healer | 22ee4d43a861d1f37e07ff4d4f66448dafcddb76123183abbb36f8df778c7e94

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2023, 15:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

22ee4d43a861d1f37e07ff4d4f66448dafcddb76123183abbb36f8df778c7e94.exe
Size

828KB
MD5

1c2c1c58775db71327a2bd657966d712
SHA1

f666dd4f37e2ec7c551aefe637adafc189745faa
SHA256

22ee4d43a861d1f37e07ff4d4f66448dafcddb76123183abbb36f8df778c7e94
SHA512

693f8a3ebdc4f95e50dc2b1742904c2c2e893fbe474975baad7587263aa08889dfa85157b9c76c67313a59e84108965b1477110aa8c5986a593a35ec3c572e68
SSDEEP

12288:lMruy90ArJUKUsgCrqTNP3vKwQlUZ+ObHjB+IeFrz4HFsHQ0lPt/uzoV:HyjrJUZ1/Tp/EmMtvHQ2t/u0V

Score

10^/10

healer redline rota dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rota

77.91.124.73:19071

Attributes

auth_value
320c7daa59eb9b82e20a15162392a756

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x00070000000231d0-166.dat	healer
behavioral1/files/0x00070000000231d0-167.dat	healer
behavioral1/memory/4108-168-0x0000000000790000-0x000000000079A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a6861338.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a6861338.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a6861338.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a6861338.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a6861338.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a6861338.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
4400	v3645513.exe
2952	v3624780.exe
4864	v2031847.exe
2020	v8564586.exe
4108	a6861338.exe
1148	b0145093.exe
2844	c5959369.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a6861338.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	22ee4d43a861d1f37e07ff4d4f66448dafcddb76123183abbb36f8df778c7e94.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v3645513.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v3624780.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v2031847.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v8564586.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4108	a6861338.exe
4108	a6861338.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4108	a6861338.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1256 wrote to memory of 4400	1256	22ee4d43a861d1f37e07ff4d4f66448dafcddb76123183abbb36f8df778c7e94.exe	82
PID 1256 wrote to memory of 4400	1256	22ee4d43a861d1f37e07ff4d4f66448dafcddb76123183abbb36f8df778c7e94.exe	82
PID 1256 wrote to memory of 4400	1256	22ee4d43a861d1f37e07ff4d4f66448dafcddb76123183abbb36f8df778c7e94.exe	82
PID 4400 wrote to memory of 2952	4400	v3645513.exe	83
PID 4400 wrote to memory of 2952	4400	v3645513.exe	83
PID 4400 wrote to memory of 2952	4400	v3645513.exe	83
PID 2952 wrote to memory of 4864	2952	v3624780.exe	84
PID 2952 wrote to memory of 4864	2952	v3624780.exe	84
PID 2952 wrote to memory of 4864	2952	v3624780.exe	84
PID 4864 wrote to memory of 2020	4864	v2031847.exe	85
PID 4864 wrote to memory of 2020	4864	v2031847.exe	85
PID 4864 wrote to memory of 2020	4864	v2031847.exe	85
PID 2020 wrote to memory of 4108	2020	v8564586.exe	86
PID 2020 wrote to memory of 4108	2020	v8564586.exe	86
PID 2020 wrote to memory of 1148	2020	v8564586.exe	95
PID 2020 wrote to memory of 1148	2020	v8564586.exe	95
PID 2020 wrote to memory of 1148	2020	v8564586.exe	95
PID 4864 wrote to memory of 2844	4864	v2031847.exe	96
PID 4864 wrote to memory of 2844	4864	v2031847.exe	96
PID 4864 wrote to memory of 2844	4864	v2031847.exe	96

C:\Users\Admin\AppData\Local\Temp\22ee4d43a861d1f37e07ff4d4f66448dafcddb76123183abbb36f8df778c7e94.exe
"C:\Users\Admin\AppData\Local\Temp\22ee4d43a861d1f37e07ff4d4f66448dafcddb76123183abbb36f8df778c7e94.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3645513.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3645513.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4400
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3624780.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3624780.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2031847.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2031847.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4864
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8564586.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8564586.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2020
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6861338.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6861338.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4108
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0145093.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0145093.exe
        6⤵
        Executes dropped EXE
        
        PID:1148
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5959369.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5959369.exe
        5⤵
        Executes dropped EXE
        
        PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3645513.exe

Filesize
722KB

MD5
401206c02832d48ef48f74db8b594800

SHA1
efeaded91031108b319f38c586cee338383cd23a

SHA256
4651747b120e62ed13368088f053b34e54c525a82a0eebf1efd8777c2119e1ee

SHA512
ac545d34f2f4974ef5066161b1579a8eac0dfeb50470ac827aeab75827029b36487bb166f6e57db76d0dec9ab3796c1381e370125cec22c60b16aae5f9ded81b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3645513.exe

Filesize
722KB

MD5
401206c02832d48ef48f74db8b594800

SHA1
efeaded91031108b319f38c586cee338383cd23a

SHA256
4651747b120e62ed13368088f053b34e54c525a82a0eebf1efd8777c2119e1ee

SHA512
ac545d34f2f4974ef5066161b1579a8eac0dfeb50470ac827aeab75827029b36487bb166f6e57db76d0dec9ab3796c1381e370125cec22c60b16aae5f9ded81b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3624780.exe

Filesize
497KB

MD5
e8e9b4644b6680666929d19949c3feab

SHA1
37139cad7ba76aa9bfdbde59f27db2a8ce152e87

SHA256
11af4d6fb4cc59dd327bab39879a64bff5cf6ff8202594094de43d5cfe4d6d99

SHA512
e6d9f6e50dcb57a29c5a50bb86b35c43f42b75e01a5309763bdb796b85c96f40b4d54d36f49d3fc07388e1ba48f937ceca5465ef41d394df6d1feca52c49f80e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3624780.exe

Filesize
497KB

MD5
e8e9b4644b6680666929d19949c3feab

SHA1
37139cad7ba76aa9bfdbde59f27db2a8ce152e87

SHA256
11af4d6fb4cc59dd327bab39879a64bff5cf6ff8202594094de43d5cfe4d6d99

SHA512
e6d9f6e50dcb57a29c5a50bb86b35c43f42b75e01a5309763bdb796b85c96f40b4d54d36f49d3fc07388e1ba48f937ceca5465ef41d394df6d1feca52c49f80e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2031847.exe

Filesize
373KB

MD5
a4fa2902829fcdf2a81de04a5f121815

SHA1
623bb5148fed0cdc4d53a2814c4c4acddcbbb7ce

SHA256
1cbbcbf7ea078c1f79f8d7208e3cc7dc92c1780e25c9a7f3256b88f7b31741c2

SHA512
b648ff538daae68249f3c95bf0b411032f98bb6da762998e8c73b801d82b53c5cfe1d0a22761b9ec017fbb719b29e1dffca186d084d929a07c0fe97671b919d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2031847.exe

Filesize
373KB

MD5
a4fa2902829fcdf2a81de04a5f121815

SHA1
623bb5148fed0cdc4d53a2814c4c4acddcbbb7ce

SHA256
1cbbcbf7ea078c1f79f8d7208e3cc7dc92c1780e25c9a7f3256b88f7b31741c2

SHA512
b648ff538daae68249f3c95bf0b411032f98bb6da762998e8c73b801d82b53c5cfe1d0a22761b9ec017fbb719b29e1dffca186d084d929a07c0fe97671b919d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5959369.exe

Filesize
174KB

MD5
4d19af410622eb7ad9157496c058f16c

SHA1
896cb8b091f990f378197ff98fe43d8ec15f4356

SHA256
d503e0e2a87f11f31867e72727a12288fb0c57c01da16e9b7b6977a634bd1bf6

SHA512
bbdfdacc40baffd2d8a7f5293697e1a84e98257e16e7c722b0b5931ff0914f7bc030ab35101cf30b61fd1e4e1e96366e10a959407a1ee520c148937cabb9a814

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5959369.exe

Filesize
174KB

MD5
4d19af410622eb7ad9157496c058f16c

SHA1
896cb8b091f990f378197ff98fe43d8ec15f4356

SHA256
d503e0e2a87f11f31867e72727a12288fb0c57c01da16e9b7b6977a634bd1bf6

SHA512
bbdfdacc40baffd2d8a7f5293697e1a84e98257e16e7c722b0b5931ff0914f7bc030ab35101cf30b61fd1e4e1e96366e10a959407a1ee520c148937cabb9a814

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8564586.exe

Filesize
216KB

MD5
eabd270bf3533d165bb21df9ec1dd5ca

SHA1
918d900dcfdeeb6202f3fdf05662ca7cf0e29bfd

SHA256
e34834e1a4b62155a1ee7171a5a1377c9a4498ed5139146186508cffd15bd3aa

SHA512
6f369ff392cd376572f0931a0deffe4e7a2fa0b57bec39b1d927031b0acdca1c7024dfe1ff24f158605e88070197b298c8569bd6b6724925efa21f7758530ea3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8564586.exe

Filesize
216KB

MD5
eabd270bf3533d165bb21df9ec1dd5ca

SHA1
918d900dcfdeeb6202f3fdf05662ca7cf0e29bfd

SHA256
e34834e1a4b62155a1ee7171a5a1377c9a4498ed5139146186508cffd15bd3aa

SHA512
6f369ff392cd376572f0931a0deffe4e7a2fa0b57bec39b1d927031b0acdca1c7024dfe1ff24f158605e88070197b298c8569bd6b6724925efa21f7758530ea3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6861338.exe

Filesize
11KB

MD5
fc0b19030e767567275c7c84665ad64e

SHA1
c41590731a5ea1ee30016744c4dc940d7641e7a3

SHA256
13eecfc7bba3be75188d5080cbd70b08f2cc204e96d67a463706d9b48ca8a2c5

SHA512
e1e683305e4a2935c7c02c322cdbef55ed56b93859a5ed8dccc1132ee6a6bebd89df46fedd95b575930f1b2b3d3416359f5da3d73fcfdeaf3785a2ae3b415ff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6861338.exe

Filesize
11KB

MD5
fc0b19030e767567275c7c84665ad64e

SHA1
c41590731a5ea1ee30016744c4dc940d7641e7a3

SHA256
13eecfc7bba3be75188d5080cbd70b08f2cc204e96d67a463706d9b48ca8a2c5

SHA512
e1e683305e4a2935c7c02c322cdbef55ed56b93859a5ed8dccc1132ee6a6bebd89df46fedd95b575930f1b2b3d3416359f5da3d73fcfdeaf3785a2ae3b415ff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0145093.exe

Filesize
140KB

MD5
b0103404f632828f421474ec100b304e

SHA1
602f22ec6f79d52372f2c4bf92ca69f98d39d1be

SHA256
1260b389fd62f6a991beffb7360e05f716fcb4bb93d27a03b3c93e4d0f07ff9e

SHA512
a9426292f44f1c61f6d7c3fcab5c8a07ad6fe3995a4c86a2ddcb14bdd25deec8ed5f41801abf6563d1057d54f5f7791af42ffe4024f2c980401e3e47836d0e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0145093.exe

Filesize
140KB

MD5
b0103404f632828f421474ec100b304e

SHA1
602f22ec6f79d52372f2c4bf92ca69f98d39d1be

SHA256
1260b389fd62f6a991beffb7360e05f716fcb4bb93d27a03b3c93e4d0f07ff9e

SHA512
a9426292f44f1c61f6d7c3fcab5c8a07ad6fe3995a4c86a2ddcb14bdd25deec8ed5f41801abf6563d1057d54f5f7791af42ffe4024f2c980401e3e47836d0e0c

Download Submit
memory/2844-179-0x0000000074300000-0x0000000074AB0000-memory.dmp

Filesize
7.7MB

Download
memory/2844-178-0x0000000000C50000-0x0000000000C80000-memory.dmp

Filesize
192KB

Download
memory/2844-180-0x0000000005C10000-0x0000000006228000-memory.dmp

Filesize
6.1MB

Download
memory/2844-181-0x0000000005700000-0x000000000580A000-memory.dmp

Filesize
1.0MB

Download
memory/2844-182-0x00000000055E0000-0x00000000055F0000-memory.dmp

Filesize
64KB

Download
memory/2844-183-0x00000000055F0000-0x0000000005602000-memory.dmp

Filesize
72KB

Download
memory/2844-184-0x0000000005650000-0x000000000568C000-memory.dmp

Filesize
240KB

Download
memory/2844-185-0x0000000074300000-0x0000000074AB0000-memory.dmp

Filesize
7.7MB

Download
memory/2844-186-0x00000000055E0000-0x00000000055F0000-memory.dmp

Filesize
64KB

Download
memory/4108-171-0x00007FFE5D580000-0x00007FFE5E041000-memory.dmp

Filesize
10.8MB

Download
memory/4108-169-0x00007FFE5D580000-0x00007FFE5E041000-memory.dmp

Filesize
10.8MB

Download
memory/4108-168-0x0000000000790000-0x000000000079A000-memory.dmp

Filesize
40KB

Download