healer | ecc781b8c4de0ee8d905fdec482b5d22b3b94c877e48e5a7b93840e2cc6bcc50

Analysis

max time kernel
145s
max time network
157s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
24/08/2023, 03:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ecc781b8c4de0ee8d905fdec482b5d22b3b94c877e48e5a7b93840e2cc6bcc50.exe
Size

829KB
MD5

fa82966976f600c0d75d80aaa549a081
SHA1

769a7acc26f3bb84de5e30b052e51148e4ef1756
SHA256

ecc781b8c4de0ee8d905fdec482b5d22b3b94c877e48e5a7b93840e2cc6bcc50
SHA512

472408a9d09cc9a951deafba1af599677182c47a6f2259b8ff7447e0663bfed50048edd2947aa852c95a0a34c86a5bb7dd919c61f4d7d70b5ebc8ec07f7b453c
SSDEEP

12288:qMrXy90lRJuG/BfpE+/rbLetlEVtLXXIZ0oBvolY4fuF5li5qiT4VzhiR9/aO3wz:Jy8RJDBxJ6CVtTIDAxU5lMT4xERta5z

Score

10^/10

healer redline rwan dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rwan

77.91.124.73:19071

Attributes

auth_value
7c40eda5da4f888d6f61befbf947d9fe

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001afe3-33.dat	healer
behavioral1/files/0x000700000001afe3-34.dat	healer
behavioral1/memory/4284-35-0x0000000000180000-0x000000000018A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a3859876.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a3859876.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a3859876.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a3859876.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a3859876.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
2116	v6610080.exe
936	v6992797.exe
4272	v0338542.exe
4428	v1339255.exe
4284	a3859876.exe
2436	b6503877.exe
1404	c8833647.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a3859876.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ecc781b8c4de0ee8d905fdec482b5d22b3b94c877e48e5a7b93840e2cc6bcc50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v6610080.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v6992797.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v0338542.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v1339255.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4284	a3859876.exe
4284	a3859876.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4284	a3859876.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4596 wrote to memory of 2116	4596	ecc781b8c4de0ee8d905fdec482b5d22b3b94c877e48e5a7b93840e2cc6bcc50.exe	69
PID 4596 wrote to memory of 2116	4596	ecc781b8c4de0ee8d905fdec482b5d22b3b94c877e48e5a7b93840e2cc6bcc50.exe	69
PID 4596 wrote to memory of 2116	4596	ecc781b8c4de0ee8d905fdec482b5d22b3b94c877e48e5a7b93840e2cc6bcc50.exe	69
PID 2116 wrote to memory of 936	2116	v6610080.exe	70
PID 2116 wrote to memory of 936	2116	v6610080.exe	70
PID 2116 wrote to memory of 936	2116	v6610080.exe	70
PID 936 wrote to memory of 4272	936	v6992797.exe	71
PID 936 wrote to memory of 4272	936	v6992797.exe	71
PID 936 wrote to memory of 4272	936	v6992797.exe	71
PID 4272 wrote to memory of 4428	4272	v0338542.exe	72
PID 4272 wrote to memory of 4428	4272	v0338542.exe	72
PID 4272 wrote to memory of 4428	4272	v0338542.exe	72
PID 4428 wrote to memory of 4284	4428	v1339255.exe	73
PID 4428 wrote to memory of 4284	4428	v1339255.exe	73
PID 4428 wrote to memory of 2436	4428	v1339255.exe	74
PID 4428 wrote to memory of 2436	4428	v1339255.exe	74
PID 4428 wrote to memory of 2436	4428	v1339255.exe	74
PID 4272 wrote to memory of 1404	4272	v0338542.exe	75
PID 4272 wrote to memory of 1404	4272	v0338542.exe	75
PID 4272 wrote to memory of 1404	4272	v0338542.exe	75

C:\Users\Admin\AppData\Local\Temp\ecc781b8c4de0ee8d905fdec482b5d22b3b94c877e48e5a7b93840e2cc6bcc50.exe
"C:\Users\Admin\AppData\Local\Temp\ecc781b8c4de0ee8d905fdec482b5d22b3b94c877e48e5a7b93840e2cc6bcc50.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6610080.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6610080.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6992797.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6992797.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:936
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0338542.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0338542.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4272
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1339255.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1339255.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4428
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3859876.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3859876.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4284
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6503877.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6503877.exe
        6⤵
        Executes dropped EXE
        
        PID:2436
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c8833647.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c8833647.exe
        5⤵
        Executes dropped EXE
        
        PID:1404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6610080.exe

Filesize
723KB

MD5
b01c56e7daf9a6123adfeb6e815ac447

SHA1
af070e8ed33a6c20f5da74bf5447063521b1fd02

SHA256
68b7d46592c14eaf67bb3f615c95c6cf8863ba1d3a9559abd68a96abe111466a

SHA512
8704d180a3ee9f7d44e4be7e91bdf45e4df6c6b21f4ceea468a58ba4aa72c77ff18332a77f8a18e5f906198d97851cb8d9d0b0fc82d8e3f9209543d5221119d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6610080.exe

Filesize
723KB

MD5
b01c56e7daf9a6123adfeb6e815ac447

SHA1
af070e8ed33a6c20f5da74bf5447063521b1fd02

SHA256
68b7d46592c14eaf67bb3f615c95c6cf8863ba1d3a9559abd68a96abe111466a

SHA512
8704d180a3ee9f7d44e4be7e91bdf45e4df6c6b21f4ceea468a58ba4aa72c77ff18332a77f8a18e5f906198d97851cb8d9d0b0fc82d8e3f9209543d5221119d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6992797.exe

Filesize
497KB

MD5
2cb77b068213dd7ceb3d72d3e0fc0bba

SHA1
393e655fec671a71555c7dd771b2497e3c4e5792

SHA256
f007f2436cc1206f32a02c859e40bf2db8ee324959c984ea7eaea1a1826cca85

SHA512
5a75e5f02e1161b40174fa9c4fca519962f013112712a6d711e7a13da11fad1cb7e1e6bef02b3bed3a02725e75c2e2eaa6c26da5066335b6f3638193afa3400d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6992797.exe

Filesize
497KB

MD5
2cb77b068213dd7ceb3d72d3e0fc0bba

SHA1
393e655fec671a71555c7dd771b2497e3c4e5792

SHA256
f007f2436cc1206f32a02c859e40bf2db8ee324959c984ea7eaea1a1826cca85

SHA512
5a75e5f02e1161b40174fa9c4fca519962f013112712a6d711e7a13da11fad1cb7e1e6bef02b3bed3a02725e75c2e2eaa6c26da5066335b6f3638193afa3400d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0338542.exe

Filesize
372KB

MD5
07fd094fa7b9688f240cb24f454a1393

SHA1
e3860515925fb28b901f9391a87bbae6fbdadf5f

SHA256
b0460bbafe323474312494667d228a45761bfd40c45711a848f82af9ccca09cd

SHA512
a411779e6a498e008f3d0c76e44357f5340e7739ad3293e1bb3295cae40fa226b206178ddfb601c2ba6947c19f5af4ba122280c5570974c64b1def0d5959cee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0338542.exe

Filesize
372KB

MD5
07fd094fa7b9688f240cb24f454a1393

SHA1
e3860515925fb28b901f9391a87bbae6fbdadf5f

SHA256
b0460bbafe323474312494667d228a45761bfd40c45711a848f82af9ccca09cd

SHA512
a411779e6a498e008f3d0c76e44357f5340e7739ad3293e1bb3295cae40fa226b206178ddfb601c2ba6947c19f5af4ba122280c5570974c64b1def0d5959cee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c8833647.exe

Filesize
174KB

MD5
fff17dde660566cb8c91d06bed9409ff

SHA1
1231ec95cf8fd0f50aa207788fc18cdc2a7316cc

SHA256
0ef3a608fb658959d7ba12a3651d0c56baf544c6942080355fa07094f20e7e36

SHA512
2c9754a467588fa42d5d10bb8175fa05a16775ccd38a31040622aceecaa8d9d834260444474f95871adbcc8564fa99cf3f01c9d008888d7f6840442dbf41b25f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c8833647.exe

Filesize
174KB

MD5
fff17dde660566cb8c91d06bed9409ff

SHA1
1231ec95cf8fd0f50aa207788fc18cdc2a7316cc

SHA256
0ef3a608fb658959d7ba12a3651d0c56baf544c6942080355fa07094f20e7e36

SHA512
2c9754a467588fa42d5d10bb8175fa05a16775ccd38a31040622aceecaa8d9d834260444474f95871adbcc8564fa99cf3f01c9d008888d7f6840442dbf41b25f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1339255.exe

Filesize
217KB

MD5
9733ee2c5acf1ae5e4781e229856c22a

SHA1
b3a98906f60ef999437bdaf567014899fedb6cae

SHA256
5765e30d3bc54d8ac1771d3870d5db3fb822ac34835288ceb2fc65523b7b6223

SHA512
5d2d46ce3cc7aaf8e95c1513269beacf5c5d87b837cbf98565c8899d169530404af2eb02432c3661b9052c8e5d4c28ee5636ba263e765657f611cf7c8ff2f6e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1339255.exe

Filesize
217KB

MD5
9733ee2c5acf1ae5e4781e229856c22a

SHA1
b3a98906f60ef999437bdaf567014899fedb6cae

SHA256
5765e30d3bc54d8ac1771d3870d5db3fb822ac34835288ceb2fc65523b7b6223

SHA512
5d2d46ce3cc7aaf8e95c1513269beacf5c5d87b837cbf98565c8899d169530404af2eb02432c3661b9052c8e5d4c28ee5636ba263e765657f611cf7c8ff2f6e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3859876.exe

Filesize
13KB

MD5
d905bd599ee4de7c8ea88c112d93f965

SHA1
7305dca89d8ed403a9eceb83041114f669e67abf

SHA256
29addb5d38931432a48ce1588ef11094e8c7dcc4e64b662d5120319e14d87290

SHA512
c6fb15c5cb6bbe52eacc4707eec34530df7e92ba0ba00c1b9383e692172184de22b5b78f616869b83dfc000ec748b3d7ae39f9ccb22bc8bb26ea78c0c5d689cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3859876.exe

Filesize
13KB

MD5
d905bd599ee4de7c8ea88c112d93f965

SHA1
7305dca89d8ed403a9eceb83041114f669e67abf

SHA256
29addb5d38931432a48ce1588ef11094e8c7dcc4e64b662d5120319e14d87290

SHA512
c6fb15c5cb6bbe52eacc4707eec34530df7e92ba0ba00c1b9383e692172184de22b5b78f616869b83dfc000ec748b3d7ae39f9ccb22bc8bb26ea78c0c5d689cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6503877.exe

Filesize
140KB

MD5
6f81bf99bdb3673385bca0021a807d81

SHA1
1ad4b331c4c9de6ab7fb80ec13dd07f0cafeee90

SHA256
828f0798beca093f9533081628e16954abbba4f5faab5fbb0b338294eae19770

SHA512
6dc73b7e8e5b6ac94cfa1f1e2e2aab05fe50e430a2366dfda319b455eb8b7909e65bef5bc975a7d2dec70c5de1445c75b4d3537c9363eeeb1d91e20183e289a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6503877.exe

Filesize
140KB

MD5
6f81bf99bdb3673385bca0021a807d81

SHA1
1ad4b331c4c9de6ab7fb80ec13dd07f0cafeee90

SHA256
828f0798beca093f9533081628e16954abbba4f5faab5fbb0b338294eae19770

SHA512
6dc73b7e8e5b6ac94cfa1f1e2e2aab05fe50e430a2366dfda319b455eb8b7909e65bef5bc975a7d2dec70c5de1445c75b4d3537c9363eeeb1d91e20183e289a0

Download Submit
memory/1404-45-0x0000000000420000-0x0000000000450000-memory.dmp

Filesize
192KB

Download
memory/1404-46-0x0000000073790000-0x0000000073E7E000-memory.dmp

Filesize
6.9MB

Download
memory/1404-47-0x0000000000D30000-0x0000000000D36000-memory.dmp

Filesize
24KB

Download
memory/1404-48-0x000000000A720000-0x000000000AD26000-memory.dmp

Filesize
6.0MB

Download
memory/1404-49-0x000000000A230000-0x000000000A33A000-memory.dmp

Filesize
1.0MB

Download
memory/1404-50-0x000000000A160000-0x000000000A172000-memory.dmp

Filesize
72KB

Download
memory/1404-51-0x000000000A1C0000-0x000000000A1FE000-memory.dmp

Filesize
248KB

Download
memory/1404-52-0x000000000A340000-0x000000000A38B000-memory.dmp

Filesize
300KB

Download
memory/1404-53-0x0000000073790000-0x0000000073E7E000-memory.dmp

Filesize
6.9MB

Download
memory/4284-38-0x00007FF83ABE0000-0x00007FF83B5CC000-memory.dmp

Filesize
9.9MB

Download
memory/4284-36-0x00007FF83ABE0000-0x00007FF83B5CC000-memory.dmp

Filesize
9.9MB

Download
memory/4284-35-0x0000000000180000-0x000000000018A000-memory.dmp

Filesize
40KB

Download