healer | 1cfcc46aa3d0e9b0c1581d73dd119bfefe2a06f4eeee43527cffcb0b08282f9e

Analysis

max time kernel
145s
max time network
157s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
26-08-2023 11:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1cfcc46aa3d0e9b0c1581d73dd119bfefe2a06f4eeee43527cffcb0b08282f9e.exe
Size

930KB
MD5

b2b9241d65f9d2b78ac5a6dc8c2a41be
SHA1

3517f0df77a613b3147520788a0fa5d82eef67fa
SHA256

1cfcc46aa3d0e9b0c1581d73dd119bfefe2a06f4eeee43527cffcb0b08282f9e
SHA512

c9156e2f8fcab54a9d79b1a4ef9696ed1dc89b8e210d77a872b93e130c49e5ccd2266aeb21f2e3d6632d687a286e30f6fe8ac35db8cb05db3eb107d3a578c408
SSDEEP

12288:DMrCy90AzOJvIBlayCMnBkdfkDNSCXZGEiFud5GIg+sVDokgQ8dzmtducS2jXxu9:dy3mksM+REiFudtkgkd3Dxkb

Score

10^/10

healer redline jaja dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

jaja

77.91.124.73:19071

Attributes

auth_value
3670179d176ca399ed08e7914610b43c

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001afc6-33.dat	healer
behavioral1/files/0x000700000001afc6-34.dat	healer
behavioral1/memory/2940-35-0x0000000000680000-0x000000000068A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q9014702.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q9014702.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q9014702.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q9014702.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q9014702.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
4532	z0642581.exe
1504	z0542606.exe
4628	z7243327.exe
2272	z9667488.exe
2940	q9014702.exe
3288	r9858423.exe
5060	s1900260.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q9014702.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1cfcc46aa3d0e9b0c1581d73dd119bfefe2a06f4eeee43527cffcb0b08282f9e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z0642581.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z0542606.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z7243327.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z9667488.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2940	q9014702.exe
2940	q9014702.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2940	q9014702.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 4532	4796	1cfcc46aa3d0e9b0c1581d73dd119bfefe2a06f4eeee43527cffcb0b08282f9e.exe	70
PID 4796 wrote to memory of 4532	4796	1cfcc46aa3d0e9b0c1581d73dd119bfefe2a06f4eeee43527cffcb0b08282f9e.exe	70
PID 4796 wrote to memory of 4532	4796	1cfcc46aa3d0e9b0c1581d73dd119bfefe2a06f4eeee43527cffcb0b08282f9e.exe	70
PID 4532 wrote to memory of 1504	4532	z0642581.exe	71
PID 4532 wrote to memory of 1504	4532	z0642581.exe	71
PID 4532 wrote to memory of 1504	4532	z0642581.exe	71
PID 1504 wrote to memory of 4628	1504	z0542606.exe	72
PID 1504 wrote to memory of 4628	1504	z0542606.exe	72
PID 1504 wrote to memory of 4628	1504	z0542606.exe	72
PID 4628 wrote to memory of 2272	4628	z7243327.exe	73
PID 4628 wrote to memory of 2272	4628	z7243327.exe	73
PID 4628 wrote to memory of 2272	4628	z7243327.exe	73
PID 2272 wrote to memory of 2940	2272	z9667488.exe	74
PID 2272 wrote to memory of 2940	2272	z9667488.exe	74
PID 2272 wrote to memory of 3288	2272	z9667488.exe	75
PID 2272 wrote to memory of 3288	2272	z9667488.exe	75
PID 2272 wrote to memory of 3288	2272	z9667488.exe	75
PID 4628 wrote to memory of 5060	4628	z7243327.exe	76
PID 4628 wrote to memory of 5060	4628	z7243327.exe	76
PID 4628 wrote to memory of 5060	4628	z7243327.exe	76

C:\Users\Admin\AppData\Local\Temp\1cfcc46aa3d0e9b0c1581d73dd119bfefe2a06f4eeee43527cffcb0b08282f9e.exe
"C:\Users\Admin\AppData\Local\Temp\1cfcc46aa3d0e9b0c1581d73dd119bfefe2a06f4eeee43527cffcb0b08282f9e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0642581.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0642581.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4532
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0542606.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0542606.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1504
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7243327.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7243327.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4628
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9667488.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9667488.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2272
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9014702.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9014702.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9858423.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9858423.exe
        6⤵
        Executes dropped EXE
        
        PID:3288
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1900260.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1900260.exe
        5⤵
        Executes dropped EXE
        
        PID:5060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0642581.exe

Filesize
825KB

MD5
8380a06981c94fbf597f71334a82a643

SHA1
b1753c23e1ae99c04f75b4e9acbaf8e15ab34426

SHA256
fc61716b3b0b461f195496d67f3bfdc4e050a387d1cd2d62b5b86a76a808be6c

SHA512
79177d68134b144e04e64f3f6fdeb6d919873b2caf212fa73be78cedb824ac2fb3114120c75b067f55ea352fa73dc12714e7de0004baa22779250205146418b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0642581.exe

Filesize
825KB

MD5
8380a06981c94fbf597f71334a82a643

SHA1
b1753c23e1ae99c04f75b4e9acbaf8e15ab34426

SHA256
fc61716b3b0b461f195496d67f3bfdc4e050a387d1cd2d62b5b86a76a808be6c

SHA512
79177d68134b144e04e64f3f6fdeb6d919873b2caf212fa73be78cedb824ac2fb3114120c75b067f55ea352fa73dc12714e7de0004baa22779250205146418b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0542606.exe

Filesize
599KB

MD5
fd130261d24a44329279bb7a65d3ff03

SHA1
dfe8097530346f257fe5558dd5fd61e3d78c0761

SHA256
fb7eb4331dfd2db0dc00315f87632466fab1d1e1cc2b1c0cd3553521f8f4d72c

SHA512
38083ef04f4823712f4c3b4ea9d7d9af3c9292888d8033b6626b8c9c6c6407b887bafae203d0746a31b20991a33915c7ed71e32feb06abd86c74c03dff2eb8dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0542606.exe

Filesize
599KB

MD5
fd130261d24a44329279bb7a65d3ff03

SHA1
dfe8097530346f257fe5558dd5fd61e3d78c0761

SHA256
fb7eb4331dfd2db0dc00315f87632466fab1d1e1cc2b1c0cd3553521f8f4d72c

SHA512
38083ef04f4823712f4c3b4ea9d7d9af3c9292888d8033b6626b8c9c6c6407b887bafae203d0746a31b20991a33915c7ed71e32feb06abd86c74c03dff2eb8dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7243327.exe

Filesize
373KB

MD5
ed4a9113f61329cb58704dece69d1348

SHA1
a68dd5e0631191af67bb7dd4a8c47e2cc11d9582

SHA256
8820759abb22e2dc0c37e0766541fbdc064ff5577a987c47287c3004ff76c4fd

SHA512
6f6fea600e8ccc554e1f94fb206118637693c7b44ff4b36d9ad4a3ab1d6b9807cf93d45ad0ece5a18043bdb076f7c8b87bdaeced680a90250c257c3e07177c0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7243327.exe

Filesize
373KB

MD5
ed4a9113f61329cb58704dece69d1348

SHA1
a68dd5e0631191af67bb7dd4a8c47e2cc11d9582

SHA256
8820759abb22e2dc0c37e0766541fbdc064ff5577a987c47287c3004ff76c4fd

SHA512
6f6fea600e8ccc554e1f94fb206118637693c7b44ff4b36d9ad4a3ab1d6b9807cf93d45ad0ece5a18043bdb076f7c8b87bdaeced680a90250c257c3e07177c0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1900260.exe

Filesize
174KB

MD5
abb1d86768df1e2a269224df9e3696b9

SHA1
9912dff3625ebc742405701e13e32bc69dec9073

SHA256
d4c96814e6253a3070ea1602d013f6110a2cd9b21454307f253f1d8833e04bb1

SHA512
00bd0dbff130ef4817b7038f31c073c84d41ef19c496a77ea377ffe75206539fdea923fca08cc7342457bd58bc9225c55ae2674643d735c4359aab3c1222242f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1900260.exe

Filesize
174KB

MD5
abb1d86768df1e2a269224df9e3696b9

SHA1
9912dff3625ebc742405701e13e32bc69dec9073

SHA256
d4c96814e6253a3070ea1602d013f6110a2cd9b21454307f253f1d8833e04bb1

SHA512
00bd0dbff130ef4817b7038f31c073c84d41ef19c496a77ea377ffe75206539fdea923fca08cc7342457bd58bc9225c55ae2674643d735c4359aab3c1222242f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9667488.exe

Filesize
217KB

MD5
dd24cb11685b9ef2c3c05cc4fbb627e2

SHA1
4a6244d261a3f13bf6b9c3adf200a3e88b6c5e33

SHA256
9ec1a24569d6082dabddb53ea98b5e05709f1f4185ee19594499f7a1a92c0c76

SHA512
637d2d128cd0861feece7be4c61b08bc3e9e20091d3a226dba4c2ec9c99dfeedb28b3bbd4558e81f2d8b043fef1a62728c9f1908cd32b71c01691df32447fedc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9667488.exe

Filesize
217KB

MD5
dd24cb11685b9ef2c3c05cc4fbb627e2

SHA1
4a6244d261a3f13bf6b9c3adf200a3e88b6c5e33

SHA256
9ec1a24569d6082dabddb53ea98b5e05709f1f4185ee19594499f7a1a92c0c76

SHA512
637d2d128cd0861feece7be4c61b08bc3e9e20091d3a226dba4c2ec9c99dfeedb28b3bbd4558e81f2d8b043fef1a62728c9f1908cd32b71c01691df32447fedc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9014702.exe

Filesize
14KB

MD5
4db0d7e2dc0421230ca375d55cf1ba2e

SHA1
874ebf98e6d99df6be36499acd07c42058ebf6bb

SHA256
e228fa0375b00c7c6495d76cd64fd3fb235472a0eef3f668ef4d44d9bf98e407

SHA512
dfd5479bfcc25155a55bece60a90a17e8ad2cab8d045d4061ca7d99c1e3f762ab571246cb69c3fd7b5e1b6269405adc963dc54a79e7e83d79d55cef43acdff76

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9014702.exe

Filesize
14KB

MD5
4db0d7e2dc0421230ca375d55cf1ba2e

SHA1
874ebf98e6d99df6be36499acd07c42058ebf6bb

SHA256
e228fa0375b00c7c6495d76cd64fd3fb235472a0eef3f668ef4d44d9bf98e407

SHA512
dfd5479bfcc25155a55bece60a90a17e8ad2cab8d045d4061ca7d99c1e3f762ab571246cb69c3fd7b5e1b6269405adc963dc54a79e7e83d79d55cef43acdff76

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9858423.exe

Filesize
141KB

MD5
a668202aed88c6086e93e71e5db95910

SHA1
ad84242c03c8f16bdbd9179e01514c8663eb61d3

SHA256
68a317790750e5ca05d879496fba7ba1b02581a2d283f10494c1d97cca98b2e7

SHA512
c868a7c1df4a0a0b07fa13481f263ded9e39e1aeb7a7f75e4025dab6ba8f3983977dd83bb52ae0a2ffa9457b84340f1d035ae86941f13d315c56cfa928eb5aae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9858423.exe

Filesize
141KB

MD5
a668202aed88c6086e93e71e5db95910

SHA1
ad84242c03c8f16bdbd9179e01514c8663eb61d3

SHA256
68a317790750e5ca05d879496fba7ba1b02581a2d283f10494c1d97cca98b2e7

SHA512
c868a7c1df4a0a0b07fa13481f263ded9e39e1aeb7a7f75e4025dab6ba8f3983977dd83bb52ae0a2ffa9457b84340f1d035ae86941f13d315c56cfa928eb5aae

Download Submit
memory/2940-38-0x00007FFF7FC30000-0x00007FFF8061C000-memory.dmp

Filesize
9.9MB

Download
memory/2940-36-0x00007FFF7FC30000-0x00007FFF8061C000-memory.dmp

Filesize
9.9MB

Download
memory/2940-35-0x0000000000680000-0x000000000068A000-memory.dmp

Filesize
40KB

Download
memory/5060-45-0x0000000000DE0000-0x0000000000E10000-memory.dmp

Filesize
192KB

Download
memory/5060-46-0x0000000073400000-0x0000000073AEE000-memory.dmp

Filesize
6.9MB

Download
memory/5060-47-0x0000000003040000-0x0000000003046000-memory.dmp

Filesize
24KB

Download
memory/5060-48-0x000000000B170000-0x000000000B776000-memory.dmp

Filesize
6.0MB

Download
memory/5060-49-0x000000000AC70000-0x000000000AD7A000-memory.dmp

Filesize
1.0MB

Download
memory/5060-50-0x0000000005790000-0x00000000057A2000-memory.dmp

Filesize
72KB

Download
memory/5060-51-0x000000000ABA0000-0x000000000ABDE000-memory.dmp

Filesize
248KB

Download
memory/5060-52-0x000000000ABE0000-0x000000000AC2B000-memory.dmp

Filesize
300KB

Download
memory/5060-53-0x0000000073400000-0x0000000073AEE000-memory.dmp

Filesize
6.9MB

Download