healer | 7c1869d1570b2353a2ec38f2908c870e4d1c6f35aa3444eefd71b89491fb09ec

Analysis

max time kernel
146s
max time network
157s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
01/09/2023, 09:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c1869d1570b2353a2ec38f2908c870e4d1c6f35aa3444eefd71b89491fb09ec.exe
Size

923KB
MD5

13b7aa03933d7ba75aed7e03017f56f1
SHA1

5dfb3811cdc6cf6c20ab029774732260f65e11b0
SHA256

7c1869d1570b2353a2ec38f2908c870e4d1c6f35aa3444eefd71b89491fb09ec
SHA512

55080b87d27653970ac4268b831d7a5d3b19310651928b31115cad5f3a9b4bde45af509c1ac8ea24764cf566dfda0f257a6e627a9886c3dde8d02c01035abea6
SSDEEP

24576:eySByhXxjhyrS2H2JbzICYUmucRQPy419:tSyj6Xmz/TcROy

Score

10^/10

healer redline jang dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

jang

77.91.124.82:19071

Attributes

auth_value
662102010afcbe9e22b13116b1c1a088

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001afda-33.dat	healer
behavioral1/files/0x000700000001afda-34.dat	healer
behavioral1/memory/3040-35-0x00000000005A0000-0x00000000005AA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q9744451.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q9744451.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q9744451.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q9744451.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q9744451.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
4140	z7633189.exe
2520	z0526831.exe
3820	z0910527.exe
1520	z3789805.exe
3040	q9744451.exe
4316	r0790742.exe
1988	s0421265.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q9744451.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7c1869d1570b2353a2ec38f2908c870e4d1c6f35aa3444eefd71b89491fb09ec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z7633189.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z0526831.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z0910527.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z3789805.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3040	q9744451.exe
3040	q9744451.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3040	q9744451.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4112 wrote to memory of 4140	4112	7c1869d1570b2353a2ec38f2908c870e4d1c6f35aa3444eefd71b89491fb09ec.exe	69
PID 4112 wrote to memory of 4140	4112	7c1869d1570b2353a2ec38f2908c870e4d1c6f35aa3444eefd71b89491fb09ec.exe	69
PID 4112 wrote to memory of 4140	4112	7c1869d1570b2353a2ec38f2908c870e4d1c6f35aa3444eefd71b89491fb09ec.exe	69
PID 4140 wrote to memory of 2520	4140	z7633189.exe	70
PID 4140 wrote to memory of 2520	4140	z7633189.exe	70
PID 4140 wrote to memory of 2520	4140	z7633189.exe	70
PID 2520 wrote to memory of 3820	2520	z0526831.exe	71
PID 2520 wrote to memory of 3820	2520	z0526831.exe	71
PID 2520 wrote to memory of 3820	2520	z0526831.exe	71
PID 3820 wrote to memory of 1520	3820	z0910527.exe	72
PID 3820 wrote to memory of 1520	3820	z0910527.exe	72
PID 3820 wrote to memory of 1520	3820	z0910527.exe	72
PID 1520 wrote to memory of 3040	1520	z3789805.exe	73
PID 1520 wrote to memory of 3040	1520	z3789805.exe	73
PID 1520 wrote to memory of 4316	1520	z3789805.exe	74
PID 1520 wrote to memory of 4316	1520	z3789805.exe	74
PID 1520 wrote to memory of 4316	1520	z3789805.exe	74
PID 3820 wrote to memory of 1988	3820	z0910527.exe	75
PID 3820 wrote to memory of 1988	3820	z0910527.exe	75
PID 3820 wrote to memory of 1988	3820	z0910527.exe	75

C:\Users\Admin\AppData\Local\Temp\7c1869d1570b2353a2ec38f2908c870e4d1c6f35aa3444eefd71b89491fb09ec.exe
"C:\Users\Admin\AppData\Local\Temp\7c1869d1570b2353a2ec38f2908c870e4d1c6f35aa3444eefd71b89491fb09ec.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4112
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7633189.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7633189.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4140
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0526831.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0526831.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0910527.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0910527.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3820
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3789805.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3789805.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1520
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9744451.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9744451.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r0790742.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r0790742.exe
        6⤵
        Executes dropped EXE
        
        PID:4316
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s0421265.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s0421265.exe
        5⤵
        Executes dropped EXE
        
        PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7633189.exe

Filesize
825KB

MD5
d99ab91d8ff3c94edea997ce9a00f906

SHA1
0b472e1ed5b496b465008a198cedeb0e849c0388

SHA256
cb6068473f777c28cc6ad831061fec17c8c08e3dc825e0a614b1ff513cf75dda

SHA512
daf2c997e5024d5ed9c2c25bbadf641315c43ccf4e108aa62556fbd449e8e54b14fc1f6301b18b9b071dcd5212ee459ea3870351e42442202a58494fb611a8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7633189.exe

Filesize
825KB

MD5
d99ab91d8ff3c94edea997ce9a00f906

SHA1
0b472e1ed5b496b465008a198cedeb0e849c0388

SHA256
cb6068473f777c28cc6ad831061fec17c8c08e3dc825e0a614b1ff513cf75dda

SHA512
daf2c997e5024d5ed9c2c25bbadf641315c43ccf4e108aa62556fbd449e8e54b14fc1f6301b18b9b071dcd5212ee459ea3870351e42442202a58494fb611a8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0526831.exe

Filesize
599KB

MD5
8e9b5bc0372a92f98181f2ce67289256

SHA1
b9de9710a4769edda624500d2dee909313898ee6

SHA256
ca7045406eea1c211d571ea0c7c9b37e7ef76a6f818f70d219a9f71afa67b16b

SHA512
2e7643d4cc253cfd909292c9a760ca7cdfa9ee69fd215d2310631506413f620fe8eba3a3674839077f38aebd64afe8b94e56fee1ca7516ed4de67ae35be5b2e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0526831.exe

Filesize
599KB

MD5
8e9b5bc0372a92f98181f2ce67289256

SHA1
b9de9710a4769edda624500d2dee909313898ee6

SHA256
ca7045406eea1c211d571ea0c7c9b37e7ef76a6f818f70d219a9f71afa67b16b

SHA512
2e7643d4cc253cfd909292c9a760ca7cdfa9ee69fd215d2310631506413f620fe8eba3a3674839077f38aebd64afe8b94e56fee1ca7516ed4de67ae35be5b2e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0910527.exe

Filesize
373KB

MD5
ca76ba3671d516e0a83beab435d17a11

SHA1
8b0a3de6d95a3c913e341a7bbda5b54909acd9ce

SHA256
edfbea7c9d3a49a98d0d5f7534113062456dcd94e3a2f340ebaed728df818a5a

SHA512
e6c0616bc5ff58e085e2590a0961db28d7a591325325de817552546ff9091049bebf141eb335102ad6e0af0c0bd87f2447eaec9f34b89a16531a016af4e99b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0910527.exe

Filesize
373KB

MD5
ca76ba3671d516e0a83beab435d17a11

SHA1
8b0a3de6d95a3c913e341a7bbda5b54909acd9ce

SHA256
edfbea7c9d3a49a98d0d5f7534113062456dcd94e3a2f340ebaed728df818a5a

SHA512
e6c0616bc5ff58e085e2590a0961db28d7a591325325de817552546ff9091049bebf141eb335102ad6e0af0c0bd87f2447eaec9f34b89a16531a016af4e99b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s0421265.exe

Filesize
174KB

MD5
0cdc8b8518680d9fab5382b7fc4249ad

SHA1
95071641714c062a0ab429f4da9a1bc3233d88ed

SHA256
406b32e693a90798b06fc5e6d8c22dc444ae44031c6ade19e27b15ef80b0d29f

SHA512
c087230a76cc51e4635f359f081e1e5356e82563746c688a3ccec5f6e82bc28e395ca8ce95e3d459aef82683c8f9f754dd0e82c1fa5a7b9de5919e711bd214f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s0421265.exe

Filesize
174KB

MD5
0cdc8b8518680d9fab5382b7fc4249ad

SHA1
95071641714c062a0ab429f4da9a1bc3233d88ed

SHA256
406b32e693a90798b06fc5e6d8c22dc444ae44031c6ade19e27b15ef80b0d29f

SHA512
c087230a76cc51e4635f359f081e1e5356e82563746c688a3ccec5f6e82bc28e395ca8ce95e3d459aef82683c8f9f754dd0e82c1fa5a7b9de5919e711bd214f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3789805.exe

Filesize
217KB

MD5
f61e564299136673cf153ccce8a772df

SHA1
d0cacf263013e8067087af8ce80be80e937e0f96

SHA256
25f2c953bb44f3b3834614a1bbb4ec1dcc913324a9346166fc1a8df74f0bd546

SHA512
5e56502b9712a5c18a71de91ec20e588b88c66ab4007a82cf0d008e9b69e89e9af3916895e79d09f85fe4fae78719ef36cb343da98fb14c0e7418deaa88cbd22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3789805.exe

Filesize
217KB

MD5
f61e564299136673cf153ccce8a772df

SHA1
d0cacf263013e8067087af8ce80be80e937e0f96

SHA256
25f2c953bb44f3b3834614a1bbb4ec1dcc913324a9346166fc1a8df74f0bd546

SHA512
5e56502b9712a5c18a71de91ec20e588b88c66ab4007a82cf0d008e9b69e89e9af3916895e79d09f85fe4fae78719ef36cb343da98fb14c0e7418deaa88cbd22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9744451.exe

Filesize
19KB

MD5
e16b822e11bcf7d840684a3963326135

SHA1
950155116956a7bfcac5c2f192b7adac3fef81e9

SHA256
70557034a24e2fb6afdfba6444e75632671928dd4cd48992a70307dae3f76794

SHA512
a266754bcede633225adb982f2fbf6f5444ea5b98847362601479a853b75db6ac13bf9e7c0a72672294f5dc1a471a8905a88b8b363194d09aacef90c3631cc6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9744451.exe

Filesize
19KB

MD5
e16b822e11bcf7d840684a3963326135

SHA1
950155116956a7bfcac5c2f192b7adac3fef81e9

SHA256
70557034a24e2fb6afdfba6444e75632671928dd4cd48992a70307dae3f76794

SHA512
a266754bcede633225adb982f2fbf6f5444ea5b98847362601479a853b75db6ac13bf9e7c0a72672294f5dc1a471a8905a88b8b363194d09aacef90c3631cc6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r0790742.exe

Filesize
141KB

MD5
10a203010eadd20fa24eaee4510c5e74

SHA1
a5381add32b5dee18bf7ad0b58be1bd991dfca8a

SHA256
de790c0bc9e37034b6f48a31404d8316488cacacfa963f07583728c3b284c075

SHA512
e2a93c12bc8bd775c38902703f7f8adc9b61fbe12e15d4482ddae7b04e2b6b9b051127fdb2a827befb91207aab7c5398d46d349918646c2f75a0577e88648c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r0790742.exe

Filesize
141KB

MD5
10a203010eadd20fa24eaee4510c5e74

SHA1
a5381add32b5dee18bf7ad0b58be1bd991dfca8a

SHA256
de790c0bc9e37034b6f48a31404d8316488cacacfa963f07583728c3b284c075

SHA512
e2a93c12bc8bd775c38902703f7f8adc9b61fbe12e15d4482ddae7b04e2b6b9b051127fdb2a827befb91207aab7c5398d46d349918646c2f75a0577e88648c49

Download Submit
memory/1988-46-0x0000000073010000-0x00000000736FE000-memory.dmp

Filesize
6.9MB

Download
memory/1988-45-0x0000000000280000-0x00000000002B0000-memory.dmp

Filesize
192KB

Download
memory/1988-47-0x00000000025F0000-0x00000000025F6000-memory.dmp

Filesize
24KB

Download
memory/1988-48-0x000000000A710000-0x000000000AD16000-memory.dmp

Filesize
6.0MB

Download
memory/1988-49-0x000000000A210000-0x000000000A31A000-memory.dmp

Filesize
1.0MB

Download
memory/1988-50-0x000000000A100000-0x000000000A112000-memory.dmp

Filesize
72KB

Download
memory/1988-51-0x000000000A160000-0x000000000A19E000-memory.dmp

Filesize
248KB

Download
memory/1988-52-0x000000000A1B0000-0x000000000A1FB000-memory.dmp

Filesize
300KB

Download
memory/1988-53-0x0000000073010000-0x00000000736FE000-memory.dmp

Filesize
6.9MB

Download
memory/3040-38-0x00007FFADB330000-0x00007FFADBD1C000-memory.dmp

Filesize
9.9MB

Download
memory/3040-36-0x00007FFADB330000-0x00007FFADBD1C000-memory.dmp

Filesize
9.9MB

Download
memory/3040-35-0x00000000005A0000-0x00000000005AA000-memory.dmp

Filesize
40KB

Download