healer | 7106d40d171b3795f4583a91e1b105bd7fc2cb102e290d33d9bbd01ce12622bb

Analysis

max time kernel
134s
max time network
147s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12-10-2023 15:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7106d40d171b3795f4583a91e1b105bd7fc2cb102e290d33d9bbd01ce12622bb_JC.exe
Size

753KB
MD5

cd477aac77d7453206b9e984a4444fc3
SHA1

c798de0cf5623a3d7b4beb0e8fa98bb6f32e91b9
SHA256

7106d40d171b3795f4583a91e1b105bd7fc2cb102e290d33d9bbd01ce12622bb
SHA512

a9ac3f52f11f0d4c439cbbcf99a864928b5fd4713bc867cc28d33655276e8c853310e7b4d28d99d64bab94377f199b35da24e68d11a0b260a099e1fb583764f8
SSDEEP

12288:qMrYy90EqcrEywjFwiKj1PC4/JTc557oUsiB3yPC/oVSnuFlx1GM7Hzj:eyUOiKFC4BTI57oUEkoVcWvnj

Score

10^/10

healer redline dusa dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

dusa

83.97.73.127:19045

Attributes

auth_value
ee896466545fedf9de5406175fb82de5

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2660-32-0x0000000000090000-0x000000000009A000-memory.dmp	healer
behavioral1/memory/2660-38-0x0000000000090000-0x000000000009A000-memory.dmp	healer
behavioral1/memory/2660-39-0x0000000000090000-0x000000000009A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

y9143845.exey5457738.exek5231148.exel3651390.exe

pid process

2028 y9143845.exe
3012 y5457738.exe
2728 k5231148.exe
2748 l3651390.exe

pid	process
2028	y9143845.exe
3012	y5457738.exe
2728	k5231148.exe
2748	l3651390.exe

Loads dropped DLL 8 IoCs

Processes:

7106d40d171b3795f4583a91e1b105bd7fc2cb102e290d33d9bbd01ce12622bb_JC.exey9143845.exey5457738.exek5231148.exel3651390.exe

pid	process
1964	7106d40d171b3795f4583a91e1b105bd7fc2cb102e290d33d9bbd01ce12622bb_JC.exe
2028	y9143845.exe
2028	y9143845.exe
3012	y5457738.exe
3012	y5457738.exe
2728	k5231148.exe
3012	y5457738.exe
2748	l3651390.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7106d40d171b3795f4583a91e1b105bd7fc2cb102e290d33d9bbd01ce12622bb_JC.exey9143845.exey5457738.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7106d40d171b3795f4583a91e1b105bd7fc2cb102e290d33d9bbd01ce12622bb_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y9143845.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y5457738.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

k5231148.exe

description pid process target process

PID 2728 set thread context of 2660 2728 k5231148.exe AppLaunch.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AppLaunch.exe

pid process

2660 AppLaunch.exe
2660 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 2660 AppLaunch.exe

description	pid	process	target process
PID 2728 set thread context of 2660	2728	k5231148.exe	AppLaunch.exe

pid	process
2660	AppLaunch.exe
2660	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	2660	AppLaunch.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

7106d40d171b3795f4583a91e1b105bd7fc2cb102e290d33d9bbd01ce12622bb_JC.exey9143845.exey5457738.exek5231148.exe

description	pid	process	target process
PID 1964 wrote to memory of 2028	1964	7106d40d171b3795f4583a91e1b105bd7fc2cb102e290d33d9bbd01ce12622bb_JC.exe	y9143845.exe
PID 1964 wrote to memory of 2028	1964	7106d40d171b3795f4583a91e1b105bd7fc2cb102e290d33d9bbd01ce12622bb_JC.exe	y9143845.exe
PID 1964 wrote to memory of 2028	1964	7106d40d171b3795f4583a91e1b105bd7fc2cb102e290d33d9bbd01ce12622bb_JC.exe	y9143845.exe
PID 1964 wrote to memory of 2028	1964	7106d40d171b3795f4583a91e1b105bd7fc2cb102e290d33d9bbd01ce12622bb_JC.exe	y9143845.exe
PID 1964 wrote to memory of 2028	1964	7106d40d171b3795f4583a91e1b105bd7fc2cb102e290d33d9bbd01ce12622bb_JC.exe	y9143845.exe
PID 1964 wrote to memory of 2028	1964	7106d40d171b3795f4583a91e1b105bd7fc2cb102e290d33d9bbd01ce12622bb_JC.exe	y9143845.exe
PID 1964 wrote to memory of 2028	1964	7106d40d171b3795f4583a91e1b105bd7fc2cb102e290d33d9bbd01ce12622bb_JC.exe	y9143845.exe
PID 2028 wrote to memory of 3012	2028	y9143845.exe	y5457738.exe
PID 2028 wrote to memory of 3012	2028	y9143845.exe	y5457738.exe
PID 2028 wrote to memory of 3012	2028	y9143845.exe	y5457738.exe
PID 2028 wrote to memory of 3012	2028	y9143845.exe	y5457738.exe
PID 2028 wrote to memory of 3012	2028	y9143845.exe	y5457738.exe
PID 2028 wrote to memory of 3012	2028	y9143845.exe	y5457738.exe
PID 2028 wrote to memory of 3012	2028	y9143845.exe	y5457738.exe
PID 3012 wrote to memory of 2728	3012	y5457738.exe	k5231148.exe
PID 3012 wrote to memory of 2728	3012	y5457738.exe	k5231148.exe
PID 3012 wrote to memory of 2728	3012	y5457738.exe	k5231148.exe
PID 3012 wrote to memory of 2728	3012	y5457738.exe	k5231148.exe
PID 3012 wrote to memory of 2728	3012	y5457738.exe	k5231148.exe
PID 3012 wrote to memory of 2728	3012	y5457738.exe	k5231148.exe
PID 3012 wrote to memory of 2728	3012	y5457738.exe	k5231148.exe
PID 2728 wrote to memory of 2660	2728	k5231148.exe	AppLaunch.exe
PID 2728 wrote to memory of 2660	2728	k5231148.exe	AppLaunch.exe
PID 2728 wrote to memory of 2660	2728	k5231148.exe	AppLaunch.exe
PID 2728 wrote to memory of 2660	2728	k5231148.exe	AppLaunch.exe
PID 2728 wrote to memory of 2660	2728	k5231148.exe	AppLaunch.exe
PID 2728 wrote to memory of 2660	2728	k5231148.exe	AppLaunch.exe
PID 2728 wrote to memory of 2660	2728	k5231148.exe	AppLaunch.exe
PID 2728 wrote to memory of 2660	2728	k5231148.exe	AppLaunch.exe
PID 2728 wrote to memory of 2660	2728	k5231148.exe	AppLaunch.exe
PID 3012 wrote to memory of 2748	3012	y5457738.exe	l3651390.exe
PID 3012 wrote to memory of 2748	3012	y5457738.exe	l3651390.exe
PID 3012 wrote to memory of 2748	3012	y5457738.exe	l3651390.exe
PID 3012 wrote to memory of 2748	3012	y5457738.exe	l3651390.exe
PID 3012 wrote to memory of 2748	3012	y5457738.exe	l3651390.exe
PID 3012 wrote to memory of 2748	3012	y5457738.exe	l3651390.exe
PID 3012 wrote to memory of 2748	3012	y5457738.exe	l3651390.exe

C:\Users\Admin\AppData\Local\Temp\7106d40d171b3795f4583a91e1b105bd7fc2cb102e290d33d9bbd01ce12622bb_JC.exe
"C:\Users\Admin\AppData\Local\Temp\7106d40d171b3795f4583a91e1b105bd7fc2cb102e290d33d9bbd01ce12622bb_JC.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1964

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9143845.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9143845.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5457738.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5457738.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3012

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5231148.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5231148.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
5⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2660

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3651390.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3651390.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2748

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9143845.exe
Filesize
454KB

MD5
6a89839bef7babff13f0294d47999d4d

SHA1
2440d22d80ac9182bf20a23b7c941d26ef230bec

SHA256
3736edc6b042256963bec450a629d417abc7420e91c6a92c2798779dc9d709fc

SHA512
72228db8e23fb2fde2ab30fb55ade211c702f7ebb94f6f09258a1c8757f356208256340790705b5fe6e9a18cb0465f76d58e0435ef337a28724d409b55b241ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9143845.exe
Filesize
454KB

MD5
6a89839bef7babff13f0294d47999d4d

SHA1
2440d22d80ac9182bf20a23b7c941d26ef230bec

SHA256
3736edc6b042256963bec450a629d417abc7420e91c6a92c2798779dc9d709fc

SHA512
72228db8e23fb2fde2ab30fb55ade211c702f7ebb94f6f09258a1c8757f356208256340790705b5fe6e9a18cb0465f76d58e0435ef337a28724d409b55b241ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5457738.exe
Filesize
282KB

MD5
a037743c2a6055e38a8c91b96a57d545

SHA1
6257e2ffd34798f5f8d1a3432723dd014d0fe76f

SHA256
9c6cbdb70bcb4fea1fad0edf981595ae659bb7b30f185aee6734c2ed1a1e2e27

SHA512
b9efdb8164ddd70b941c6b64d280786d27a0be93bb0cea0fc89d40a8393a68352caab34fb735e8b0ff55a522c3a22cfe2a5480463a6cdd2e0fec9a6d22c1e1e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5457738.exe
Filesize
282KB

MD5
a037743c2a6055e38a8c91b96a57d545

SHA1
6257e2ffd34798f5f8d1a3432723dd014d0fe76f

SHA256
9c6cbdb70bcb4fea1fad0edf981595ae659bb7b30f185aee6734c2ed1a1e2e27

SHA512
b9efdb8164ddd70b941c6b64d280786d27a0be93bb0cea0fc89d40a8393a68352caab34fb735e8b0ff55a522c3a22cfe2a5480463a6cdd2e0fec9a6d22c1e1e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5231148.exe
Filesize
169KB

MD5
57c4bc75f678ff9e333d9554e447766b

SHA1
567b479ab59a67fff64ea7be793c55ade1b08137

SHA256
e3f1b34eb94e0a77996ada95bda0559de49353a6c54694d96958a4643db47705

SHA512
005a5481d4d19c7a2a89d34ba3f84cb99622241b8f1860c12df54652a888caeee6e806bb1c928b7217bbd325cb1f96aabcc7191745fa7c833be723a67c809dde

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5231148.exe
Filesize
169KB

MD5
57c4bc75f678ff9e333d9554e447766b

SHA1
567b479ab59a67fff64ea7be793c55ade1b08137

SHA256
e3f1b34eb94e0a77996ada95bda0559de49353a6c54694d96958a4643db47705

SHA512
005a5481d4d19c7a2a89d34ba3f84cb99622241b8f1860c12df54652a888caeee6e806bb1c928b7217bbd325cb1f96aabcc7191745fa7c833be723a67c809dde

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3651390.exe
Filesize
168KB

MD5
08ff3d597c112cef0dacdf77e020d580

SHA1
693de4609e08f7626d05c78b848abefa2e83a0df

SHA256
c61e7f08640e7270f85e6f526f6f4d9ed9218df37c250d9fd59006ac3a895429

SHA512
418c4042d92057fbe2e2fb488632d59f64b4d6f3b50f5be89c35d713f9a4d6712094ef944404752df685cd177fe78376c12e8bd0cb00ac4b47d10c77a0cf4415

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3651390.exe
Filesize
168KB

MD5
08ff3d597c112cef0dacdf77e020d580

SHA1
693de4609e08f7626d05c78b848abefa2e83a0df

SHA256
c61e7f08640e7270f85e6f526f6f4d9ed9218df37c250d9fd59006ac3a895429

SHA512
418c4042d92057fbe2e2fb488632d59f64b4d6f3b50f5be89c35d713f9a4d6712094ef944404752df685cd177fe78376c12e8bd0cb00ac4b47d10c77a0cf4415

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9143845.exe
Filesize
454KB

MD5
6a89839bef7babff13f0294d47999d4d

SHA1
2440d22d80ac9182bf20a23b7c941d26ef230bec

SHA256
3736edc6b042256963bec450a629d417abc7420e91c6a92c2798779dc9d709fc

SHA512
72228db8e23fb2fde2ab30fb55ade211c702f7ebb94f6f09258a1c8757f356208256340790705b5fe6e9a18cb0465f76d58e0435ef337a28724d409b55b241ec

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9143845.exe
Filesize
454KB

MD5
6a89839bef7babff13f0294d47999d4d

SHA1
2440d22d80ac9182bf20a23b7c941d26ef230bec

SHA256
3736edc6b042256963bec450a629d417abc7420e91c6a92c2798779dc9d709fc

SHA512
72228db8e23fb2fde2ab30fb55ade211c702f7ebb94f6f09258a1c8757f356208256340790705b5fe6e9a18cb0465f76d58e0435ef337a28724d409b55b241ec

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5457738.exe
Filesize
282KB

MD5
a037743c2a6055e38a8c91b96a57d545

SHA1
6257e2ffd34798f5f8d1a3432723dd014d0fe76f

SHA256
9c6cbdb70bcb4fea1fad0edf981595ae659bb7b30f185aee6734c2ed1a1e2e27

SHA512
b9efdb8164ddd70b941c6b64d280786d27a0be93bb0cea0fc89d40a8393a68352caab34fb735e8b0ff55a522c3a22cfe2a5480463a6cdd2e0fec9a6d22c1e1e4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5457738.exe
Filesize
282KB

MD5
a037743c2a6055e38a8c91b96a57d545

SHA1
6257e2ffd34798f5f8d1a3432723dd014d0fe76f

SHA256
9c6cbdb70bcb4fea1fad0edf981595ae659bb7b30f185aee6734c2ed1a1e2e27

SHA512
b9efdb8164ddd70b941c6b64d280786d27a0be93bb0cea0fc89d40a8393a68352caab34fb735e8b0ff55a522c3a22cfe2a5480463a6cdd2e0fec9a6d22c1e1e4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5231148.exe
Filesize
169KB

MD5
57c4bc75f678ff9e333d9554e447766b

SHA1
567b479ab59a67fff64ea7be793c55ade1b08137

SHA256
e3f1b34eb94e0a77996ada95bda0559de49353a6c54694d96958a4643db47705

SHA512
005a5481d4d19c7a2a89d34ba3f84cb99622241b8f1860c12df54652a888caeee6e806bb1c928b7217bbd325cb1f96aabcc7191745fa7c833be723a67c809dde

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5231148.exe
Filesize
169KB

MD5
57c4bc75f678ff9e333d9554e447766b

SHA1
567b479ab59a67fff64ea7be793c55ade1b08137

SHA256
e3f1b34eb94e0a77996ada95bda0559de49353a6c54694d96958a4643db47705

SHA512
005a5481d4d19c7a2a89d34ba3f84cb99622241b8f1860c12df54652a888caeee6e806bb1c928b7217bbd325cb1f96aabcc7191745fa7c833be723a67c809dde

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3651390.exe
Filesize
168KB

MD5
08ff3d597c112cef0dacdf77e020d580

SHA1
693de4609e08f7626d05c78b848abefa2e83a0df

SHA256
c61e7f08640e7270f85e6f526f6f4d9ed9218df37c250d9fd59006ac3a895429

SHA512
418c4042d92057fbe2e2fb488632d59f64b4d6f3b50f5be89c35d713f9a4d6712094ef944404752df685cd177fe78376c12e8bd0cb00ac4b47d10c77a0cf4415

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3651390.exe
Filesize
168KB

MD5
08ff3d597c112cef0dacdf77e020d580

SHA1
693de4609e08f7626d05c78b848abefa2e83a0df

SHA256
c61e7f08640e7270f85e6f526f6f4d9ed9218df37c250d9fd59006ac3a895429

SHA512
418c4042d92057fbe2e2fb488632d59f64b4d6f3b50f5be89c35d713f9a4d6712094ef944404752df685cd177fe78376c12e8bd0cb00ac4b47d10c77a0cf4415

Download Submit
memory/2660-31-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/2660-39-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/2660-38-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/2660-36-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2660-32-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/2748-46-0x00000000001B0000-0x00000000001DE000-memory.dmp

Filesize
184KB

Download
memory/2748-47-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download