healer | 7106d40d171b3795f4583a91e1b105bd7fc2cb102e290d33d9bbd01ce12622bb

Analysis

max time kernel
133s
max time network
146s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 03:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7106d40d171b3795f4583a91e1b105bd7fc2cb102e290d33d9bbd01ce12622bb.exe
Size

753KB
MD5

cd477aac77d7453206b9e984a4444fc3
SHA1

c798de0cf5623a3d7b4beb0e8fa98bb6f32e91b9
SHA256

7106d40d171b3795f4583a91e1b105bd7fc2cb102e290d33d9bbd01ce12622bb
SHA512

a9ac3f52f11f0d4c439cbbcf99a864928b5fd4713bc867cc28d33655276e8c853310e7b4d28d99d64bab94377f199b35da24e68d11a0b260a099e1fb583764f8
SSDEEP

12288:qMrYy90EqcrEywjFwiKj1PC4/JTc557oUsiB3yPC/oVSnuFlx1GM7Hzj:eyUOiKFC4BTI57oUEkoVcWvnj

Score

10^/10

healer redline dusa dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

dusa

83.97.73.127:19045

Attributes

auth_value
ee896466545fedf9de5406175fb82de5

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/memory/2640-33-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2640-39-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2640-40-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
3012	y9143845.exe
2648	y5457738.exe
2808	k5231148.exe
2536	l3651390.exe

Loads dropped DLL 8 IoCs

pid	Process
1248	7106d40d171b3795f4583a91e1b105bd7fc2cb102e290d33d9bbd01ce12622bb.exe
3012	y9143845.exe
3012	y9143845.exe
2648	y5457738.exe
2648	y5457738.exe
2808	k5231148.exe
2648	y5457738.exe
2536	l3651390.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7106d40d171b3795f4583a91e1b105bd7fc2cb102e290d33d9bbd01ce12622bb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y9143845.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y5457738.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2808 set thread context of 2640	2808	k5231148.exe	32

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2640	AppLaunch.exe
2640	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2640	AppLaunch.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 1248 wrote to memory of 3012	1248	7106d40d171b3795f4583a91e1b105bd7fc2cb102e290d33d9bbd01ce12622bb.exe	28
PID 1248 wrote to memory of 3012	1248	7106d40d171b3795f4583a91e1b105bd7fc2cb102e290d33d9bbd01ce12622bb.exe	28
PID 1248 wrote to memory of 3012	1248	7106d40d171b3795f4583a91e1b105bd7fc2cb102e290d33d9bbd01ce12622bb.exe	28
PID 1248 wrote to memory of 3012	1248	7106d40d171b3795f4583a91e1b105bd7fc2cb102e290d33d9bbd01ce12622bb.exe	28
PID 1248 wrote to memory of 3012	1248	7106d40d171b3795f4583a91e1b105bd7fc2cb102e290d33d9bbd01ce12622bb.exe	28
PID 1248 wrote to memory of 3012	1248	7106d40d171b3795f4583a91e1b105bd7fc2cb102e290d33d9bbd01ce12622bb.exe	28
PID 1248 wrote to memory of 3012	1248	7106d40d171b3795f4583a91e1b105bd7fc2cb102e290d33d9bbd01ce12622bb.exe	28
PID 3012 wrote to memory of 2648	3012	y9143845.exe	29
PID 3012 wrote to memory of 2648	3012	y9143845.exe	29
PID 3012 wrote to memory of 2648	3012	y9143845.exe	29
PID 3012 wrote to memory of 2648	3012	y9143845.exe	29
PID 3012 wrote to memory of 2648	3012	y9143845.exe	29
PID 3012 wrote to memory of 2648	3012	y9143845.exe	29
PID 3012 wrote to memory of 2648	3012	y9143845.exe	29
PID 2648 wrote to memory of 2808	2648	y5457738.exe	30
PID 2648 wrote to memory of 2808	2648	y5457738.exe	30
PID 2648 wrote to memory of 2808	2648	y5457738.exe	30
PID 2648 wrote to memory of 2808	2648	y5457738.exe	30
PID 2648 wrote to memory of 2808	2648	y5457738.exe	30
PID 2648 wrote to memory of 2808	2648	y5457738.exe	30
PID 2648 wrote to memory of 2808	2648	y5457738.exe	30
PID 2808 wrote to memory of 2640	2808	k5231148.exe	32
PID 2808 wrote to memory of 2640	2808	k5231148.exe	32
PID 2808 wrote to memory of 2640	2808	k5231148.exe	32
PID 2808 wrote to memory of 2640	2808	k5231148.exe	32
PID 2808 wrote to memory of 2640	2808	k5231148.exe	32
PID 2808 wrote to memory of 2640	2808	k5231148.exe	32
PID 2808 wrote to memory of 2640	2808	k5231148.exe	32
PID 2808 wrote to memory of 2640	2808	k5231148.exe	32
PID 2808 wrote to memory of 2640	2808	k5231148.exe	32
PID 2648 wrote to memory of 2536	2648	y5457738.exe	33
PID 2648 wrote to memory of 2536	2648	y5457738.exe	33
PID 2648 wrote to memory of 2536	2648	y5457738.exe	33
PID 2648 wrote to memory of 2536	2648	y5457738.exe	33
PID 2648 wrote to memory of 2536	2648	y5457738.exe	33
PID 2648 wrote to memory of 2536	2648	y5457738.exe	33
PID 2648 wrote to memory of 2536	2648	y5457738.exe	33

C:\Users\Admin\AppData\Local\Temp\7106d40d171b3795f4583a91e1b105bd7fc2cb102e290d33d9bbd01ce12622bb.exe
"C:\Users\Admin\AppData\Local\Temp\7106d40d171b3795f4583a91e1b105bd7fc2cb102e290d33d9bbd01ce12622bb.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9143845.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9143845.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5457738.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5457738.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5231148.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5231148.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2808
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3651390.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3651390.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9143845.exe

Filesize
454KB

MD5
6a89839bef7babff13f0294d47999d4d

SHA1
2440d22d80ac9182bf20a23b7c941d26ef230bec

SHA256
3736edc6b042256963bec450a629d417abc7420e91c6a92c2798779dc9d709fc

SHA512
72228db8e23fb2fde2ab30fb55ade211c702f7ebb94f6f09258a1c8757f356208256340790705b5fe6e9a18cb0465f76d58e0435ef337a28724d409b55b241ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9143845.exe

Filesize
454KB

MD5
6a89839bef7babff13f0294d47999d4d

SHA1
2440d22d80ac9182bf20a23b7c941d26ef230bec

SHA256
3736edc6b042256963bec450a629d417abc7420e91c6a92c2798779dc9d709fc

SHA512
72228db8e23fb2fde2ab30fb55ade211c702f7ebb94f6f09258a1c8757f356208256340790705b5fe6e9a18cb0465f76d58e0435ef337a28724d409b55b241ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5457738.exe

Filesize
282KB

MD5
a037743c2a6055e38a8c91b96a57d545

SHA1
6257e2ffd34798f5f8d1a3432723dd014d0fe76f

SHA256
9c6cbdb70bcb4fea1fad0edf981595ae659bb7b30f185aee6734c2ed1a1e2e27

SHA512
b9efdb8164ddd70b941c6b64d280786d27a0be93bb0cea0fc89d40a8393a68352caab34fb735e8b0ff55a522c3a22cfe2a5480463a6cdd2e0fec9a6d22c1e1e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5457738.exe

Filesize
282KB

MD5
a037743c2a6055e38a8c91b96a57d545

SHA1
6257e2ffd34798f5f8d1a3432723dd014d0fe76f

SHA256
9c6cbdb70bcb4fea1fad0edf981595ae659bb7b30f185aee6734c2ed1a1e2e27

SHA512
b9efdb8164ddd70b941c6b64d280786d27a0be93bb0cea0fc89d40a8393a68352caab34fb735e8b0ff55a522c3a22cfe2a5480463a6cdd2e0fec9a6d22c1e1e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5231148.exe

Filesize
169KB

MD5
57c4bc75f678ff9e333d9554e447766b

SHA1
567b479ab59a67fff64ea7be793c55ade1b08137

SHA256
e3f1b34eb94e0a77996ada95bda0559de49353a6c54694d96958a4643db47705

SHA512
005a5481d4d19c7a2a89d34ba3f84cb99622241b8f1860c12df54652a888caeee6e806bb1c928b7217bbd325cb1f96aabcc7191745fa7c833be723a67c809dde

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5231148.exe

Filesize
169KB

MD5
57c4bc75f678ff9e333d9554e447766b

SHA1
567b479ab59a67fff64ea7be793c55ade1b08137

SHA256
e3f1b34eb94e0a77996ada95bda0559de49353a6c54694d96958a4643db47705

SHA512
005a5481d4d19c7a2a89d34ba3f84cb99622241b8f1860c12df54652a888caeee6e806bb1c928b7217bbd325cb1f96aabcc7191745fa7c833be723a67c809dde

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3651390.exe

Filesize
168KB

MD5
08ff3d597c112cef0dacdf77e020d580

SHA1
693de4609e08f7626d05c78b848abefa2e83a0df

SHA256
c61e7f08640e7270f85e6f526f6f4d9ed9218df37c250d9fd59006ac3a895429

SHA512
418c4042d92057fbe2e2fb488632d59f64b4d6f3b50f5be89c35d713f9a4d6712094ef944404752df685cd177fe78376c12e8bd0cb00ac4b47d10c77a0cf4415

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3651390.exe

Filesize
168KB

MD5
08ff3d597c112cef0dacdf77e020d580

SHA1
693de4609e08f7626d05c78b848abefa2e83a0df

SHA256
c61e7f08640e7270f85e6f526f6f4d9ed9218df37c250d9fd59006ac3a895429

SHA512
418c4042d92057fbe2e2fb488632d59f64b4d6f3b50f5be89c35d713f9a4d6712094ef944404752df685cd177fe78376c12e8bd0cb00ac4b47d10c77a0cf4415

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9143845.exe

Filesize
454KB

MD5
6a89839bef7babff13f0294d47999d4d

SHA1
2440d22d80ac9182bf20a23b7c941d26ef230bec

SHA256
3736edc6b042256963bec450a629d417abc7420e91c6a92c2798779dc9d709fc

SHA512
72228db8e23fb2fde2ab30fb55ade211c702f7ebb94f6f09258a1c8757f356208256340790705b5fe6e9a18cb0465f76d58e0435ef337a28724d409b55b241ec

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9143845.exe

Filesize
454KB

MD5
6a89839bef7babff13f0294d47999d4d

SHA1
2440d22d80ac9182bf20a23b7c941d26ef230bec

SHA256
3736edc6b042256963bec450a629d417abc7420e91c6a92c2798779dc9d709fc

SHA512
72228db8e23fb2fde2ab30fb55ade211c702f7ebb94f6f09258a1c8757f356208256340790705b5fe6e9a18cb0465f76d58e0435ef337a28724d409b55b241ec

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5457738.exe

Filesize
282KB

MD5
a037743c2a6055e38a8c91b96a57d545

SHA1
6257e2ffd34798f5f8d1a3432723dd014d0fe76f

SHA256
9c6cbdb70bcb4fea1fad0edf981595ae659bb7b30f185aee6734c2ed1a1e2e27

SHA512
b9efdb8164ddd70b941c6b64d280786d27a0be93bb0cea0fc89d40a8393a68352caab34fb735e8b0ff55a522c3a22cfe2a5480463a6cdd2e0fec9a6d22c1e1e4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5457738.exe

Filesize
282KB

MD5
a037743c2a6055e38a8c91b96a57d545

SHA1
6257e2ffd34798f5f8d1a3432723dd014d0fe76f

SHA256
9c6cbdb70bcb4fea1fad0edf981595ae659bb7b30f185aee6734c2ed1a1e2e27

SHA512
b9efdb8164ddd70b941c6b64d280786d27a0be93bb0cea0fc89d40a8393a68352caab34fb735e8b0ff55a522c3a22cfe2a5480463a6cdd2e0fec9a6d22c1e1e4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5231148.exe

Filesize
169KB

MD5
57c4bc75f678ff9e333d9554e447766b

SHA1
567b479ab59a67fff64ea7be793c55ade1b08137

SHA256
e3f1b34eb94e0a77996ada95bda0559de49353a6c54694d96958a4643db47705

SHA512
005a5481d4d19c7a2a89d34ba3f84cb99622241b8f1860c12df54652a888caeee6e806bb1c928b7217bbd325cb1f96aabcc7191745fa7c833be723a67c809dde

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5231148.exe

Filesize
169KB

MD5
57c4bc75f678ff9e333d9554e447766b

SHA1
567b479ab59a67fff64ea7be793c55ade1b08137

SHA256
e3f1b34eb94e0a77996ada95bda0559de49353a6c54694d96958a4643db47705

SHA512
005a5481d4d19c7a2a89d34ba3f84cb99622241b8f1860c12df54652a888caeee6e806bb1c928b7217bbd325cb1f96aabcc7191745fa7c833be723a67c809dde

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3651390.exe

Filesize
168KB

MD5
08ff3d597c112cef0dacdf77e020d580

SHA1
693de4609e08f7626d05c78b848abefa2e83a0df

SHA256
c61e7f08640e7270f85e6f526f6f4d9ed9218df37c250d9fd59006ac3a895429

SHA512
418c4042d92057fbe2e2fb488632d59f64b4d6f3b50f5be89c35d713f9a4d6712094ef944404752df685cd177fe78376c12e8bd0cb00ac4b47d10c77a0cf4415

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3651390.exe

Filesize
168KB

MD5
08ff3d597c112cef0dacdf77e020d580

SHA1
693de4609e08f7626d05c78b848abefa2e83a0df

SHA256
c61e7f08640e7270f85e6f526f6f4d9ed9218df37c250d9fd59006ac3a895429

SHA512
418c4042d92057fbe2e2fb488632d59f64b4d6f3b50f5be89c35d713f9a4d6712094ef944404752df685cd177fe78376c12e8bd0cb00ac4b47d10c77a0cf4415

Download Submit
memory/2536-47-0x0000000000E90000-0x0000000000EBE000-memory.dmp

Filesize
184KB

Download
memory/2536-48-0x0000000000490000-0x0000000000496000-memory.dmp

Filesize
24KB

Download
memory/2640-40-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2640-39-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2640-37-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2640-33-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2640-31-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download