healer | 1529c0c966d05f2b7f66e71341a2d4117bb7461848059bd2d7aa1d479305c0af

Analysis

max time kernel
145s
max time network
156s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
01-10-2023 11:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1529c0c966d05f2b7f66e71341a2d4117bb7461848059bd2d7aa1d479305c0af.exe
Size

748KB
MD5

e0721f4d8b53ab6399602e5d263be852
SHA1

c45154ff66a8d09ef3ddc206b0d52573999f34b1
SHA256

1529c0c966d05f2b7f66e71341a2d4117bb7461848059bd2d7aa1d479305c0af
SHA512

08784fc40afeab62d1114ba32275396a3093cf9e53d602fe35bdc19d8975518c38edfd24f3f56065503436bc34d7dd931789ccdd516a8c5e4845bf88dea4f243
SSDEEP

12288:fMrZy90f1CkKoTyhDmykvPHpNJOuSLy7Az5kRCIwdnVjR+AHKUlJaoL8:iypWFTmj5kR5wVFRLHTaJ

Score

10^/10

healer redline gruha dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

gruha

77.91.124.55:19071

Attributes

auth_value
2f4cf2e668a540e64775b27535cc6892

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q0622078.exe	healer
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q0622078.exe	healer
behavioral1/memory/1800-28-0x0000000000360000-0x000000000036A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

q0622078.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q0622078.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q0622078.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q0622078.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q0622078.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q0622078.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 5 IoCs

Processes:

z0239071.exez2464539.exez6715014.exeq0622078.exer2668372.exe

pid process

2224 z0239071.exe
1952 z2464539.exe
2448 z6715014.exe
1800 q0622078.exe
4712 r2668372.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

q0622078.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" q0622078.exe

pid	process
2224	z0239071.exe
1952	z2464539.exe
2448	z6715014.exe
1800	q0622078.exe
4712	r2668372.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q0622078.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

z0239071.exez2464539.exez6715014.exe1529c0c966d05f2b7f66e71341a2d4117bb7461848059bd2d7aa1d479305c0af.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z0239071.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z2464539.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z6715014.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1529c0c966d05f2b7f66e71341a2d4117bb7461848059bd2d7aa1d479305c0af.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

r2668372.exe

description pid process target process

PID 4712 set thread context of 3792 4712 r2668372.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4284 4712 WerFault.exe r2668372.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

q0622078.exe

pid process

1800 q0622078.exe
1800 q0622078.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

q0622078.exe

description pid process

Token: SeDebugPrivilege 1800 q0622078.exe

description	pid	process	target process
PID 4712 set thread context of 3792	4712	r2668372.exe	AppLaunch.exe

pid	pid_target	process	target process
4284	4712	WerFault.exe	r2668372.exe

pid	process
1800	q0622078.exe
1800	q0622078.exe

description	pid	process
Token: SeDebugPrivilege	1800	q0622078.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

1529c0c966d05f2b7f66e71341a2d4117bb7461848059bd2d7aa1d479305c0af.exez0239071.exez2464539.exez6715014.exer2668372.exe

description	pid	process	target process
PID 4136 wrote to memory of 2224	4136	1529c0c966d05f2b7f66e71341a2d4117bb7461848059bd2d7aa1d479305c0af.exe	z0239071.exe
PID 4136 wrote to memory of 2224	4136	1529c0c966d05f2b7f66e71341a2d4117bb7461848059bd2d7aa1d479305c0af.exe	z0239071.exe
PID 4136 wrote to memory of 2224	4136	1529c0c966d05f2b7f66e71341a2d4117bb7461848059bd2d7aa1d479305c0af.exe	z0239071.exe
PID 2224 wrote to memory of 1952	2224	z0239071.exe	z2464539.exe
PID 2224 wrote to memory of 1952	2224	z0239071.exe	z2464539.exe
PID 2224 wrote to memory of 1952	2224	z0239071.exe	z2464539.exe
PID 1952 wrote to memory of 2448	1952	z2464539.exe	z6715014.exe
PID 1952 wrote to memory of 2448	1952	z2464539.exe	z6715014.exe
PID 1952 wrote to memory of 2448	1952	z2464539.exe	z6715014.exe
PID 2448 wrote to memory of 1800	2448	z6715014.exe	q0622078.exe
PID 2448 wrote to memory of 1800	2448	z6715014.exe	q0622078.exe
PID 2448 wrote to memory of 4712	2448	z6715014.exe	r2668372.exe
PID 2448 wrote to memory of 4712	2448	z6715014.exe	r2668372.exe
PID 2448 wrote to memory of 4712	2448	z6715014.exe	r2668372.exe
PID 4712 wrote to memory of 3792	4712	r2668372.exe	AppLaunch.exe
PID 4712 wrote to memory of 3792	4712	r2668372.exe	AppLaunch.exe
PID 4712 wrote to memory of 3792	4712	r2668372.exe	AppLaunch.exe
PID 4712 wrote to memory of 3792	4712	r2668372.exe	AppLaunch.exe
PID 4712 wrote to memory of 3792	4712	r2668372.exe	AppLaunch.exe
PID 4712 wrote to memory of 3792	4712	r2668372.exe	AppLaunch.exe
PID 4712 wrote to memory of 3792	4712	r2668372.exe	AppLaunch.exe
PID 4712 wrote to memory of 3792	4712	r2668372.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\1529c0c966d05f2b7f66e71341a2d4117bb7461848059bd2d7aa1d479305c0af.exe
"C:\Users\Admin\AppData\Local\Temp\1529c0c966d05f2b7f66e71341a2d4117bb7461848059bd2d7aa1d479305c0af.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4136
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0239071.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0239071.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2464539.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2464539.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1952
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6715014.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6715014.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2448
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q0622078.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q0622078.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r2668372.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r2668372.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4712
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3792
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 144
        6⤵
        Program crash
        
        PID:4284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0239071.exe

Filesize
648KB

MD5
e7c3054c097196c1f3a72c8d36d1da48

SHA1
02dd4a56a47f6dceeb31516fb0d158f2896a63f8

SHA256
0c584195feeb8970ccffebf511b984b7927961971a00e930def8674590860da2

SHA512
9faace76be376a1fa2efa3d4357be180a43c759db5457b4d8900f51ff780e9e7dc69c8b45c62f1d6f9a6306a14262fd2b63cce481da83fedb7f3c625fdc3ca9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0239071.exe

Filesize
648KB

MD5
e7c3054c097196c1f3a72c8d36d1da48

SHA1
02dd4a56a47f6dceeb31516fb0d158f2896a63f8

SHA256
0c584195feeb8970ccffebf511b984b7927961971a00e930def8674590860da2

SHA512
9faace76be376a1fa2efa3d4357be180a43c759db5457b4d8900f51ff780e9e7dc69c8b45c62f1d6f9a6306a14262fd2b63cce481da83fedb7f3c625fdc3ca9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2464539.exe

Filesize
465KB

MD5
86f9129fc583ad999c6fd862ad53b047

SHA1
2a08dbafa7dcdbad7685e972724cdc9ae4ea0d83

SHA256
3af6afb03892782bee76a16826794e089a2bf0e1031af7dc53f16d6f55e851e7

SHA512
b50c5ee19c999fb72408d0c6685eb11d1db1e897fcade432ac55e94f6f1a48a08290891a2a5a1c70c363800f8db4ecc645c4e2f32098d395f0cba918ce0acb92

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2464539.exe

Filesize
465KB

MD5
86f9129fc583ad999c6fd862ad53b047

SHA1
2a08dbafa7dcdbad7685e972724cdc9ae4ea0d83

SHA256
3af6afb03892782bee76a16826794e089a2bf0e1031af7dc53f16d6f55e851e7

SHA512
b50c5ee19c999fb72408d0c6685eb11d1db1e897fcade432ac55e94f6f1a48a08290891a2a5a1c70c363800f8db4ecc645c4e2f32098d395f0cba918ce0acb92

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6715014.exe

Filesize
282KB

MD5
6929ec0ce880f96b359b024949773fc9

SHA1
7fb48a5d3ff02c14a882a44844120e2c01a65c3b

SHA256
4ebf3adb65df3a7db708c0356f359a826993437557f4c8c780410dc17e4a524c

SHA512
f12013b8005596ee56c255a70c1503f174c651378ca6488b675b41eb3e2fd32194d03588610df542148fb6282927f258cf765385c3314f43615890b925baa37c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6715014.exe

Filesize
282KB

MD5
6929ec0ce880f96b359b024949773fc9

SHA1
7fb48a5d3ff02c14a882a44844120e2c01a65c3b

SHA256
4ebf3adb65df3a7db708c0356f359a826993437557f4c8c780410dc17e4a524c

SHA512
f12013b8005596ee56c255a70c1503f174c651378ca6488b675b41eb3e2fd32194d03588610df542148fb6282927f258cf765385c3314f43615890b925baa37c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q0622078.exe

Filesize
11KB

MD5
a5569b37458871722ce0ff1f5e954903

SHA1
a5675df2a5c6056b17247679d2521f0a3304a46c

SHA256
e0cbcc50748123d3a79365c770f4823dcc7586c0429ff0f3b06714c8cff3b20f

SHA512
ab62d7b8b392a9cd88399f826ba6f4e6b6e591f902e13d718bc5a989f418770d7f7adb09f49d80ed2557221b70a879e0cd05a9715e2981bb23bd1cbbc8137431

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q0622078.exe

Filesize
11KB

MD5
a5569b37458871722ce0ff1f5e954903

SHA1
a5675df2a5c6056b17247679d2521f0a3304a46c

SHA256
e0cbcc50748123d3a79365c770f4823dcc7586c0429ff0f3b06714c8cff3b20f

SHA512
ab62d7b8b392a9cd88399f826ba6f4e6b6e591f902e13d718bc5a989f418770d7f7adb09f49d80ed2557221b70a879e0cd05a9715e2981bb23bd1cbbc8137431

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r2668372.exe

Filesize
310KB

MD5
828227633c779572a6ed27d07440aa1b

SHA1
d03eddffc08fa26ecbfa08c3785131f1e46e22ca

SHA256
a02e134a7c93e5490b5b014149013563a1a3519d7c02430ff106c3d7324ee079

SHA512
3f4a0f192b796a9cc9183ca2327028a4c0cd107ed58763e0a3254a569b546c7b8242fcc266eb84a77e97834d5574c7cedf1d48885a0afb99a5992a1531c88f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r2668372.exe

Filesize
310KB

MD5
828227633c779572a6ed27d07440aa1b

SHA1
d03eddffc08fa26ecbfa08c3785131f1e46e22ca

SHA256
a02e134a7c93e5490b5b014149013563a1a3519d7c02430ff106c3d7324ee079

SHA512
3f4a0f192b796a9cc9183ca2327028a4c0cd107ed58763e0a3254a569b546c7b8242fcc266eb84a77e97834d5574c7cedf1d48885a0afb99a5992a1531c88f62

Download Submit
memory/1800-31-0x00007FFA6A2B0000-0x00007FFA6AC9C000-memory.dmp

Filesize
9.9MB

Download
memory/1800-29-0x00007FFA6A2B0000-0x00007FFA6AC9C000-memory.dmp

Filesize
9.9MB

Download
memory/1800-28-0x0000000000360000-0x000000000036A000-memory.dmp

Filesize
40KB

Download
memory/3792-35-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3792-39-0x0000000073460000-0x0000000073B4E000-memory.dmp

Filesize
6.9MB

Download
memory/3792-40-0x0000000006E20000-0x0000000006E26000-memory.dmp

Filesize
24KB

Download
memory/3792-41-0x000000000EE10000-0x000000000F416000-memory.dmp

Filesize
6.0MB

Download
memory/3792-42-0x000000000E9A0000-0x000000000EAAA000-memory.dmp

Filesize
1.0MB

Download
memory/3792-43-0x000000000E8D0000-0x000000000E8E2000-memory.dmp

Filesize
72KB

Download
memory/3792-44-0x000000000E930000-0x000000000E96E000-memory.dmp

Filesize
248KB

Download
memory/3792-45-0x000000000EAB0000-0x000000000EAFB000-memory.dmp

Filesize
300KB

Download
memory/3792-50-0x0000000073460000-0x0000000073B4E000-memory.dmp

Filesize
6.9MB

Download