healer | 7f17bcf36912f93161771f2ef5ccb5450890f2732e972ac7a3086fdc13538742

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2023, 17:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

817KB
MD5

60395b7aeabc1c51da5e995a18095f27
SHA1

d7e1f3681becffdd4a8262d112459fc0c8e82d33
SHA256

7f17bcf36912f93161771f2ef5ccb5450890f2732e972ac7a3086fdc13538742
SHA512

0f062d69040f0d229305e397e8ef95bbf77316f9a53aeafaf72268c155e91ab5aa20b1d862cc6c58a3342de7748f03abd86bc707b7b5c07aaa8885825d95c65a
SSDEEP

24576:gyn0dvL90SHl5ZqzG23fJTmmJTtfST3tY:navvHhWhmd

Score

10^/10

healer redline rwan dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rwan

77.91.124.73:19071

Attributes

auth_value
7c40eda5da4f888d6f61befbf947d9fe

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023215-33.dat	healer
behavioral2/files/0x0008000000023215-34.dat	healer
behavioral2/memory/224-35-0x0000000000820000-0x000000000082A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a7084077.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a7084077.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a7084077.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a7084077.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a7084077.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a7084077.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
4404	v2908346.exe
3772	v9079479.exe
3244	v1954258.exe
1708	v5899896.exe
224	a7084077.exe
1160	b3443784.exe
312	c3511737.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a7084077.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v1954258.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v5899896.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v2908346.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v9079479.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
224	a7084077.exe
224	a7084077.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	224	a7084077.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 4404	1712	file.exe	80
PID 1712 wrote to memory of 4404	1712	file.exe	80
PID 1712 wrote to memory of 4404	1712	file.exe	80
PID 4404 wrote to memory of 3772	4404	v2908346.exe	81
PID 4404 wrote to memory of 3772	4404	v2908346.exe	81
PID 4404 wrote to memory of 3772	4404	v2908346.exe	81
PID 3772 wrote to memory of 3244	3772	v9079479.exe	82
PID 3772 wrote to memory of 3244	3772	v9079479.exe	82
PID 3772 wrote to memory of 3244	3772	v9079479.exe	82
PID 3244 wrote to memory of 1708	3244	v1954258.exe	83
PID 3244 wrote to memory of 1708	3244	v1954258.exe	83
PID 3244 wrote to memory of 1708	3244	v1954258.exe	83
PID 1708 wrote to memory of 224	1708	v5899896.exe	84
PID 1708 wrote to memory of 224	1708	v5899896.exe	84
PID 1708 wrote to memory of 1160	1708	v5899896.exe	90
PID 1708 wrote to memory of 1160	1708	v5899896.exe	90
PID 1708 wrote to memory of 1160	1708	v5899896.exe	90
PID 3244 wrote to memory of 312	3244	v1954258.exe	91
PID 3244 wrote to memory of 312	3244	v1954258.exe	91
PID 3244 wrote to memory of 312	3244	v1954258.exe	91

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2908346.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2908346.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4404
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9079479.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9079479.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3772
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1954258.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1954258.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3244
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5899896.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5899896.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1708
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7084077.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7084077.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:224
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3443784.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3443784.exe
        6⤵
        Executes dropped EXE
        
        PID:1160
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3511737.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3511737.exe
        5⤵
        Executes dropped EXE
        
        PID:312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2908346.exe

Filesize
723KB

MD5
a9cab043d81eed1ad9636a521e0f1acd

SHA1
cb69f269a5ac003201b6dbd91a3fcbd2192e72f0

SHA256
70ac8a98b8a0c4e82f66f9ff65330e238aac0109c6cd245f06ad0b3a0e0b9a34

SHA512
20af9e138e2693aac3b60152291d0c5c67b6fa070ee91f5059ae0bb4660abde77c09a672b10754f6b1bf5c17ef9fda7b8d9eb5448f7974aeaea2a0e5d04bce19

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2908346.exe

Filesize
723KB

MD5
a9cab043d81eed1ad9636a521e0f1acd

SHA1
cb69f269a5ac003201b6dbd91a3fcbd2192e72f0

SHA256
70ac8a98b8a0c4e82f66f9ff65330e238aac0109c6cd245f06ad0b3a0e0b9a34

SHA512
20af9e138e2693aac3b60152291d0c5c67b6fa070ee91f5059ae0bb4660abde77c09a672b10754f6b1bf5c17ef9fda7b8d9eb5448f7974aeaea2a0e5d04bce19

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9079479.exe

Filesize
496KB

MD5
dad2e1b6bd7aadc8291bbb84217021d0

SHA1
7efc0cc9b5c30c22d263632dedc479d2d9b5aea0

SHA256
7c63fe704de3ef87b7ad4b467a0355392d9857c65f5b4e8d3e9cae0c1c12613a

SHA512
f661c94205b51603d441e1505db788262c272c473391e7f75797a53883a20d04d5208e4b7bf7787a4e38f2032506ec41e981f8f49fbff9fa87098c1e679bd354

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9079479.exe

Filesize
496KB

MD5
dad2e1b6bd7aadc8291bbb84217021d0

SHA1
7efc0cc9b5c30c22d263632dedc479d2d9b5aea0

SHA256
7c63fe704de3ef87b7ad4b467a0355392d9857c65f5b4e8d3e9cae0c1c12613a

SHA512
f661c94205b51603d441e1505db788262c272c473391e7f75797a53883a20d04d5208e4b7bf7787a4e38f2032506ec41e981f8f49fbff9fa87098c1e679bd354

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1954258.exe

Filesize
372KB

MD5
0ce59f653450e0407ef3c8990539ba1d

SHA1
d7d4407b5507042daa082c2e607009fe5f029320

SHA256
de403150d65fd12234a4e08ff34828ea0a74679459e33bf8be0f0e01cca0035b

SHA512
3140c9ead6196bc834f069f43375fa1962718629a161d544d7d1dc22bfca7f55e8d0e1af5cc8657dafc1805c61b088bafd2c7df2a192c2cd17bd3d126d727c90

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1954258.exe

Filesize
372KB

MD5
0ce59f653450e0407ef3c8990539ba1d

SHA1
d7d4407b5507042daa082c2e607009fe5f029320

SHA256
de403150d65fd12234a4e08ff34828ea0a74679459e33bf8be0f0e01cca0035b

SHA512
3140c9ead6196bc834f069f43375fa1962718629a161d544d7d1dc22bfca7f55e8d0e1af5cc8657dafc1805c61b088bafd2c7df2a192c2cd17bd3d126d727c90

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3511737.exe

Filesize
174KB

MD5
ba6fe4b9eff89123e880a95148fb240f

SHA1
6c3a0897b279c87093d92c3f1731317de787ae20

SHA256
c02fc64447a318819276baf6138d4d363b8565039bf1fd3dd994e4e4241d00ee

SHA512
770c1439e8349ec93f40ea4786b3d509c5f035ae174f48220fa0db502543ab600593bdd85f10fe14fde22b43b9a3692255cd1e7dc7c26affcd40a8f1ac1619ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3511737.exe

Filesize
174KB

MD5
ba6fe4b9eff89123e880a95148fb240f

SHA1
6c3a0897b279c87093d92c3f1731317de787ae20

SHA256
c02fc64447a318819276baf6138d4d363b8565039bf1fd3dd994e4e4241d00ee

SHA512
770c1439e8349ec93f40ea4786b3d509c5f035ae174f48220fa0db502543ab600593bdd85f10fe14fde22b43b9a3692255cd1e7dc7c26affcd40a8f1ac1619ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5899896.exe

Filesize
217KB

MD5
b4f7b4a050fca6ce5eb9c7ca731444c9

SHA1
64e0efba5392b23a382b9fc6e763e0515ac8baae

SHA256
e0481730bbb23f5a89bc22c21c46622a5c11a4f019480bd412034d3c04704041

SHA512
ca46de75828323068c0117fd4a9dce773edd50096065a8319bd4043bd061a12f01d696157155105cbffe9281111b0ad2f5d10ec3dc6a4e055ba201a2fed8d261

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5899896.exe

Filesize
217KB

MD5
b4f7b4a050fca6ce5eb9c7ca731444c9

SHA1
64e0efba5392b23a382b9fc6e763e0515ac8baae

SHA256
e0481730bbb23f5a89bc22c21c46622a5c11a4f019480bd412034d3c04704041

SHA512
ca46de75828323068c0117fd4a9dce773edd50096065a8319bd4043bd061a12f01d696157155105cbffe9281111b0ad2f5d10ec3dc6a4e055ba201a2fed8d261

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7084077.exe

Filesize
13KB

MD5
16aeba740104d15e9aa3d483f6a58a80

SHA1
a96fd07b168f7ff4a54a6059211a4985ec15b229

SHA256
2c44bb787cc2babad339e611d650bdd4b92f6809d26ba9b704b6e6459e3bb078

SHA512
2c00466336d8ab6e406e0f72d60c2180637fa657ea3b511657edf0cac531fb9a8300b7cb5705ddbfe61194c76cbcfab7dfba8af3c8fe087e13fdbdb14f538261

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7084077.exe

Filesize
13KB

MD5
16aeba740104d15e9aa3d483f6a58a80

SHA1
a96fd07b168f7ff4a54a6059211a4985ec15b229

SHA256
2c44bb787cc2babad339e611d650bdd4b92f6809d26ba9b704b6e6459e3bb078

SHA512
2c00466336d8ab6e406e0f72d60c2180637fa657ea3b511657edf0cac531fb9a8300b7cb5705ddbfe61194c76cbcfab7dfba8af3c8fe087e13fdbdb14f538261

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3443784.exe

Filesize
140KB

MD5
b4254e3c35035ddc26f2fb7c99c61146

SHA1
f36eb6e0229d0f94555770ee570be927bae4e5fe

SHA256
a26a843e984de710a3347cc31994393b335b3777f9f56b5754fb4f909b7ba843

SHA512
aae0eee0a36fbab65a8e26e0ce252d72ab75120bfa41be92995dfb36ef88daca4a78da950df7b2eab665471948f0246ed5aae4225bceb7653a044eb44018d071

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3443784.exe

Filesize
140KB

MD5
b4254e3c35035ddc26f2fb7c99c61146

SHA1
f36eb6e0229d0f94555770ee570be927bae4e5fe

SHA256
a26a843e984de710a3347cc31994393b335b3777f9f56b5754fb4f909b7ba843

SHA512
aae0eee0a36fbab65a8e26e0ce252d72ab75120bfa41be92995dfb36ef88daca4a78da950df7b2eab665471948f0246ed5aae4225bceb7653a044eb44018d071

Download Submit
memory/224-38-0x00007FF9BE960000-0x00007FF9BF421000-memory.dmp

Filesize
10.8MB

Download
memory/224-36-0x00007FF9BE960000-0x00007FF9BF421000-memory.dmp

Filesize
10.8MB

Download
memory/224-35-0x0000000000820000-0x000000000082A000-memory.dmp

Filesize
40KB

Download
memory/312-45-0x0000000000E10000-0x0000000000E40000-memory.dmp

Filesize
192KB

Download
memory/312-46-0x00000000746B0000-0x0000000074E60000-memory.dmp

Filesize
7.7MB

Download
memory/312-47-0x000000000B260000-0x000000000B878000-memory.dmp

Filesize
6.1MB

Download
memory/312-48-0x000000000ADC0000-0x000000000AECA000-memory.dmp

Filesize
1.0MB

Download
memory/312-50-0x0000000005870000-0x0000000005880000-memory.dmp

Filesize
64KB

Download
memory/312-49-0x000000000AD00000-0x000000000AD12000-memory.dmp

Filesize
72KB

Download
memory/312-51-0x000000000AD60000-0x000000000AD9C000-memory.dmp

Filesize
240KB

Download
memory/312-52-0x00000000746B0000-0x0000000074E60000-memory.dmp

Filesize
7.7MB

Download
memory/312-53-0x0000000005870000-0x0000000005880000-memory.dmp

Filesize
64KB

Download