healer | 2d9ca96b41ffce9394e57c3aad6bc9eecc473a0b6a6a2655193fb5eb796ac9bb

Analysis

max time kernel
147s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
30/08/2023, 00:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d9ca96b41ffce9394e57c3aad6bc9eecc473a0b6a6a2655193fb5eb796ac9bb.exe
Size

929KB
MD5

0d8297ec2033094e78713250a9220035
SHA1

cd37241dba9fc9e3dddc194be939abec1fb5730a
SHA256

2d9ca96b41ffce9394e57c3aad6bc9eecc473a0b6a6a2655193fb5eb796ac9bb
SHA512

c77a42c3f9310a8d250e5717ebf6153e373463adb722160f9ca62f3c1351c0e4048f3cd5f44db7222db3d39d345eada5686c0be3041c0cf0cbf44d38b56946b5
SSDEEP

24576:zy/4V6xkaHDy0n/Y9lvJMIaCV+pzE4ICw:GbxB/Y9IIaCV+pzE4

Score

10^/10

healer redline sruta dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

sruta

77.91.124.82:19071

Attributes

auth_value
c556edcd49703319eca74247de20c236

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023232-33.dat	healer
behavioral1/files/0x0008000000023232-34.dat	healer
behavioral1/memory/2456-35-0x00000000008D0000-0x00000000008DA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q4869006.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q4869006.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q4869006.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q4869006.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	q4869006.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q4869006.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
1812	z6849749.exe
2532	z1176577.exe
1356	z1607634.exe
1296	z9871440.exe
2456	q4869006.exe
1036	r3238047.exe
3904	s4604557.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q4869006.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z6849749.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z1176577.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z1607634.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z9871440.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2d9ca96b41ffce9394e57c3aad6bc9eecc473a0b6a6a2655193fb5eb796ac9bb.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4628	sc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2456	q4869006.exe
2456	q4869006.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2456	q4869006.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 1812	1304	2d9ca96b41ffce9394e57c3aad6bc9eecc473a0b6a6a2655193fb5eb796ac9bb.exe	83
PID 1304 wrote to memory of 1812	1304	2d9ca96b41ffce9394e57c3aad6bc9eecc473a0b6a6a2655193fb5eb796ac9bb.exe	83
PID 1304 wrote to memory of 1812	1304	2d9ca96b41ffce9394e57c3aad6bc9eecc473a0b6a6a2655193fb5eb796ac9bb.exe	83
PID 1812 wrote to memory of 2532	1812	z6849749.exe	84
PID 1812 wrote to memory of 2532	1812	z6849749.exe	84
PID 1812 wrote to memory of 2532	1812	z6849749.exe	84
PID 2532 wrote to memory of 1356	2532	z1176577.exe	85
PID 2532 wrote to memory of 1356	2532	z1176577.exe	85
PID 2532 wrote to memory of 1356	2532	z1176577.exe	85
PID 1356 wrote to memory of 1296	1356	z1607634.exe	86
PID 1356 wrote to memory of 1296	1356	z1607634.exe	86
PID 1356 wrote to memory of 1296	1356	z1607634.exe	86
PID 1296 wrote to memory of 2456	1296	z9871440.exe	87
PID 1296 wrote to memory of 2456	1296	z9871440.exe	87
PID 1296 wrote to memory of 1036	1296	z9871440.exe	92
PID 1296 wrote to memory of 1036	1296	z9871440.exe	92
PID 1296 wrote to memory of 1036	1296	z9871440.exe	92
PID 1356 wrote to memory of 3904	1356	z1607634.exe	93
PID 1356 wrote to memory of 3904	1356	z1607634.exe	93
PID 1356 wrote to memory of 3904	1356	z1607634.exe	93

C:\Users\Admin\AppData\Local\Temp\2d9ca96b41ffce9394e57c3aad6bc9eecc473a0b6a6a2655193fb5eb796ac9bb.exe
"C:\Users\Admin\AppData\Local\Temp\2d9ca96b41ffce9394e57c3aad6bc9eecc473a0b6a6a2655193fb5eb796ac9bb.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6849749.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6849749.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1176577.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1176577.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1607634.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1607634.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1356
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9871440.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9871440.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1296
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4869006.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4869006.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2456
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3238047.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3238047.exe
        6⤵
        Executes dropped EXE
        
        PID:1036
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4604557.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4604557.exe
        5⤵
        Executes dropped EXE
        
        PID:3904

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:4628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6849749.exe

Filesize
825KB

MD5
dea4e6e01618471f6c8858476dcb10ce

SHA1
88231bf8c6f5b8764517563e0052def6777070cb

SHA256
5002885f71e12500b638044744842b92f3bd31e15c89a7b23c4c55f914a4b588

SHA512
8f1297f8909b1b41f9bfd2502877097841cee0e3fb3027adb2892675951f8affca3324f2d856b9dc213440a5f96c630e4c5a9951b0464d69fb7844167cadf524

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6849749.exe

Filesize
825KB

MD5
dea4e6e01618471f6c8858476dcb10ce

SHA1
88231bf8c6f5b8764517563e0052def6777070cb

SHA256
5002885f71e12500b638044744842b92f3bd31e15c89a7b23c4c55f914a4b588

SHA512
8f1297f8909b1b41f9bfd2502877097841cee0e3fb3027adb2892675951f8affca3324f2d856b9dc213440a5f96c630e4c5a9951b0464d69fb7844167cadf524

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1176577.exe

Filesize
599KB

MD5
2290ef53be661eb170ef2fd3a1d9cff5

SHA1
5e546da698761c69f16c681fe9440bb46c65ca91

SHA256
796eb55cc621982d725f9ade655c27fa17d2a6fad93c5a8cd58f01ade20c3c46

SHA512
7b236aa8ca33947b5adbe85319669f31492b6b8d07f43bbba251ea53c614b1a4f9dfe0d395d4e419cb1064c6375bdb03a8ff49d9be76ab676752cd69b10d9c6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1176577.exe

Filesize
599KB

MD5
2290ef53be661eb170ef2fd3a1d9cff5

SHA1
5e546da698761c69f16c681fe9440bb46c65ca91

SHA256
796eb55cc621982d725f9ade655c27fa17d2a6fad93c5a8cd58f01ade20c3c46

SHA512
7b236aa8ca33947b5adbe85319669f31492b6b8d07f43bbba251ea53c614b1a4f9dfe0d395d4e419cb1064c6375bdb03a8ff49d9be76ab676752cd69b10d9c6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1607634.exe

Filesize
372KB

MD5
9c2f5cfa9b9ba4080a469244aee4bbe6

SHA1
c21913767e6199e17a2df94d2f2b2ead87c28f06

SHA256
933a670d7b08cb031d213e7d76ff7789f907b33a002ed51024b7e41b74368397

SHA512
08261e8035b6bda1d1f1d7b2372364693532b793550bd7f68952d2441f0e01177fb5ea6de695da712c512f7d2fda47a1b86bdbc41b6d4f3da093d97170ae28e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1607634.exe

Filesize
372KB

MD5
9c2f5cfa9b9ba4080a469244aee4bbe6

SHA1
c21913767e6199e17a2df94d2f2b2ead87c28f06

SHA256
933a670d7b08cb031d213e7d76ff7789f907b33a002ed51024b7e41b74368397

SHA512
08261e8035b6bda1d1f1d7b2372364693532b793550bd7f68952d2441f0e01177fb5ea6de695da712c512f7d2fda47a1b86bdbc41b6d4f3da093d97170ae28e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4604557.exe

Filesize
174KB

MD5
b4339e9a89edfb509130b6c83eeca7cc

SHA1
90df832f3a3a9411b3a8c26fb4de7baf62a15d9f

SHA256
cbdbd93620ad25fc06460f655c26e8a95567aa4da866cdf5336f43b8ba70d243

SHA512
af751e1b2d1050cf2399d2f55229321f82a3eb2a72b09551f97a8202554086194e8b1d52e9d32f8b894b3366210c79d007fd2cad86d80a1e30fd73dd882c54d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4604557.exe

Filesize
174KB

MD5
b4339e9a89edfb509130b6c83eeca7cc

SHA1
90df832f3a3a9411b3a8c26fb4de7baf62a15d9f

SHA256
cbdbd93620ad25fc06460f655c26e8a95567aa4da866cdf5336f43b8ba70d243

SHA512
af751e1b2d1050cf2399d2f55229321f82a3eb2a72b09551f97a8202554086194e8b1d52e9d32f8b894b3366210c79d007fd2cad86d80a1e30fd73dd882c54d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9871440.exe

Filesize
217KB

MD5
c177d7020dc05e60812fb72a21af9f27

SHA1
aadb572552e4aa3d8deb68e8ab20f57fcf46483a

SHA256
76ecc77394f2cd5f9205427e1343c032bffa4bb5152aac71035dd49800b6d8d3

SHA512
9b600a6769ac051934925b32c86eb7239f875648cba2d8eae8f1ef6c3688d99a9fb95818e0277541c6b66f4220407cc79c8cb2a701d7cd2c8eee5db8f764c145

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9871440.exe

Filesize
217KB

MD5
c177d7020dc05e60812fb72a21af9f27

SHA1
aadb572552e4aa3d8deb68e8ab20f57fcf46483a

SHA256
76ecc77394f2cd5f9205427e1343c032bffa4bb5152aac71035dd49800b6d8d3

SHA512
9b600a6769ac051934925b32c86eb7239f875648cba2d8eae8f1ef6c3688d99a9fb95818e0277541c6b66f4220407cc79c8cb2a701d7cd2c8eee5db8f764c145

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4869006.exe

Filesize
17KB

MD5
59278f26016a49d18962d9593eea55b5

SHA1
d9fda6c7ba5e332e78192bbc1b04132ea0b67479

SHA256
d50f44a743cd1f9f8ea38d95e414cc7c3d72a2715e379af866cbde5d92f9b33b

SHA512
efbb27e79db09e4aeba9034aa31a638325f2eb518f54303c1078bbd5db6a2540c4345d1b5ef9eaa16da771b8d07674b2540edb3c323e43d3d860647a4e6f8379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4869006.exe

Filesize
17KB

MD5
59278f26016a49d18962d9593eea55b5

SHA1
d9fda6c7ba5e332e78192bbc1b04132ea0b67479

SHA256
d50f44a743cd1f9f8ea38d95e414cc7c3d72a2715e379af866cbde5d92f9b33b

SHA512
efbb27e79db09e4aeba9034aa31a638325f2eb518f54303c1078bbd5db6a2540c4345d1b5ef9eaa16da771b8d07674b2540edb3c323e43d3d860647a4e6f8379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3238047.exe

Filesize
141KB

MD5
de030c5ee101199b8e3c254b3c24aa76

SHA1
f1346fb5c2728f93f903eb578e125cce91337395

SHA256
90d771fbb6cd88fd73dce1f8d841d1b2d57e0d49d17c5515c01d29f421ad3fcd

SHA512
c88aced6f81b2011fea4713f715e56015eb61fca377cf67e760743aedc00d0a5f11d084262b9ab32fee5967f1ff8223d06d3e7bdcb7bfcef86bc85f470fe5ec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3238047.exe

Filesize
141KB

MD5
de030c5ee101199b8e3c254b3c24aa76

SHA1
f1346fb5c2728f93f903eb578e125cce91337395

SHA256
90d771fbb6cd88fd73dce1f8d841d1b2d57e0d49d17c5515c01d29f421ad3fcd

SHA512
c88aced6f81b2011fea4713f715e56015eb61fca377cf67e760743aedc00d0a5f11d084262b9ab32fee5967f1ff8223d06d3e7bdcb7bfcef86bc85f470fe5ec2

Download Submit
memory/2456-38-0x00007FFCEC210000-0x00007FFCECCD1000-memory.dmp

Filesize
10.8MB

Download
memory/2456-36-0x00007FFCEC210000-0x00007FFCECCD1000-memory.dmp

Filesize
10.8MB

Download
memory/2456-35-0x00000000008D0000-0x00000000008DA000-memory.dmp

Filesize
40KB

Download
memory/3904-45-0x0000000000880000-0x00000000008B0000-memory.dmp

Filesize
192KB

Download
memory/3904-46-0x0000000073D50000-0x0000000074500000-memory.dmp

Filesize
7.7MB

Download
memory/3904-47-0x0000000005970000-0x0000000005F88000-memory.dmp

Filesize
6.1MB

Download
memory/3904-48-0x0000000005460000-0x000000000556A000-memory.dmp

Filesize
1.0MB

Download
memory/3904-49-0x0000000005140000-0x0000000005150000-memory.dmp

Filesize
64KB

Download
memory/3904-50-0x0000000005350000-0x0000000005362000-memory.dmp

Filesize
72KB

Download
memory/3904-51-0x00000000053B0000-0x00000000053EC000-memory.dmp

Filesize
240KB

Download
memory/3904-52-0x0000000073D50000-0x0000000074500000-memory.dmp

Filesize
7.7MB

Download
memory/3904-53-0x0000000005140000-0x0000000005150000-memory.dmp

Filesize
64KB

Download