healer | 2676ca708434b145e84d0e9b16c8e30faa706f5eea9802c4cec9727fb5c6c305

Analysis

max time kernel
145s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2023, 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JC_2676ca708434b145e84d0e9b16c8e30faa706f5eea9802c4cec9727fb5c6c305.exe
Size

829KB
MD5

d86336b7ee0ef9b59c2882c30c948df1
SHA1

172b3b44ce68a05d5591bf0230a95e74c15062af
SHA256

2676ca708434b145e84d0e9b16c8e30faa706f5eea9802c4cec9727fb5c6c305
SHA512

7c577d1cd5c549baf9553bcddab5f3c07624735a02303a9d6a414131e4e97839b9726501dbbadd26d79dfd01b7fc7114039afb56aa0ec51c6b728a6f8b2f0a7f
SSDEEP

12288:lMrby90yeLXK0ZLOJmogUxOKDHW4QsCZ7KCmMDrx9jcVt12JXTFmD3jQ0dZ0OaZd:+y8L/O55Qsf+X30UJXTQD3jQ0v34d

Score

10^/10

healer redline domka dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

domka

77.91.124.82:19071

Attributes

auth_value
74e19436acac85e44d691aebcc617529

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral2/files/0x000700000002326c-33.dat	healer
behavioral2/files/0x000700000002326c-34.dat	healer
behavioral2/memory/4796-35-0x00000000005D0000-0x00000000005DA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a6778844.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a6778844.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a6778844.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a6778844.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a6778844.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a6778844.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
5056	v4128350.exe
3896	v6612405.exe
2808	v4096299.exe
4856	v0027778.exe
4796	a6778844.exe
388	b2174158.exe
3404	c6853029.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a6778844.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	JC_2676ca708434b145e84d0e9b16c8e30faa706f5eea9802c4cec9727fb5c6c305.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v4128350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v6612405.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v4096299.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v0027778.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4796	a6778844.exe
4796	a6778844.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4796	a6778844.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3108 wrote to memory of 5056	3108	JC_2676ca708434b145e84d0e9b16c8e30faa706f5eea9802c4cec9727fb5c6c305.exe	85
PID 3108 wrote to memory of 5056	3108	JC_2676ca708434b145e84d0e9b16c8e30faa706f5eea9802c4cec9727fb5c6c305.exe	85
PID 3108 wrote to memory of 5056	3108	JC_2676ca708434b145e84d0e9b16c8e30faa706f5eea9802c4cec9727fb5c6c305.exe	85
PID 5056 wrote to memory of 3896	5056	v4128350.exe	86
PID 5056 wrote to memory of 3896	5056	v4128350.exe	86
PID 5056 wrote to memory of 3896	5056	v4128350.exe	86
PID 3896 wrote to memory of 2808	3896	v6612405.exe	87
PID 3896 wrote to memory of 2808	3896	v6612405.exe	87
PID 3896 wrote to memory of 2808	3896	v6612405.exe	87
PID 2808 wrote to memory of 4856	2808	v4096299.exe	88
PID 2808 wrote to memory of 4856	2808	v4096299.exe	88
PID 2808 wrote to memory of 4856	2808	v4096299.exe	88
PID 4856 wrote to memory of 4796	4856	v0027778.exe	89
PID 4856 wrote to memory of 4796	4856	v0027778.exe	89
PID 4856 wrote to memory of 388	4856	v0027778.exe	92
PID 4856 wrote to memory of 388	4856	v0027778.exe	92
PID 4856 wrote to memory of 388	4856	v0027778.exe	92
PID 2808 wrote to memory of 3404	2808	v4096299.exe	93
PID 2808 wrote to memory of 3404	2808	v4096299.exe	93
PID 2808 wrote to memory of 3404	2808	v4096299.exe	93

C:\Users\Admin\AppData\Local\Temp\JC_2676ca708434b145e84d0e9b16c8e30faa706f5eea9802c4cec9727fb5c6c305.exe
"C:\Users\Admin\AppData\Local\Temp\JC_2676ca708434b145e84d0e9b16c8e30faa706f5eea9802c4cec9727fb5c6c305.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3108
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4128350.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4128350.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5056
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6612405.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6612405.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3896
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4096299.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4096299.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2808
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0027778.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0027778.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4856
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6778844.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6778844.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4796
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2174158.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2174158.exe
        6⤵
        Executes dropped EXE
        
        PID:388
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6853029.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6853029.exe
        5⤵
        Executes dropped EXE
        
        PID:3404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4128350.exe

Filesize
723KB

MD5
bf1533c36915530b9036f4bcb5e2b279

SHA1
531450492749584bfed8c3627ec8daace6ff0ac9

SHA256
161c4efc0fc084f86a9a4c7a3b8fcb046ec72ce6ff77329266eca59bfb6b95b6

SHA512
62d0cbb1b2476b815c0fac859f623a115b3fdfa315fb1c43a28828a5b246a70a9932834a1843ce6308c20fa8f5e20591e77ad9addc7ca8b8105fce552c5e7625

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4128350.exe

Filesize
723KB

MD5
bf1533c36915530b9036f4bcb5e2b279

SHA1
531450492749584bfed8c3627ec8daace6ff0ac9

SHA256
161c4efc0fc084f86a9a4c7a3b8fcb046ec72ce6ff77329266eca59bfb6b95b6

SHA512
62d0cbb1b2476b815c0fac859f623a115b3fdfa315fb1c43a28828a5b246a70a9932834a1843ce6308c20fa8f5e20591e77ad9addc7ca8b8105fce552c5e7625

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6612405.exe

Filesize
497KB

MD5
03b4dfa2dfd8dff835cb40579152911a

SHA1
e865b13737a7aff83ff00a2733e66b96de8eb244

SHA256
4daf6f6f9c2d3bbba696e084e38e65bc13459d68143fb422d4798ef2e0c9b541

SHA512
c5b555de069f4cc766ec63a0ef4e088e5fdbc3936c251d3b7245803fe1ff575de07acd038e02b9f8ba687466ef082b4cd339fa520427f2a5950b2564ec07da09

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6612405.exe

Filesize
497KB

MD5
03b4dfa2dfd8dff835cb40579152911a

SHA1
e865b13737a7aff83ff00a2733e66b96de8eb244

SHA256
4daf6f6f9c2d3bbba696e084e38e65bc13459d68143fb422d4798ef2e0c9b541

SHA512
c5b555de069f4cc766ec63a0ef4e088e5fdbc3936c251d3b7245803fe1ff575de07acd038e02b9f8ba687466ef082b4cd339fa520427f2a5950b2564ec07da09

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4096299.exe

Filesize
372KB

MD5
9a647182b94802afc6d00a4b14dad6d5

SHA1
b56c87d992efd18d2eccbc0f0f095745f08fa231

SHA256
349a845f95b6a94004d70e1d49a1d55cf50fdfb53c1db6b3dd8efdc89a6f9cf9

SHA512
46bb5d142bb4c93c3ec3f41a755e3d744f6df8d6a7b84a228d23e3c30919affdc8cf4730aff4c00b1563b4937a25a8dc6772a6bda33c218043cf119f856a30f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4096299.exe

Filesize
372KB

MD5
9a647182b94802afc6d00a4b14dad6d5

SHA1
b56c87d992efd18d2eccbc0f0f095745f08fa231

SHA256
349a845f95b6a94004d70e1d49a1d55cf50fdfb53c1db6b3dd8efdc89a6f9cf9

SHA512
46bb5d142bb4c93c3ec3f41a755e3d744f6df8d6a7b84a228d23e3c30919affdc8cf4730aff4c00b1563b4937a25a8dc6772a6bda33c218043cf119f856a30f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6853029.exe

Filesize
174KB

MD5
9198914322155d33bc84232970d8317f

SHA1
b402a7a04defe3ec650e958d3104af38077f7e29

SHA256
04b1be4fa503a0aba0ae14f705eb45c1e98f368d9490c27bb3bef96f5d9788b4

SHA512
d89f2a909aa4e0ed4df18d719b4741c7127a4383f0f3fcd15b1057b5041ce867feb90af7e0b676fd397f7127caf19da2475a9353d468ee45693aa0607c23b8fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6853029.exe

Filesize
174KB

MD5
9198914322155d33bc84232970d8317f

SHA1
b402a7a04defe3ec650e958d3104af38077f7e29

SHA256
04b1be4fa503a0aba0ae14f705eb45c1e98f368d9490c27bb3bef96f5d9788b4

SHA512
d89f2a909aa4e0ed4df18d719b4741c7127a4383f0f3fcd15b1057b5041ce867feb90af7e0b676fd397f7127caf19da2475a9353d468ee45693aa0607c23b8fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0027778.exe

Filesize
217KB

MD5
d5a417fd126093d1a6e22ac926893c29

SHA1
82ad6db707e410d507ea8c722d99f16ee232ee3d

SHA256
8ab8fee0e4a736f0bb7ce1af8436ae14988528a0ba3332040bd8968a06ae9398

SHA512
87423ddaf6881b9e9f6832c75d468ae45218cc9d0f61da4db6239447177e1792840d09fb88b1ade681666e4f956171ed6cdf83b26800afba622a4da3a6ceb0b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0027778.exe

Filesize
217KB

MD5
d5a417fd126093d1a6e22ac926893c29

SHA1
82ad6db707e410d507ea8c722d99f16ee232ee3d

SHA256
8ab8fee0e4a736f0bb7ce1af8436ae14988528a0ba3332040bd8968a06ae9398

SHA512
87423ddaf6881b9e9f6832c75d468ae45218cc9d0f61da4db6239447177e1792840d09fb88b1ade681666e4f956171ed6cdf83b26800afba622a4da3a6ceb0b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6778844.exe

Filesize
19KB

MD5
960a47b85bfc826a48704f1c74c89fd8

SHA1
a298a25f60b8752075bb97a60efbd851de540284

SHA256
8555688d8807506bf3ca7931a913be7d16ebfaa5a46ef2ae99e443e3eb825660

SHA512
8577ab4508b113ba5bd6921288145ea5b96ffa9ff63cb2898d1cde31cd235b6e6b3e7ea7d1f57850508412f0dc6fcb974dbc3f3a3df477c9001909945b4005c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6778844.exe

Filesize
19KB

MD5
960a47b85bfc826a48704f1c74c89fd8

SHA1
a298a25f60b8752075bb97a60efbd851de540284

SHA256
8555688d8807506bf3ca7931a913be7d16ebfaa5a46ef2ae99e443e3eb825660

SHA512
8577ab4508b113ba5bd6921288145ea5b96ffa9ff63cb2898d1cde31cd235b6e6b3e7ea7d1f57850508412f0dc6fcb974dbc3f3a3df477c9001909945b4005c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2174158.exe

Filesize
140KB

MD5
8e91d830903d06863371d8c8701b3f27

SHA1
0121ae30d8855e8cb565075990e2b0bcdf1b5445

SHA256
1434b8d9b9636797b5a4c9eb288bbaa7322170880a1aee44fad36d40e6c6b809

SHA512
2ec9fdd1bd32149cfb714dfdaa4a60966e3b55ee0ab6954deabb910d8c6bdadf042088a7cd25077658016c460defe005a446ebf6cb06308c80294e852e9628bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2174158.exe

Filesize
140KB

MD5
8e91d830903d06863371d8c8701b3f27

SHA1
0121ae30d8855e8cb565075990e2b0bcdf1b5445

SHA256
1434b8d9b9636797b5a4c9eb288bbaa7322170880a1aee44fad36d40e6c6b809

SHA512
2ec9fdd1bd32149cfb714dfdaa4a60966e3b55ee0ab6954deabb910d8c6bdadf042088a7cd25077658016c460defe005a446ebf6cb06308c80294e852e9628bf

Download Submit
memory/3404-46-0x0000000074130000-0x00000000748E0000-memory.dmp

Filesize
7.7MB

Download
memory/3404-45-0x0000000000630000-0x0000000000660000-memory.dmp

Filesize
192KB

Download
memory/3404-47-0x000000000AA90000-0x000000000B0A8000-memory.dmp

Filesize
6.1MB

Download
memory/3404-48-0x000000000A5E0000-0x000000000A6EA000-memory.dmp

Filesize
1.0MB

Download
memory/3404-49-0x0000000002890000-0x00000000028A0000-memory.dmp

Filesize
64KB

Download
memory/3404-50-0x000000000A520000-0x000000000A532000-memory.dmp

Filesize
72KB

Download
memory/3404-51-0x000000000A580000-0x000000000A5BC000-memory.dmp

Filesize
240KB

Download
memory/3404-52-0x0000000074130000-0x00000000748E0000-memory.dmp

Filesize
7.7MB

Download
memory/3404-53-0x0000000002890000-0x00000000028A0000-memory.dmp

Filesize
64KB

Download
memory/4796-38-0x00007FFB09BA0000-0x00007FFB0A661000-memory.dmp

Filesize
10.8MB

Download
memory/4796-36-0x00007FFB09BA0000-0x00007FFB0A661000-memory.dmp

Filesize
10.8MB

Download
memory/4796-35-0x00000000005D0000-0x00000000005DA000-memory.dmp

Filesize
40KB

Download