healer | d9912f8e4fe99e13c9d579d3db102dc3a0a1a2cf0b3b34dbcb47baee488b6a62

Analysis

max time kernel
142s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2023, 01:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9912f8e4fe99e13c9d579d3db102dc3a0a1a2cf0b3b34dbcb47baee488b6a62.exe
Size

3.1MB
MD5

a2025e7e3aafc5626ff6f6006e55ff1a
SHA1

46a2e3ba3c5ac7cf8b487bff576ce89f999d731c
SHA256

d9912f8e4fe99e13c9d579d3db102dc3a0a1a2cf0b3b34dbcb47baee488b6a62
SHA512

58f31b27711bf02d6b8f22a8322c18944194bd3cb3a9a9d584e5c6318a20648fb6e77bbe374f9993f53acfebec21531a6363652288682a797d734dfa3cf94de6
SSDEEP

49152:DNiDVNnhrihRC8cs6a3vTWpJZSgvZUq2bS720DnT3u0iG6oOlGn4X/:DNDhksWpJAgCB+720Xu0X6op4X

Score

10^/10

healer redline ramon dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

ramon

77.91.124.82:19071

Attributes

auth_value
3197576965d9513f115338c233015b40

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral2/memory/4296-26-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
1216	x7151392.exe
4408	x4344012.exe
3784	g8058190.exe
2884	i3269275.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x7151392.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x4344012.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 592 set thread context of 4108	592	d9912f8e4fe99e13c9d579d3db102dc3a0a1a2cf0b3b34dbcb47baee488b6a62.exe	94
PID 3784 set thread context of 4296	3784	g8058190.exe	100

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4296	AppLaunch.exe
4296	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4296	AppLaunch.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 592 wrote to memory of 4108	592	d9912f8e4fe99e13c9d579d3db102dc3a0a1a2cf0b3b34dbcb47baee488b6a62.exe	94
PID 592 wrote to memory of 4108	592	d9912f8e4fe99e13c9d579d3db102dc3a0a1a2cf0b3b34dbcb47baee488b6a62.exe	94
PID 592 wrote to memory of 4108	592	d9912f8e4fe99e13c9d579d3db102dc3a0a1a2cf0b3b34dbcb47baee488b6a62.exe	94
PID 592 wrote to memory of 4108	592	d9912f8e4fe99e13c9d579d3db102dc3a0a1a2cf0b3b34dbcb47baee488b6a62.exe	94
PID 592 wrote to memory of 4108	592	d9912f8e4fe99e13c9d579d3db102dc3a0a1a2cf0b3b34dbcb47baee488b6a62.exe	94
PID 592 wrote to memory of 4108	592	d9912f8e4fe99e13c9d579d3db102dc3a0a1a2cf0b3b34dbcb47baee488b6a62.exe	94
PID 592 wrote to memory of 4108	592	d9912f8e4fe99e13c9d579d3db102dc3a0a1a2cf0b3b34dbcb47baee488b6a62.exe	94
PID 592 wrote to memory of 4108	592	d9912f8e4fe99e13c9d579d3db102dc3a0a1a2cf0b3b34dbcb47baee488b6a62.exe	94
PID 592 wrote to memory of 4108	592	d9912f8e4fe99e13c9d579d3db102dc3a0a1a2cf0b3b34dbcb47baee488b6a62.exe	94
PID 592 wrote to memory of 4108	592	d9912f8e4fe99e13c9d579d3db102dc3a0a1a2cf0b3b34dbcb47baee488b6a62.exe	94
PID 4108 wrote to memory of 1216	4108	AppLaunch.exe	95
PID 4108 wrote to memory of 1216	4108	AppLaunch.exe	95
PID 4108 wrote to memory of 1216	4108	AppLaunch.exe	95
PID 1216 wrote to memory of 4408	1216	x7151392.exe	97
PID 1216 wrote to memory of 4408	1216	x7151392.exe	97
PID 1216 wrote to memory of 4408	1216	x7151392.exe	97
PID 4408 wrote to memory of 3784	4408	x4344012.exe	98
PID 4408 wrote to memory of 3784	4408	x4344012.exe	98
PID 4408 wrote to memory of 3784	4408	x4344012.exe	98
PID 3784 wrote to memory of 4296	3784	g8058190.exe	100
PID 3784 wrote to memory of 4296	3784	g8058190.exe	100
PID 3784 wrote to memory of 4296	3784	g8058190.exe	100
PID 3784 wrote to memory of 4296	3784	g8058190.exe	100
PID 3784 wrote to memory of 4296	3784	g8058190.exe	100
PID 3784 wrote to memory of 4296	3784	g8058190.exe	100
PID 3784 wrote to memory of 4296	3784	g8058190.exe	100
PID 3784 wrote to memory of 4296	3784	g8058190.exe	100
PID 4408 wrote to memory of 2884	4408	x4344012.exe	101
PID 4408 wrote to memory of 2884	4408	x4344012.exe	101
PID 4408 wrote to memory of 2884	4408	x4344012.exe	101

C:\Users\Admin\AppData\Local\Temp\d9912f8e4fe99e13c9d579d3db102dc3a0a1a2cf0b3b34dbcb47baee488b6a62.exe
"C:\Users\Admin\AppData\Local\Temp\d9912f8e4fe99e13c9d579d3db102dc3a0a1a2cf0b3b34dbcb47baee488b6a62.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4108
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7151392.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7151392.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1216
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4344012.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4344012.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4408
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g8058190.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g8058190.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3784
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4296
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i3269275.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i3269275.exe
        5⤵
        Executes dropped EXE
        
        PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7151392.exe

Filesize
731KB

MD5
13a6d6e194671a1f584939bc31e7a876

SHA1
fa83438a19e348fe24685e9c336e557b9dbcf55a

SHA256
013c287f088dedc0d4b9dc1b000af9785bbccdf9d90a5a2db479c847ef1e3eab

SHA512
28be923eeedd11d7286448b55235a1a510278d690c8cf49df1d691bf6148bcf858d1aa0b2c1b68e0ccad7cb5a096ff17a46aa091fd150df8d4a1b34142a6b9ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7151392.exe

Filesize
731KB

MD5
13a6d6e194671a1f584939bc31e7a876

SHA1
fa83438a19e348fe24685e9c336e557b9dbcf55a

SHA256
013c287f088dedc0d4b9dc1b000af9785bbccdf9d90a5a2db479c847ef1e3eab

SHA512
28be923eeedd11d7286448b55235a1a510278d690c8cf49df1d691bf6148bcf858d1aa0b2c1b68e0ccad7cb5a096ff17a46aa091fd150df8d4a1b34142a6b9ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4344012.exe

Filesize
565KB

MD5
93c373cfdcbdde6ad3f53d6b14978438

SHA1
4c8c78fb38c7f4dcec49bb88665cd1e4b63953c4

SHA256
4e3ba544182b8177e1ece4c62bb17b75aa823ed4dc911e9b3dbccfc9e8c62296

SHA512
99fdc338aec8f8cafb341da2278cf746d402511cfd152f026b0031851aeed6693743f0d293f6d01d402a113406821aa25bbd2b4c782caa95b9846d4d57bc9ad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4344012.exe

Filesize
565KB

MD5
93c373cfdcbdde6ad3f53d6b14978438

SHA1
4c8c78fb38c7f4dcec49bb88665cd1e4b63953c4

SHA256
4e3ba544182b8177e1ece4c62bb17b75aa823ed4dc911e9b3dbccfc9e8c62296

SHA512
99fdc338aec8f8cafb341da2278cf746d402511cfd152f026b0031851aeed6693743f0d293f6d01d402a113406821aa25bbd2b4c782caa95b9846d4d57bc9ad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g8058190.exe

Filesize
1.6MB

MD5
5d97fda027ffe88eed21b12d146be0db

SHA1
763d0dba37462dcb98e65fbce33df4e98f623c0e

SHA256
52df3ad4b0bf91d266394f1941d639c3d1813f11ef110aa4d31450adb2890aa8

SHA512
effb3c71145eb1680cea64e7aa350dff596e0a0e446a1ef45fd8a2719d3a65f00dcd065eb421d73e4d231ed34921c6fc109a55684e2518ac4eab7f6d9698135e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g8058190.exe

Filesize
1.6MB

MD5
5d97fda027ffe88eed21b12d146be0db

SHA1
763d0dba37462dcb98e65fbce33df4e98f623c0e

SHA256
52df3ad4b0bf91d266394f1941d639c3d1813f11ef110aa4d31450adb2890aa8

SHA512
effb3c71145eb1680cea64e7aa350dff596e0a0e446a1ef45fd8a2719d3a65f00dcd065eb421d73e4d231ed34921c6fc109a55684e2518ac4eab7f6d9698135e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i3269275.exe

Filesize
174KB

MD5
6ee4d4697a97b31a47bc50a1b73cac05

SHA1
1ce5cc480ac3281a4ea25ba9cdf2be4639baaddf

SHA256
6e07451dc3ee70f7a79e31544f590c2191e95ea06654acfdb1efc5fbb8cdbe1b

SHA512
a405ac1982023c2872266cf04110f904fc9becdaeb2477fd3e4fd31d739a91b549397df63b26ea4158068f844a61bbf18c853bd555a351fd437dbf3940cdcea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i3269275.exe

Filesize
174KB

MD5
6ee4d4697a97b31a47bc50a1b73cac05

SHA1
1ce5cc480ac3281a4ea25ba9cdf2be4639baaddf

SHA256
6e07451dc3ee70f7a79e31544f590c2191e95ea06654acfdb1efc5fbb8cdbe1b

SHA512
a405ac1982023c2872266cf04110f904fc9becdaeb2477fd3e4fd31d739a91b549397df63b26ea4158068f844a61bbf18c853bd555a351fd437dbf3940cdcea7

Download Submit
memory/2884-30-0x0000000000480000-0x00000000004B0000-memory.dmp

Filesize
192KB

Download
memory/2884-35-0x0000000005040000-0x000000000514A000-memory.dmp

Filesize
1.0MB

Download
memory/2884-44-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/2884-40-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/2884-39-0x0000000004FF0000-0x000000000503C000-memory.dmp

Filesize
304KB

Download
memory/2884-38-0x0000000004FB0000-0x0000000004FEC000-memory.dmp

Filesize
240KB

Download
memory/2884-37-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/2884-31-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/2884-32-0x0000000002950000-0x0000000002956000-memory.dmp

Filesize
24KB

Download
memory/2884-36-0x0000000004F50000-0x0000000004F62000-memory.dmp

Filesize
72KB

Download
memory/2884-34-0x0000000005550000-0x0000000005B68000-memory.dmp

Filesize
6.1MB

Download
memory/4108-1-0x0000000000400000-0x000000000053C000-memory.dmp

Filesize
1.2MB

Download
memory/4108-0-0x0000000000400000-0x000000000053C000-memory.dmp

Filesize
1.2MB

Download
memory/4108-8-0x0000000000400000-0x000000000053C000-memory.dmp

Filesize
1.2MB

Download
memory/4108-2-0x0000000000400000-0x000000000053C000-memory.dmp

Filesize
1.2MB

Download
memory/4108-3-0x0000000000400000-0x000000000053C000-memory.dmp

Filesize
1.2MB

Download
memory/4296-33-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/4296-26-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4296-41-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/4296-43-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download