healer | ac736f75f5dca62eda1d93322c6bc3c7a084bbd285c958313e41b35f26385eed

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2023, 02:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ac736f75f5dca62eda1d93322c6bc3c7a084bbd285c958313e41b35f26385eed.exe
Size

830KB
MD5

b4592e7798726bb7edcccba913fc8f2e
SHA1

abaa9c7db99b549aa96fc2dd785490381a98e8b3
SHA256

ac736f75f5dca62eda1d93322c6bc3c7a084bbd285c958313e41b35f26385eed
SHA512

123a8c264e8aa0fb8d46023e6cc9d823a18279ac755be597dcbecd4b613a0a9a402f8508b489c84e4d7ddd1e95d9c17414e8b1eb0ef10388cadf2533ac3d323a
SSDEEP

12288:wMr4y90Ofope9tKFYvqB47mYh7DOwtuPRXnaWO5zdMeBUvY3RneTGuKe/A5rg7Hy:Yyd0eW0qB47mY8wkRXaWNvY3ReShiS

Score

10^/10

healer redline rwan dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rwan

77.91.124.73:19071

Attributes

auth_value
7c40eda5da4f888d6f61befbf947d9fe

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x00070000000230c3-33.dat	healer
behavioral1/files/0x00070000000230c3-34.dat	healer
behavioral1/memory/984-35-0x0000000000A80000-0x0000000000A8A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a7686732.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a7686732.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a7686732.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a7686732.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a7686732.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a7686732.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
4772	v6699632.exe
4884	v7539598.exe
760	v9039502.exe
2248	v7807990.exe
984	a7686732.exe
2152	b7276095.exe
3640	c3492405.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a7686732.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v7539598.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v9039502.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v7807990.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ac736f75f5dca62eda1d93322c6bc3c7a084bbd285c958313e41b35f26385eed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v6699632.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
984	a7686732.exe
984	a7686732.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	984	a7686732.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3732 wrote to memory of 4772	3732	ac736f75f5dca62eda1d93322c6bc3c7a084bbd285c958313e41b35f26385eed.exe	82
PID 3732 wrote to memory of 4772	3732	ac736f75f5dca62eda1d93322c6bc3c7a084bbd285c958313e41b35f26385eed.exe	82
PID 3732 wrote to memory of 4772	3732	ac736f75f5dca62eda1d93322c6bc3c7a084bbd285c958313e41b35f26385eed.exe	82
PID 4772 wrote to memory of 4884	4772	v6699632.exe	83
PID 4772 wrote to memory of 4884	4772	v6699632.exe	83
PID 4772 wrote to memory of 4884	4772	v6699632.exe	83
PID 4884 wrote to memory of 760	4884	v7539598.exe	84
PID 4884 wrote to memory of 760	4884	v7539598.exe	84
PID 4884 wrote to memory of 760	4884	v7539598.exe	84
PID 760 wrote to memory of 2248	760	v9039502.exe	85
PID 760 wrote to memory of 2248	760	v9039502.exe	85
PID 760 wrote to memory of 2248	760	v9039502.exe	85
PID 2248 wrote to memory of 984	2248	v7807990.exe	86
PID 2248 wrote to memory of 984	2248	v7807990.exe	86
PID 2248 wrote to memory of 2152	2248	v7807990.exe	93
PID 2248 wrote to memory of 2152	2248	v7807990.exe	93
PID 2248 wrote to memory of 2152	2248	v7807990.exe	93
PID 760 wrote to memory of 3640	760	v9039502.exe	94
PID 760 wrote to memory of 3640	760	v9039502.exe	94
PID 760 wrote to memory of 3640	760	v9039502.exe	94

C:\Users\Admin\AppData\Local\Temp\ac736f75f5dca62eda1d93322c6bc3c7a084bbd285c958313e41b35f26385eed.exe
"C:\Users\Admin\AppData\Local\Temp\ac736f75f5dca62eda1d93322c6bc3c7a084bbd285c958313e41b35f26385eed.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3732
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6699632.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6699632.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4772
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7539598.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7539598.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4884
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9039502.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9039502.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:760
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7807990.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7807990.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2248
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7686732.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7686732.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:984
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7276095.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7276095.exe
        6⤵
        Executes dropped EXE
        
        PID:2152
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3492405.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3492405.exe
        5⤵
        Executes dropped EXE
        
        PID:3640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6699632.exe

Filesize
724KB

MD5
51b8e8092f75d865049d4c240aaed8f4

SHA1
3e01d98130e3cb35e0fd3d4f24fdcf8ed3dd3dcb

SHA256
6b6ad5fa6c9b8464f42f25acdaa8860558e861a53ba94e7ed50ac5e60accbe62

SHA512
bc4ebd613c5fdaa3d7272d3728be81e395fa33feb31d34b8e65ac5959894bcab9cca844d5f1006653a3de46f5e110440fe68e02c62a71abbd990e714607a3053

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6699632.exe

Filesize
724KB

MD5
51b8e8092f75d865049d4c240aaed8f4

SHA1
3e01d98130e3cb35e0fd3d4f24fdcf8ed3dd3dcb

SHA256
6b6ad5fa6c9b8464f42f25acdaa8860558e861a53ba94e7ed50ac5e60accbe62

SHA512
bc4ebd613c5fdaa3d7272d3728be81e395fa33feb31d34b8e65ac5959894bcab9cca844d5f1006653a3de46f5e110440fe68e02c62a71abbd990e714607a3053

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7539598.exe

Filesize
498KB

MD5
f479e79d656ffd7e82ecef8f2ab2bc7b

SHA1
709a9a4be2712cff0c63a2de8714ba5b1aadfb59

SHA256
02b6229bbe913c0d0eca3a9f14fe08c0f5f0d56cf43562078bc63d2b26fd8015

SHA512
3a4567c0509c907bf7f2d192f609ef0636552679fb0916ec4cdcea918721f5bfdc0ffb9b8c3814bda2898e331ec1a93ce153ae9d541bb6b37e39ba4416f074fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7539598.exe

Filesize
498KB

MD5
f479e79d656ffd7e82ecef8f2ab2bc7b

SHA1
709a9a4be2712cff0c63a2de8714ba5b1aadfb59

SHA256
02b6229bbe913c0d0eca3a9f14fe08c0f5f0d56cf43562078bc63d2b26fd8015

SHA512
3a4567c0509c907bf7f2d192f609ef0636552679fb0916ec4cdcea918721f5bfdc0ffb9b8c3814bda2898e331ec1a93ce153ae9d541bb6b37e39ba4416f074fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9039502.exe

Filesize
373KB

MD5
c38a8d00550047bfd7b4a7e7dba524c0

SHA1
ea5a298314c8a66d62b4eb387385d5b34195240e

SHA256
3d376efa14d3f9a76e64b4446dfe8e1c4cfa0bb3e4a3c085631d856d7fa958ef

SHA512
d4ff499770e7dbc8be4d365e5161ec96bcb630e31fa344991ba85d4c462cc2a4f982429cc7db61760bbf8150dbcc6059b26badc1d68a793718ff9a677f34695c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9039502.exe

Filesize
373KB

MD5
c38a8d00550047bfd7b4a7e7dba524c0

SHA1
ea5a298314c8a66d62b4eb387385d5b34195240e

SHA256
3d376efa14d3f9a76e64b4446dfe8e1c4cfa0bb3e4a3c085631d856d7fa958ef

SHA512
d4ff499770e7dbc8be4d365e5161ec96bcb630e31fa344991ba85d4c462cc2a4f982429cc7db61760bbf8150dbcc6059b26badc1d68a793718ff9a677f34695c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3492405.exe

Filesize
174KB

MD5
45dea97aa8c65d6758b087a62802331d

SHA1
44e8d98fc91490d3f61f569f633cdee5015a77d4

SHA256
d9a6c419efff0723137caa0a2b415d7a3ffa5666a4c07f27bfba1dcdd80bd18f

SHA512
67a88f96bc38429f794ce35be671277ede94a26e8502bb52e0679ee962a711c664885508978d4b705bf4dc8363e75e4517fda08eab2e9be9e01ef7b51acc8926

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3492405.exe

Filesize
174KB

MD5
45dea97aa8c65d6758b087a62802331d

SHA1
44e8d98fc91490d3f61f569f633cdee5015a77d4

SHA256
d9a6c419efff0723137caa0a2b415d7a3ffa5666a4c07f27bfba1dcdd80bd18f

SHA512
67a88f96bc38429f794ce35be671277ede94a26e8502bb52e0679ee962a711c664885508978d4b705bf4dc8363e75e4517fda08eab2e9be9e01ef7b51acc8926

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7807990.exe

Filesize
217KB

MD5
7f96deb636d8000e8025983d8be87e09

SHA1
321dfce707443a6efc00354a58a02c4e06a2ec48

SHA256
b4684465360af9f16e3927531539f00b44bb20fa484e5a41db4f2dad13f07f85

SHA512
4678de04c5a8629020eb1630fe2c473f06f9b03035bd5fb412e2f0f46acdc8c8f054b0e97e525f33814e70905af5ee92c8cbc2118e4039efbbf4cc100d3a8bf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7807990.exe

Filesize
217KB

MD5
7f96deb636d8000e8025983d8be87e09

SHA1
321dfce707443a6efc00354a58a02c4e06a2ec48

SHA256
b4684465360af9f16e3927531539f00b44bb20fa484e5a41db4f2dad13f07f85

SHA512
4678de04c5a8629020eb1630fe2c473f06f9b03035bd5fb412e2f0f46acdc8c8f054b0e97e525f33814e70905af5ee92c8cbc2118e4039efbbf4cc100d3a8bf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7686732.exe

Filesize
13KB

MD5
054be8b5e51cbd254ea2a16714177ece

SHA1
f53bcdc8e8600fac62d8abfd8eadc1f71e421581

SHA256
9bc8e309146b90dab958f6c9c3473d0dbdbbe774dac69b69689870de97cabe90

SHA512
159bb91c7258307b46a2aebf1b6bd69e37c883427b3e57f74164f02952a9338a3ba9e13ee4063d5f0cb070ace88b87572f58f851d6ce69d9f1d2baa4ad3490ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7686732.exe

Filesize
13KB

MD5
054be8b5e51cbd254ea2a16714177ece

SHA1
f53bcdc8e8600fac62d8abfd8eadc1f71e421581

SHA256
9bc8e309146b90dab958f6c9c3473d0dbdbbe774dac69b69689870de97cabe90

SHA512
159bb91c7258307b46a2aebf1b6bd69e37c883427b3e57f74164f02952a9338a3ba9e13ee4063d5f0cb070ace88b87572f58f851d6ce69d9f1d2baa4ad3490ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7276095.exe

Filesize
140KB

MD5
338d2a57a3309faa820abeedf6a0a2d6

SHA1
26e620215646e7c69821378cd99a8ad6af4ea555

SHA256
36744010ac4d166771ac0e699adf29864a67033e3a6319254f6e00616055ac99

SHA512
0309098d2b8fc67c806fc2de0b96b352375f3c9b6c55171bf579ed57fc2fa9b5080de0bfc098df1da4af8424a1ffc9813aa838069f01198fae58d203ddeced52

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7276095.exe

Filesize
140KB

MD5
338d2a57a3309faa820abeedf6a0a2d6

SHA1
26e620215646e7c69821378cd99a8ad6af4ea555

SHA256
36744010ac4d166771ac0e699adf29864a67033e3a6319254f6e00616055ac99

SHA512
0309098d2b8fc67c806fc2de0b96b352375f3c9b6c55171bf579ed57fc2fa9b5080de0bfc098df1da4af8424a1ffc9813aa838069f01198fae58d203ddeced52

Download Submit
memory/984-38-0x00007FFAD6620000-0x00007FFAD70E1000-memory.dmp

Filesize
10.8MB

Download
memory/984-36-0x00007FFAD6620000-0x00007FFAD70E1000-memory.dmp

Filesize
10.8MB

Download
memory/984-35-0x0000000000A80000-0x0000000000A8A000-memory.dmp

Filesize
40KB

Download
memory/3640-45-0x0000000073E00000-0x00000000745B0000-memory.dmp

Filesize
7.7MB

Download
memory/3640-46-0x0000000000500000-0x0000000000530000-memory.dmp

Filesize
192KB

Download
memory/3640-47-0x000000000A8C0000-0x000000000AED8000-memory.dmp

Filesize
6.1MB

Download
memory/3640-48-0x000000000A3B0000-0x000000000A4BA000-memory.dmp

Filesize
1.0MB

Download
memory/3640-49-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/3640-50-0x000000000A2C0000-0x000000000A2D2000-memory.dmp

Filesize
72KB

Download
memory/3640-51-0x000000000A320000-0x000000000A35C000-memory.dmp

Filesize
240KB

Download
memory/3640-52-0x0000000073E00000-0x00000000745B0000-memory.dmp

Filesize
7.7MB

Download
memory/3640-53-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download