin\AppData\Local\Temp\decdbd27359f9b3f203c4e5aec9fece40b8d0be1a45a8b5208af0c96aa2e4cd3.exe
"C:\Users\Admin\AppData\Local\Temp\decdbd27359f9b3f203c4e5aec9fece40b8d0be1a45a8b5208af0c96aa2e4cd3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3121767.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3121767.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3864
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7419475.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7419475.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4288
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1814810.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1814810.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3944
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2860140.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2860140.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4604
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0238015.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0238015.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3691367.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3691367.exe
        6⤵
        Executes dropped EXE
        
        PID:924
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5192362.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5192362.exe
        5⤵
        Executes dropped EXE
        
        PID:1272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3121767.exe

Filesize
723KB

MD5
b27a819569ccd013dc7b146cb5c03e40

SHA1
845f9694e9a7314e05ce7038f96c52c0b7938aaf

SHA256
d91dd3dc70be460833a22dc540d4d7afe50974117540e13c1f0861179a1e8922

SHA512
ee55a90c3852db9c576d50331d7b67bc7ec1b0f77bfe9e3f199e13b7932a53efc9a8793ca79db36786fc5c0f72050a5ac130dfbd5deb414bbc1bc37019a480dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3121767.exe

Filesize
723KB

MD5
b27a819569ccd013dc7b146cb5c03e40

SHA1
845f9694e9a7314e05ce7038f96c52c0b7938aaf

SHA256
d91dd3dc70be460833a22dc540d4d7afe50974117540e13c1f0861179a1e8922

SHA512
ee55a90c3852db9c576d50331d7b67bc7ec1b0f77bfe9e3f199e13b7932a53efc9a8793ca79db36786fc5c0f72050a5ac130dfbd5deb414bbc1bc37019a480dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7419475.exe

Filesize
497KB

MD5
bf06c26eb6d92d93a7f35a886253f518

SHA1
e46c5fe3681d56eeac772b07ae5dde2de1961ea0

SHA256
d38627da7440e86519e0b85c67f998f6a345773488238911cb05f79420d4537e

SHA512
b28d807d92c666eb4eb5920a2cefb7d1dd23fdf699c5be289b90523b304957d7a80c40e3aab529573f42f883f0e9d9a794e6c448ca55907b9baab34b27546957

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7419475.exe

Filesize
497KB

MD5
bf06c26eb6d92d93a7f35a886253f518

SHA1
e46c5fe3681d56eeac772b07ae5dde2de1961ea0

SHA256
d38627da7440e86519e0b85c67f998f6a345773488238911cb05f79420d4537e

SHA512
b28d807d92c666eb4eb5920a2cefb7d1dd23fdf699c5be289b90523b304957d7a80c40e3aab529573f42f883f0e9d9a794e6c448ca55907b9baab34b27546957

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1814810.exe

Filesize
373KB

MD5
286054326cdb55d9a74a1dc270c6e0fd

SHA1
a5c52cbb90913927ba0f62fae026de951fe4df3d

SHA256
8b02c738657b1da676787e70f4097052f261c59aa9ada2b8ea3f789d9aad7cf7

SHA512
03f1b8140d3226c70ef4b8a35bf39021df8af5ea964f5dd86d7ecab021e723561746cbba1e77e393fb9a86ac2c15d6036646c97e43ff13520d81a116bf5e20de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1814810.exe

Filesize
373KB

MD5
286054326cdb55d9a74a1dc270c6e0fd

SHA1
a5c52cbb90913927ba0f62fae026de951fe4df3d

SHA256
8b02c738657b1da676787e70f4097052f261c59aa9ada2b8ea3f789d9aad7cf7

SHA512
03f1b8140d3226c70ef4b8a35bf39021df8af5ea964f5dd86d7ecab021e723561746cbba1e77e393fb9a86ac2c15d6036646c97e43ff13520d81a116bf5e20de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5192362.exe

Filesize
174KB

MD5
d88583237494a869e080df9f46c5641f

SHA1
04883b1bbbb7acb2bf9d1747f4405a965a45c482

SHA256
16a00c93b8b8831ec0f63dff24dbed980f6a656d89ca1a2d6837ae5eba8998c9

SHA512
048dc459dcb29f4728832a44e828ff11800e0d54491ec4a698b9e4304aac23f8c7e74a16f02ec4c90a2c1eac3106ab3e6e14ce305e60daa22e5e785dcf52ecad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5192362.exe

Filesize
174KB

MD5
d88583237494a869e080df9f46c5641f

SHA1
04883b1bbbb7acb2bf9d1747f4405a965a45c482

SHA256
16a00c93b8b8831ec0f63dff24dbed980f6a656d89ca1a2d6837ae5eba8998c9

SHA512
048dc459dcb29f4728832a44e828ff11800e0d54491ec4a698b9e4304aac23f8c7e74a16f02ec4c90a2c1eac3106ab3e6e14ce305e60daa22e5e785dcf52ecad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2860140.exe

Filesize
217KB

MD5
bc7ab6f59ca88e93d1e4da9c0ee15cdf

SHA1
4d2ee2055fcc0529e9a19050d25fd7a1d181aab7

SHA256
3f5e42f0de124f38003f3ad69404d944dc5713174d594c9c4392482da2628173

SHA512
e2e316507f0267df2fa38a5f3a439ce0bdc3dfcc98b2aabb3f2ef158af040fab0599cd6cc31ac128bc04b6a735ad61cdd26ff7df72b77b4ebac45ed087b2c14a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2860140.exe

Filesize
217KB

MD5
bc7ab6f59ca88e93d1e4da9c0ee15cdf

SHA1
4d2ee2055fcc0529e9a19050d25fd7a1d181aab7

SHA256
3f5e42f0de124f38003f3ad69404d944dc5713174d594c9c4392482da2628173

SHA512
e2e316507f0267df2fa38a5f3a439ce0bdc3dfcc98b2aabb3f2ef158af040fab0599cd6cc31ac128bc04b6a735ad61cdd26ff7df72b77b4ebac45ed087b2c14a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0238015.exe

Filesize
11KB

MD5
71247cc60cb8b083a9985807bba1c33a

SHA1
988823f9ea54294a9dc3735dacf75882a02ed9e3

SHA256
a050c022bbd324d0f215cd8994eb48e9f791ed69025fb9b11a17b33b005a9846

SHA512
1f0a96893206bf5a779c3bb5e97c93145ee5644815e0b7671f6e7a4e13fa1737ca4c8a88047cdecb319137a52d87bbe801fa52ce61f910e21cd969ef7cc85ce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0238015.exe

Filesize
11KB

MD5
71247cc60cb8b083a9985807bba1c33a

SHA1
988823f9ea54294a9dc3735dacf75882a02ed9e3

SHA256
a050c022bbd324d0f215cd8994eb48e9f791ed69025fb9b11a17b33b005a9846

SHA512
1f0a96893206bf5a779c3bb5e97c93145ee5644815e0b7671f6e7a4e13fa1737ca4c8a88047cdecb319137a52d87bbe801fa52ce61f910e21cd969ef7cc85ce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3691367.exe

Filesize
140KB

MD5
6efd3149e06a1c3fb1fdab7d842e76c4

SHA1
f33c9a72b86aa369b74ff833e66b7d2ae8558fe3

SHA256
f6f4c3de125191f7d47f3e829d945c0f1acf59efb3adf233dd0d39ab229abfa4

SHA512
6af4bf94a585418945eea637151c9562ec3a9d1ede09cc4eaf14acfa87077ade43f2f45f863564735126f796106c97fea68100f5b07f63c0f1ec7503f48edaaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3691367.exe

Filesize
140KB

MD5
6efd3149e06a1c3fb1fdab7d842e76c4

SHA1
f33c9a72b86aa369b74ff833e66b7d2ae8558fe3

SHA256
f6f4c3de125191f7d47f3e829d945c0f1acf59efb3adf233dd0d39ab229abfa4

SHA512
6af4bf94a585418945eea637151c9562ec3a9d1ede09cc4eaf14acfa87077ade43f2f45f863564735126f796106c97fea68100f5b07f63c0f1ec7503f48edaaf

Download Submit
memory/1272-165-0x0000000000CF0000-0x0000000000D20000-memory.dmp

Filesize
192KB

Download
memory/1272-166-0x0000000072DE0000-0x00000000734CE000-memory.dmp

Filesize
6.9MB

Download
memory/1272-167-0x0000000001710000-0x0000000001716000-memory.dmp

Filesize
24KB

Download
memory/1272-168-0x000000000AFF0000-0x000000000B5F6000-memory.dmp

Filesize
6.0MB

Download
memory/1272-169-0x000000000AB00000-0x000000000AC0A000-memory.dmp

Filesize
1.0MB

Download
memory/1272-170-0x000000000AA30000-0x000000000AA42000-memory.dmp

Filesize
72KB

Download
memory/1272-171-0x000000000AA90000-0x000000000AACE000-memory.dmp

Filesize
248KB

Download
memory/1272-172-0x000000000AC10000-0x000000000AC5B000-memory.dmp

Filesize
300KB

Download
memory/1272-173-0x0000000072DE0000-0x00000000734CE000-memory.dmp

Filesize
6.9MB

Download
memory/1524-158-0x00007FFE34320000-0x00007FFE34D0C000-memory.dmp

Filesize
9.9MB

Download
memory/1524-156-0x00007FFE34320000-0x00007FFE34D0C000-memory.dmp

Filesize
9.9MB

Download
memory/1524-155-0x00000000006B0000-0x00000000006BA000-memory.dmp

Filesize
40KB

Download