healer | dd66b05a32931287f200c0f6ee82ce1b3b52313911780c5ccdf5ace06f3655fd

Analysis

max time kernel
175s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2023, 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd66b05a32931287f200c0f6ee82ce1b3b52313911780c5ccdf5ace06f3655fd.exe
Size

1.2MB
MD5

1040f71460bf21ae11509d672bc00466
SHA1

2b767506a77d801f68f18cb5f7f64293becc72d3
SHA256

dd66b05a32931287f200c0f6ee82ce1b3b52313911780c5ccdf5ace06f3655fd
SHA512

f432cdaff9b7a57687c08fe1901d0a48675b9dfb916a8093390b2c48e7985272d8c3a708dca4068c8c80b41a7a58c47f995501ea37ab63fe4b2756ff6ec7fa60
SSDEEP

24576:l74crodWKnrkoOYtZaKYjyYhJzjXpUl+55HL4lnlIh6OnEFKcsyXgY4bRqCyG:54crodcoOZzzjXOl+f4kh6IEoyIbRGG

Score

10^/10

healer redline petin dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

petin

77.91.124.82:19071

Attributes

auth_value
f6cf7a48c0291d1ef5a3440429827d6d

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral2/memory/4416-32-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
4596	x9766055.exe
4948	x5922132.exe
2696	x7394315.exe
3432	g7711021.exe
4336	h6921083.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x9766055.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x5922132.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x7394315.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 224 set thread context of 4332	224	dd66b05a32931287f200c0f6ee82ce1b3b52313911780c5ccdf5ace06f3655fd.exe	94
PID 3432 set thread context of 4416	3432	g7711021.exe	101

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4416	AppLaunch.exe
4416	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4416	AppLaunch.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 224 wrote to memory of 4332	224	dd66b05a32931287f200c0f6ee82ce1b3b52313911780c5ccdf5ace06f3655fd.exe	94
PID 224 wrote to memory of 4332	224	dd66b05a32931287f200c0f6ee82ce1b3b52313911780c5ccdf5ace06f3655fd.exe	94
PID 224 wrote to memory of 4332	224	dd66b05a32931287f200c0f6ee82ce1b3b52313911780c5ccdf5ace06f3655fd.exe	94
PID 224 wrote to memory of 4332	224	dd66b05a32931287f200c0f6ee82ce1b3b52313911780c5ccdf5ace06f3655fd.exe	94
PID 224 wrote to memory of 4332	224	dd66b05a32931287f200c0f6ee82ce1b3b52313911780c5ccdf5ace06f3655fd.exe	94
PID 224 wrote to memory of 4332	224	dd66b05a32931287f200c0f6ee82ce1b3b52313911780c5ccdf5ace06f3655fd.exe	94
PID 224 wrote to memory of 4332	224	dd66b05a32931287f200c0f6ee82ce1b3b52313911780c5ccdf5ace06f3655fd.exe	94
PID 224 wrote to memory of 4332	224	dd66b05a32931287f200c0f6ee82ce1b3b52313911780c5ccdf5ace06f3655fd.exe	94
PID 224 wrote to memory of 4332	224	dd66b05a32931287f200c0f6ee82ce1b3b52313911780c5ccdf5ace06f3655fd.exe	94
PID 224 wrote to memory of 4332	224	dd66b05a32931287f200c0f6ee82ce1b3b52313911780c5ccdf5ace06f3655fd.exe	94
PID 4332 wrote to memory of 4596	4332	AppLaunch.exe	95
PID 4332 wrote to memory of 4596	4332	AppLaunch.exe	95
PID 4332 wrote to memory of 4596	4332	AppLaunch.exe	95
PID 4596 wrote to memory of 4948	4596	x9766055.exe	96
PID 4596 wrote to memory of 4948	4596	x9766055.exe	96
PID 4596 wrote to memory of 4948	4596	x9766055.exe	96
PID 4948 wrote to memory of 2696	4948	x5922132.exe	97
PID 4948 wrote to memory of 2696	4948	x5922132.exe	97
PID 4948 wrote to memory of 2696	4948	x5922132.exe	97
PID 2696 wrote to memory of 3432	2696	x7394315.exe	99
PID 2696 wrote to memory of 3432	2696	x7394315.exe	99
PID 2696 wrote to memory of 3432	2696	x7394315.exe	99
PID 3432 wrote to memory of 4416	3432	g7711021.exe	101
PID 3432 wrote to memory of 4416	3432	g7711021.exe	101
PID 3432 wrote to memory of 4416	3432	g7711021.exe	101
PID 3432 wrote to memory of 4416	3432	g7711021.exe	101
PID 3432 wrote to memory of 4416	3432	g7711021.exe	101
PID 3432 wrote to memory of 4416	3432	g7711021.exe	101
PID 3432 wrote to memory of 4416	3432	g7711021.exe	101
PID 3432 wrote to memory of 4416	3432	g7711021.exe	101
PID 2696 wrote to memory of 4336	2696	x7394315.exe	102
PID 2696 wrote to memory of 4336	2696	x7394315.exe	102
PID 2696 wrote to memory of 4336	2696	x7394315.exe	102

C:\Users\Admin\AppData\Local\Temp\dd66b05a32931287f200c0f6ee82ce1b3b52313911780c5ccdf5ace06f3655fd.exe
"C:\Users\Admin\AppData\Local\Temp\dd66b05a32931287f200c0f6ee82ce1b3b52313911780c5ccdf5ace06f3655fd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:224
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4332
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9766055.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9766055.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4596
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5922132.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5922132.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4948
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7394315.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7394315.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2696
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7711021.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7711021.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4416
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h6921083.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h6921083.exe
        6⤵
        Executes dropped EXE
        
        PID:4336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9766055.exe

Filesize
745KB

MD5
eec9493ff80cdd64bd1f495a20d39186

SHA1
6c964c61f43d65b41af384de30a12bad593db5cc

SHA256
b4168d38cb191f89d28916d4c70e7a9ed76c40783d3f303a3b06c77e7ee3fd99

SHA512
664acf28155a5e18c309d09c1de3ab456b205eef3fa1572387ee0c76c0dd8b55ee27df771ed1e20cd4c6ca86d47744965693c86d4781d7fbdaa4c8fa91d68b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9766055.exe

Filesize
745KB

MD5
eec9493ff80cdd64bd1f495a20d39186

SHA1
6c964c61f43d65b41af384de30a12bad593db5cc

SHA256
b4168d38cb191f89d28916d4c70e7a9ed76c40783d3f303a3b06c77e7ee3fd99

SHA512
664acf28155a5e18c309d09c1de3ab456b205eef3fa1572387ee0c76c0dd8b55ee27df771ed1e20cd4c6ca86d47744965693c86d4781d7fbdaa4c8fa91d68b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5922132.exe

Filesize
480KB

MD5
f60214e4b9715b5b76aa37ef6043a495

SHA1
a657be2684aba93b17b8ddd52f0fa484976b147e

SHA256
4a6a6ce61c7bc9aa2076da8ad23bec6e6314be9044a2e31fef27d367a3ec03f3

SHA512
e10f4701f444fa084d3fc35ead5ebe0df9a58c29df1174627eb5927c34f677807e45130c7dd25c6977bcd492611c959111ab0624d83f1bf5f6de3695aa86071b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5922132.exe

Filesize
480KB

MD5
f60214e4b9715b5b76aa37ef6043a495

SHA1
a657be2684aba93b17b8ddd52f0fa484976b147e

SHA256
4a6a6ce61c7bc9aa2076da8ad23bec6e6314be9044a2e31fef27d367a3ec03f3

SHA512
e10f4701f444fa084d3fc35ead5ebe0df9a58c29df1174627eb5927c34f677807e45130c7dd25c6977bcd492611c959111ab0624d83f1bf5f6de3695aa86071b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7394315.exe

Filesize
314KB

MD5
2339f1fe167146ab8fab67de9cbae202

SHA1
e08b9e8bdc9176ab87dcb94837a5dcc8acdb4e24

SHA256
c3cf1f80ecb2cc879097fdfaf0cbe485951ee1f833a56e778010ac47193ba6eb

SHA512
41dc14e7b23d4b89c08ee7195a1da5dd4fae68e32a8093639eed8c6b45d53be97e74c0a90199033cb74c1a5f4f4dff19dfd1cfe4a61a58c989bd876b2378742a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7394315.exe

Filesize
314KB

MD5
2339f1fe167146ab8fab67de9cbae202

SHA1
e08b9e8bdc9176ab87dcb94837a5dcc8acdb4e24

SHA256
c3cf1f80ecb2cc879097fdfaf0cbe485951ee1f833a56e778010ac47193ba6eb

SHA512
41dc14e7b23d4b89c08ee7195a1da5dd4fae68e32a8093639eed8c6b45d53be97e74c0a90199033cb74c1a5f4f4dff19dfd1cfe4a61a58c989bd876b2378742a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7711021.exe

Filesize
229KB

MD5
00982fc34e0c3c4d0348d0906102fa4c

SHA1
8a978f6504faddfd08add57576b165c215cc056a

SHA256
0da1bc1a4575667a9d8239ac40b169b51df4ebc0caf47cb650d379726d83f599

SHA512
cacf2102cddfbe07f1554e739e859e88486869d4080e1c92084346bebb6398718b9a0669d9fa58d637b700889f1dd7712721370642ccd8002d1117c34e538fa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7711021.exe

Filesize
229KB

MD5
00982fc34e0c3c4d0348d0906102fa4c

SHA1
8a978f6504faddfd08add57576b165c215cc056a

SHA256
0da1bc1a4575667a9d8239ac40b169b51df4ebc0caf47cb650d379726d83f599

SHA512
cacf2102cddfbe07f1554e739e859e88486869d4080e1c92084346bebb6398718b9a0669d9fa58d637b700889f1dd7712721370642ccd8002d1117c34e538fa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h6921083.exe

Filesize
174KB

MD5
f519c334f2041b420d6f4219e84fea3b

SHA1
1214e85845de23469acd11dd12b1a647c7933eb2

SHA256
7e045fc1756c3e841bb6d55986cd7536d4ec141c1f82d25a89b3ace86b6e4d84

SHA512
87891f6389ede9edf9ace44f5e6a314019126f27f5a3b9b04685e0504736cf0a55d45509c2107709bf0c00c5a36187e24fd8cc71a1de23556de852df857fa77a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h6921083.exe

Filesize
174KB

MD5
f519c334f2041b420d6f4219e84fea3b

SHA1
1214e85845de23469acd11dd12b1a647c7933eb2

SHA256
7e045fc1756c3e841bb6d55986cd7536d4ec141c1f82d25a89b3ace86b6e4d84

SHA512
87891f6389ede9edf9ace44f5e6a314019126f27f5a3b9b04685e0504736cf0a55d45509c2107709bf0c00c5a36187e24fd8cc71a1de23556de852df857fa77a

Download Submit
memory/4332-3-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/4332-2-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/4332-46-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/4332-1-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/4332-0-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/4336-36-0x0000000000840000-0x0000000000870000-memory.dmp

Filesize
192KB

Download
memory/4336-42-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/4336-38-0x00000000012C0000-0x00000000012C6000-memory.dmp

Filesize
24KB

Download
memory/4336-51-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/4336-40-0x0000000005820000-0x0000000005E38000-memory.dmp

Filesize
6.1MB

Download
memory/4336-41-0x0000000005310000-0x000000000541A000-memory.dmp

Filesize
1.0MB

Download
memory/4336-43-0x0000000005080000-0x0000000005092000-memory.dmp

Filesize
72KB

Download
memory/4336-37-0x0000000074070000-0x0000000074820000-memory.dmp

Filesize
7.7MB

Download
memory/4336-44-0x0000000005240000-0x000000000527C000-memory.dmp

Filesize
240KB

Download
memory/4336-45-0x0000000005280000-0x00000000052CC000-memory.dmp

Filesize
304KB

Download
memory/4336-47-0x0000000074070000-0x0000000074820000-memory.dmp

Filesize
7.7MB

Download
memory/4416-32-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4416-48-0x0000000074070000-0x0000000074820000-memory.dmp

Filesize
7.7MB

Download
memory/4416-50-0x0000000074070000-0x0000000074820000-memory.dmp

Filesize
7.7MB

Download
memory/4416-39-0x0000000074070000-0x0000000074820000-memory.dmp

Filesize
7.7MB

Download