healer | 0ccdaa4b3990bcf4745acfd0ef34da97e2a8734aaa88d6b9b6bbf6b7750630e1

Analysis

max time kernel
198s
max time network
204s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2023 02:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ccdaa4b3990bcf4745acfd0ef34da97e2a8734aaa88d6b9b6bbf6b7750630e1.exe
Size

1.2MB
MD5

52b8c6aca612750f0732e58b42e9db9e
SHA1

2acc3ab9792418c585a67a793db4dd10761e3d95
SHA256

0ccdaa4b3990bcf4745acfd0ef34da97e2a8734aaa88d6b9b6bbf6b7750630e1
SHA512

435c59ce6d85bba3c23820dbc85b5e91059b8f712c8c411889193f5d4a41a56e1685a23bd192fababd0e49f4f075dce5083b26a0e4b0dd917a26c5e6f9265809
SSDEEP

24576:4Zts6DyaTwqfK5ASnIwHnNwVza8gswrbVWNO0Q5055Nv/aSIjfhZ:4ZtsZqf8nIynYOYNO0BlvyNfhZ

Score

10^/10

healer redline petin dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

petin

77.91.124.82:19071

Attributes

auth_value
f6cf7a48c0291d1ef5a3440429827d6d

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral2/memory/1692-32-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
2452	x7786285.exe
2932	x8659941.exe
1444	x8135436.exe
4884	g8198833.exe
1660	h7301784.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x8659941.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x8135436.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x7786285.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1596 set thread context of 2828	1596	0ccdaa4b3990bcf4745acfd0ef34da97e2a8734aaa88d6b9b6bbf6b7750630e1.exe	92
PID 4884 set thread context of 1692	4884	g8198833.exe	100

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1692	AppLaunch.exe
1692	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1692	AppLaunch.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 2828	1596	0ccdaa4b3990bcf4745acfd0ef34da97e2a8734aaa88d6b9b6bbf6b7750630e1.exe	92
PID 1596 wrote to memory of 2828	1596	0ccdaa4b3990bcf4745acfd0ef34da97e2a8734aaa88d6b9b6bbf6b7750630e1.exe	92
PID 1596 wrote to memory of 2828	1596	0ccdaa4b3990bcf4745acfd0ef34da97e2a8734aaa88d6b9b6bbf6b7750630e1.exe	92
PID 1596 wrote to memory of 2828	1596	0ccdaa4b3990bcf4745acfd0ef34da97e2a8734aaa88d6b9b6bbf6b7750630e1.exe	92
PID 1596 wrote to memory of 2828	1596	0ccdaa4b3990bcf4745acfd0ef34da97e2a8734aaa88d6b9b6bbf6b7750630e1.exe	92
PID 1596 wrote to memory of 2828	1596	0ccdaa4b3990bcf4745acfd0ef34da97e2a8734aaa88d6b9b6bbf6b7750630e1.exe	92
PID 1596 wrote to memory of 2828	1596	0ccdaa4b3990bcf4745acfd0ef34da97e2a8734aaa88d6b9b6bbf6b7750630e1.exe	92
PID 1596 wrote to memory of 2828	1596	0ccdaa4b3990bcf4745acfd0ef34da97e2a8734aaa88d6b9b6bbf6b7750630e1.exe	92
PID 1596 wrote to memory of 2828	1596	0ccdaa4b3990bcf4745acfd0ef34da97e2a8734aaa88d6b9b6bbf6b7750630e1.exe	92
PID 1596 wrote to memory of 2828	1596	0ccdaa4b3990bcf4745acfd0ef34da97e2a8734aaa88d6b9b6bbf6b7750630e1.exe	92
PID 2828 wrote to memory of 2452	2828	AppLaunch.exe	94
PID 2828 wrote to memory of 2452	2828	AppLaunch.exe	94
PID 2828 wrote to memory of 2452	2828	AppLaunch.exe	94
PID 2452 wrote to memory of 2932	2452	x7786285.exe	95
PID 2452 wrote to memory of 2932	2452	x7786285.exe	95
PID 2452 wrote to memory of 2932	2452	x7786285.exe	95
PID 2932 wrote to memory of 1444	2932	x8659941.exe	96
PID 2932 wrote to memory of 1444	2932	x8659941.exe	96
PID 2932 wrote to memory of 1444	2932	x8659941.exe	96
PID 1444 wrote to memory of 4884	1444	x8135436.exe	97
PID 1444 wrote to memory of 4884	1444	x8135436.exe	97
PID 1444 wrote to memory of 4884	1444	x8135436.exe	97
PID 4884 wrote to memory of 1552	4884	g8198833.exe	99
PID 4884 wrote to memory of 1552	4884	g8198833.exe	99
PID 4884 wrote to memory of 1552	4884	g8198833.exe	99
PID 4884 wrote to memory of 1692	4884	g8198833.exe	100
PID 4884 wrote to memory of 1692	4884	g8198833.exe	100
PID 4884 wrote to memory of 1692	4884	g8198833.exe	100
PID 4884 wrote to memory of 1692	4884	g8198833.exe	100
PID 4884 wrote to memory of 1692	4884	g8198833.exe	100
PID 4884 wrote to memory of 1692	4884	g8198833.exe	100
PID 4884 wrote to memory of 1692	4884	g8198833.exe	100
PID 4884 wrote to memory of 1692	4884	g8198833.exe	100
PID 1444 wrote to memory of 1660	1444	x8135436.exe	101
PID 1444 wrote to memory of 1660	1444	x8135436.exe	101
PID 1444 wrote to memory of 1660	1444	x8135436.exe	101

C:\Users\Admin\AppData\Local\Temp\0ccdaa4b3990bcf4745acfd0ef34da97e2a8734aaa88d6b9b6bbf6b7750630e1.exe
"C:\Users\Admin\AppData\Local\Temp\0ccdaa4b3990bcf4745acfd0ef34da97e2a8734aaa88d6b9b6bbf6b7750630e1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7786285.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7786285.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2452
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8659941.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8659941.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2932
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8135436.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8135436.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1444
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8198833.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8198833.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1552
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7301784.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7301784.exe
        6⤵
        Executes dropped EXE
        
        PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7786285.exe

Filesize
749KB

MD5
6af0b8b5b3be09e6668ca7edead58997

SHA1
488850df992080df8321862d1cd1866cb3d398c1

SHA256
36981cefc40a0d63a9a7689ed978494b6ff9000588a32bfda2bda164d3f4707c

SHA512
23b3c393d62f0752cd303733df4f75bdcfa461d088c5e3a3b82ae6c1ece69ee7568a05e493cceb4256bf8659606393b4c82eef94991deaa5e7bc5f06fb406b3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7786285.exe

Filesize
749KB

MD5
6af0b8b5b3be09e6668ca7edead58997

SHA1
488850df992080df8321862d1cd1866cb3d398c1

SHA256
36981cefc40a0d63a9a7689ed978494b6ff9000588a32bfda2bda164d3f4707c

SHA512
23b3c393d62f0752cd303733df4f75bdcfa461d088c5e3a3b82ae6c1ece69ee7568a05e493cceb4256bf8659606393b4c82eef94991deaa5e7bc5f06fb406b3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8659941.exe

Filesize
483KB

MD5
69b4078357279b767b0a788cfc90c544

SHA1
2e2478aea41e06aed0c05532d568dede41942a51

SHA256
5e2d485e65a6a32538b0bffe31b8e716446b6366dcea2eb981488461ac57a02d

SHA512
79e585239324ad5e6c06c143a850b19c4064e5ee051fc15b029aec1bc801af8d41c39082242078f8c0346e80c0f4c939097ca1139de4824bdcc3a8521ede92c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8659941.exe

Filesize
483KB

MD5
69b4078357279b767b0a788cfc90c544

SHA1
2e2478aea41e06aed0c05532d568dede41942a51

SHA256
5e2d485e65a6a32538b0bffe31b8e716446b6366dcea2eb981488461ac57a02d

SHA512
79e585239324ad5e6c06c143a850b19c4064e5ee051fc15b029aec1bc801af8d41c39082242078f8c0346e80c0f4c939097ca1139de4824bdcc3a8521ede92c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8135436.exe

Filesize
317KB

MD5
03e727dc18a106596187d3008a02b146

SHA1
6a9eec8d34b4d9c03334e847e0a126569524fad9

SHA256
536d2e8263f607eff18128219398112a77cdc13f457340eafdf933783330c4fc

SHA512
06c5b66cf4b6922f45d5a7428059dd72c9486d1460e959ed13830031c97b1fb5f567737b9a7c14662a850c942ddc4b4695caa13d8dfa2f32556ec45ba8a05711

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8135436.exe

Filesize
317KB

MD5
03e727dc18a106596187d3008a02b146

SHA1
6a9eec8d34b4d9c03334e847e0a126569524fad9

SHA256
536d2e8263f607eff18128219398112a77cdc13f457340eafdf933783330c4fc

SHA512
06c5b66cf4b6922f45d5a7428059dd72c9486d1460e959ed13830031c97b1fb5f567737b9a7c14662a850c942ddc4b4695caa13d8dfa2f32556ec45ba8a05711

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8198833.exe

Filesize
230KB

MD5
c63090bdc37bfe255eb805ab845652ec

SHA1
f492a821e05d0d921b8e33a61f72c1df890a5a83

SHA256
27c051b55601bdc6960db9b1c2973de7158bf1d963dc83fb1e323a23048e0afe

SHA512
d9938e2741a36954460939b113034968cbb85b67831d861dd2ac4bed94ded9315294b88fa36c43de6b4f460a19ca8cd63b4597d10606124713fd9b8805304a87

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8198833.exe

Filesize
230KB

MD5
c63090bdc37bfe255eb805ab845652ec

SHA1
f492a821e05d0d921b8e33a61f72c1df890a5a83

SHA256
27c051b55601bdc6960db9b1c2973de7158bf1d963dc83fb1e323a23048e0afe

SHA512
d9938e2741a36954460939b113034968cbb85b67831d861dd2ac4bed94ded9315294b88fa36c43de6b4f460a19ca8cd63b4597d10606124713fd9b8805304a87

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7301784.exe

Filesize
174KB

MD5
705f1b446336274d519770e10de22825

SHA1
fe9f191ed2c7ca1fbff75c5486a722242e47ce2c

SHA256
1507dcde87e00d2ddcc8140b9b8253b703b9d6382d3c79a56a21641707ce24b6

SHA512
be7135eb2b7ad72e79049e395deb11c38e753bc268641c2adad83b5a662f9593692c2b7f5b34184853bfb26f0a77b8e5aae36479ad2a102d96e7999fd0cb7c0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7301784.exe

Filesize
174KB

MD5
705f1b446336274d519770e10de22825

SHA1
fe9f191ed2c7ca1fbff75c5486a722242e47ce2c

SHA256
1507dcde87e00d2ddcc8140b9b8253b703b9d6382d3c79a56a21641707ce24b6

SHA512
be7135eb2b7ad72e79049e395deb11c38e753bc268641c2adad83b5a662f9593692c2b7f5b34184853bfb26f0a77b8e5aae36479ad2a102d96e7999fd0cb7c0a

Download Submit
memory/1660-46-0x00000000050E0000-0x00000000051EA000-memory.dmp

Filesize
1.0MB

Download
memory/1660-45-0x0000000005590000-0x0000000005BA8000-memory.dmp

Filesize
6.1MB

Download
memory/1660-39-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/1660-50-0x00000000051F0000-0x000000000523C000-memory.dmp

Filesize
304KB

Download
memory/1660-40-0x0000000004D30000-0x0000000004D36000-memory.dmp

Filesize
24KB

Download
memory/1660-48-0x0000000005020000-0x0000000005032000-memory.dmp

Filesize
72KB

Download
memory/1660-37-0x0000000000550000-0x0000000000580000-memory.dmp

Filesize
192KB

Download
memory/1660-47-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/1660-51-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/1660-49-0x0000000005080000-0x00000000050BC000-memory.dmp

Filesize
240KB

Download
memory/1660-42-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/1692-38-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/1692-44-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/1692-41-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/1692-32-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2828-1-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2828-3-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2828-2-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2828-0-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2828-33-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download