healer | ecf6336a1803eed2fb4644a389cba341b2e1084badfd080ee2e417ff3a5edd32

Analysis

max time kernel
147s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2023, 07:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ecf6336a1803eed2fb4644a389cba341b2e1084badfd080ee2e417ff3a5edd32.exe
Size

930KB
MD5

24346da7ae9c5b1ff35fc2ab06b9038b
SHA1

ba9401432b4bb41f55c7a9b4b6857ef5b3e069fe
SHA256

ecf6336a1803eed2fb4644a389cba341b2e1084badfd080ee2e417ff3a5edd32
SHA512

8dd00842537643e9fb3fc089bdd6d7601d996e11b5b59efc217eebbd9dafb2044d74d250ee99ec87b2d7b21a5f4f7219b1ff697b7dcec4cd633e70e6ae685d37
SSDEEP

24576:HyZCS98aGeomWjunsijLy0ju69lrx3AvCwtERIoFwoCf+:Sog8NnSLK67l3ICvuG

Score

10^/10

healer redline vaga dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

vaga

77.91.124.73:19071

Attributes

auth_value
393905212ded984248e8e000e612d4fe

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023212-33.dat	healer
behavioral1/files/0x0007000000023212-34.dat	healer
behavioral1/memory/4728-35-0x0000000000B00000-0x0000000000B0A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q2724148.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q2724148.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q2724148.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q2724148.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q2724148.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	q2724148.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
324	z9597807.exe
4840	z9542412.exe
4952	z8366943.exe
2956	z2598250.exe
4728	q2724148.exe
4428	r1081982.exe
5108	s5057474.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q2724148.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ecf6336a1803eed2fb4644a389cba341b2e1084badfd080ee2e417ff3a5edd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z9597807.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z9542412.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z8366943.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z2598250.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4588	sc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4728	q2724148.exe
4728	q2724148.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4728	q2724148.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 324	2160	ecf6336a1803eed2fb4644a389cba341b2e1084badfd080ee2e417ff3a5edd32.exe	81
PID 2160 wrote to memory of 324	2160	ecf6336a1803eed2fb4644a389cba341b2e1084badfd080ee2e417ff3a5edd32.exe	81
PID 2160 wrote to memory of 324	2160	ecf6336a1803eed2fb4644a389cba341b2e1084badfd080ee2e417ff3a5edd32.exe	81
PID 324 wrote to memory of 4840	324	z9597807.exe	82
PID 324 wrote to memory of 4840	324	z9597807.exe	82
PID 324 wrote to memory of 4840	324	z9597807.exe	82
PID 4840 wrote to memory of 4952	4840	z9542412.exe	83
PID 4840 wrote to memory of 4952	4840	z9542412.exe	83
PID 4840 wrote to memory of 4952	4840	z9542412.exe	83
PID 4952 wrote to memory of 2956	4952	z8366943.exe	84
PID 4952 wrote to memory of 2956	4952	z8366943.exe	84
PID 4952 wrote to memory of 2956	4952	z8366943.exe	84
PID 2956 wrote to memory of 4728	2956	z2598250.exe	85
PID 2956 wrote to memory of 4728	2956	z2598250.exe	85
PID 2956 wrote to memory of 4428	2956	z2598250.exe	90
PID 2956 wrote to memory of 4428	2956	z2598250.exe	90
PID 2956 wrote to memory of 4428	2956	z2598250.exe	90
PID 4952 wrote to memory of 5108	4952	z8366943.exe	91
PID 4952 wrote to memory of 5108	4952	z8366943.exe	91
PID 4952 wrote to memory of 5108	4952	z8366943.exe	91

C:\Users\Admin\AppData\Local\Temp\ecf6336a1803eed2fb4644a389cba341b2e1084badfd080ee2e417ff3a5edd32.exe
"C:\Users\Admin\AppData\Local\Temp\ecf6336a1803eed2fb4644a389cba341b2e1084badfd080ee2e417ff3a5edd32.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9597807.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9597807.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:324
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9542412.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9542412.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4840
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8366943.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8366943.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4952
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2598250.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2598250.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2956
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2724148.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2724148.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4728
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1081982.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1081982.exe
        6⤵
        Executes dropped EXE
        
        PID:4428
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s5057474.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s5057474.exe
        5⤵
        Executes dropped EXE
        
        PID:5108

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:4588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9597807.exe

Filesize
824KB

MD5
6fa1a4c1895c70ba15a6550b60e70433

SHA1
11b2142ba1553c81b340f8e2a249c21bf15ca362

SHA256
00bd3d778ed1b504eeaf6558ba83a1aa965bc9653c843751222ad8bd54845c2d

SHA512
f26f5826fdaa9faf62ea41e1e76b1eb6e038aa3469a84dc7f7b034c2d660efd08eef3180b7c2d74b160fa4b9642895bbb381d3676c3e1f653e49eacaf5fc09cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9597807.exe

Filesize
824KB

MD5
6fa1a4c1895c70ba15a6550b60e70433

SHA1
11b2142ba1553c81b340f8e2a249c21bf15ca362

SHA256
00bd3d778ed1b504eeaf6558ba83a1aa965bc9653c843751222ad8bd54845c2d

SHA512
f26f5826fdaa9faf62ea41e1e76b1eb6e038aa3469a84dc7f7b034c2d660efd08eef3180b7c2d74b160fa4b9642895bbb381d3676c3e1f653e49eacaf5fc09cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9542412.exe

Filesize
597KB

MD5
89f24c60c3809c8eb872771a4e77afff

SHA1
6d6df18f0e5a0ade23869ec80c752d440c1e2674

SHA256
c9b0b180ab36ea90afff3ed9c5adf8665e909d9f9b1ad1831131e879b07756c2

SHA512
59ddf0bf2e4a9d28207a1b82765d5b65628674e94e4df89572a00d3592e5018dbc712dc3cfc7167ce90ce8478526356d24fa7ef7fec705f5c1d9a58f650609eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9542412.exe

Filesize
597KB

MD5
89f24c60c3809c8eb872771a4e77afff

SHA1
6d6df18f0e5a0ade23869ec80c752d440c1e2674

SHA256
c9b0b180ab36ea90afff3ed9c5adf8665e909d9f9b1ad1831131e879b07756c2

SHA512
59ddf0bf2e4a9d28207a1b82765d5b65628674e94e4df89572a00d3592e5018dbc712dc3cfc7167ce90ce8478526356d24fa7ef7fec705f5c1d9a58f650609eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8366943.exe

Filesize
372KB

MD5
58a07d337bc83cac6245a0640f3f208e

SHA1
e95160598e3b72c1b5210c7314bf33706a8d3e70

SHA256
a0e86548951bafcaa009381b726228fd1d5438dde5f2f3305e21a3cff3b89822

SHA512
d799beae9ff8d7dba8b72a6d14040c28bb85d3e8a7c94381f2809fea57f17b388da6a2806756849089c9f5f7aad8ce330d0c9cc3c7152e307e1a301548a64326

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8366943.exe

Filesize
372KB

MD5
58a07d337bc83cac6245a0640f3f208e

SHA1
e95160598e3b72c1b5210c7314bf33706a8d3e70

SHA256
a0e86548951bafcaa009381b726228fd1d5438dde5f2f3305e21a3cff3b89822

SHA512
d799beae9ff8d7dba8b72a6d14040c28bb85d3e8a7c94381f2809fea57f17b388da6a2806756849089c9f5f7aad8ce330d0c9cc3c7152e307e1a301548a64326

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s5057474.exe

Filesize
174KB

MD5
f7c5d3a9306ad81fbbb7c4d53873e14b

SHA1
f62e03f82df4650d946a58c9f4c213da2b9250c1

SHA256
33546bd8fa7e6322045e986399aabec12752377db86352d9c570c0691bb8a30d

SHA512
fb4dfe8839825179eddbaa20ae667204f9815a5bbdef169686e817ff1eef4da245b56fe64fec647033fee6c0d454a602e1a0bcdced214a93043400e0956e53b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s5057474.exe

Filesize
174KB

MD5
f7c5d3a9306ad81fbbb7c4d53873e14b

SHA1
f62e03f82df4650d946a58c9f4c213da2b9250c1

SHA256
33546bd8fa7e6322045e986399aabec12752377db86352d9c570c0691bb8a30d

SHA512
fb4dfe8839825179eddbaa20ae667204f9815a5bbdef169686e817ff1eef4da245b56fe64fec647033fee6c0d454a602e1a0bcdced214a93043400e0956e53b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2598250.exe

Filesize
217KB

MD5
734e6e1f2996c99a58b7fda663c07bc8

SHA1
89c0618101cee004a83c1f32f75b4530c3229309

SHA256
6db2923fb1e771dec22455f17f2552227d822f7d4c956813008bcddc602113e2

SHA512
24c3275301a662084de4f25ac76b038c01e54c144b21f54cdbb052fc2a8bcd594460a5b6ce27b4c43349fcb3fdee11f0681bbd1cf3a68af49a5b37707bc75c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2598250.exe

Filesize
217KB

MD5
734e6e1f2996c99a58b7fda663c07bc8

SHA1
89c0618101cee004a83c1f32f75b4530c3229309

SHA256
6db2923fb1e771dec22455f17f2552227d822f7d4c956813008bcddc602113e2

SHA512
24c3275301a662084de4f25ac76b038c01e54c144b21f54cdbb052fc2a8bcd594460a5b6ce27b4c43349fcb3fdee11f0681bbd1cf3a68af49a5b37707bc75c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2724148.exe

Filesize
13KB

MD5
416b4a1b44da54639c18c25ed4e9a535

SHA1
141f122498ef69139c691de61f0017411db18ad8

SHA256
d51ad9b2f40ef90b0db7a60955c583d82ed32530ce7a9c6394930fbf604724c7

SHA512
eff9beef7ddc4040d9a955e3f3e7daf0b44c5b9faec1145a96266234226564331aad2375af1817dc419338027f4236d49daae2ba49f7560a9f95f99aba3490fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2724148.exe

Filesize
13KB

MD5
416b4a1b44da54639c18c25ed4e9a535

SHA1
141f122498ef69139c691de61f0017411db18ad8

SHA256
d51ad9b2f40ef90b0db7a60955c583d82ed32530ce7a9c6394930fbf604724c7

SHA512
eff9beef7ddc4040d9a955e3f3e7daf0b44c5b9faec1145a96266234226564331aad2375af1817dc419338027f4236d49daae2ba49f7560a9f95f99aba3490fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1081982.exe

Filesize
140KB

MD5
4ec4faca4459659c6aa31c50136ec7a6

SHA1
f1dac6cc2affb012ad9f88e427deea979085b053

SHA256
42ec66f35f0d382a027870d0737e94543b3db39627f39885039aa0e530dbdcab

SHA512
8a00b318b4b7ed0128951153ed2bfb9077b8bdcf3f68ad2fb1715779e5fd211180272829095542e5e1dc09180d6893320acd702ff56e5db9d70f87bf845e860e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1081982.exe

Filesize
140KB

MD5
4ec4faca4459659c6aa31c50136ec7a6

SHA1
f1dac6cc2affb012ad9f88e427deea979085b053

SHA256
42ec66f35f0d382a027870d0737e94543b3db39627f39885039aa0e530dbdcab

SHA512
8a00b318b4b7ed0128951153ed2bfb9077b8bdcf3f68ad2fb1715779e5fd211180272829095542e5e1dc09180d6893320acd702ff56e5db9d70f87bf845e860e

Download Submit
memory/4728-38-0x00007FFA364C0000-0x00007FFA36F81000-memory.dmp

Filesize
10.8MB

Download
memory/4728-36-0x00007FFA364C0000-0x00007FFA36F81000-memory.dmp

Filesize
10.8MB

Download
memory/4728-35-0x0000000000B00000-0x0000000000B0A000-memory.dmp

Filesize
40KB

Download
memory/5108-45-0x0000000000EC0000-0x0000000000EF0000-memory.dmp

Filesize
192KB

Download
memory/5108-46-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/5108-47-0x0000000005FC0000-0x00000000065D8000-memory.dmp

Filesize
6.1MB

Download
memory/5108-48-0x0000000005AB0000-0x0000000005BBA000-memory.dmp

Filesize
1.0MB

Download
memory/5108-50-0x0000000005990000-0x00000000059A0000-memory.dmp

Filesize
64KB

Download
memory/5108-49-0x00000000059A0000-0x00000000059B2000-memory.dmp

Filesize
72KB

Download
memory/5108-51-0x0000000005A00000-0x0000000005A3C000-memory.dmp

Filesize
240KB

Download
memory/5108-52-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/5108-53-0x0000000005990000-0x00000000059A0000-memory.dmp

Filesize
64KB

Download