healer | e22a5cadeacc1a9d95354d85bdc17f6ab2dc5d23efe7df6d3d4683fb7b881a52

Analysis

max time kernel
141s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16b83c892688e1869a75fcf88075e1a7a0983c284c41a7ff721e23cb6b9c9f86.exe
Size

389KB
MD5

1e6d0394a9335f03d83a7f498df12ec8
SHA1

aa25774159336873d0799b11546d7cec88ebca87
SHA256

16b83c892688e1869a75fcf88075e1a7a0983c284c41a7ff721e23cb6b9c9f86
SHA512

4bb7c4a3706e4056f6cc38e46dafab8e6bd463a148d5bc46197f7957f750d51c6d98903eeebe5b560283d1e15536bebad88c364e3776d5b804d99f36b8a17393
SSDEEP

6144:Kqy+bnr+gp0yN90QE+rBmAS9kW2PZNK9zG1evw+IsQnjCgK83sE6ZnRC7D4I/FWB:uMrIy90wsAS/kBQk6o7D4I6d

Score

10^/10

healer redline roma dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

roma

77.91.68.56:19071

Attributes

auth_value
f099c2cf92834dbc554a94e1456cf576

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9600155.exe	healer
behavioral3/memory/4732-15-0x0000000000150000-0x000000000015A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

p9600155.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	p9600155.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	p9600155.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	p9600155.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	p9600155.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	p9600155.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	p9600155.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7637580.exe	family_redline
behavioral3/memory/3248-20-0x0000000000580000-0x00000000005B0000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

z1368932.exep9600155.exer7637580.exe

pid process

2468 z1368932.exe
4732 p9600155.exe
3248 r7637580.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

p9600155.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" p9600155.exe

pid	process
2468	z1368932.exe
4732	p9600155.exe
3248	r7637580.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	p9600155.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

16b83c892688e1869a75fcf88075e1a7a0983c284c41a7ff721e23cb6b9c9f86.exez1368932.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	16b83c892688e1869a75fcf88075e1a7a0983c284c41a7ff721e23cb6b9c9f86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z1368932.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

p9600155.exe

pid process

4732 p9600155.exe
4732 p9600155.exe
4732 p9600155.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

p9600155.exe

description pid process

Token: SeDebugPrivilege 4732 p9600155.exe

pid	process
4732	p9600155.exe
4732	p9600155.exe
4732	p9600155.exe

description	pid	process
Token: SeDebugPrivilege	4732	p9600155.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

16b83c892688e1869a75fcf88075e1a7a0983c284c41a7ff721e23cb6b9c9f86.exez1368932.exe

description	pid	process	target process
PID 4868 wrote to memory of 2468	4868	16b83c892688e1869a75fcf88075e1a7a0983c284c41a7ff721e23cb6b9c9f86.exe	z1368932.exe
PID 4868 wrote to memory of 2468	4868	16b83c892688e1869a75fcf88075e1a7a0983c284c41a7ff721e23cb6b9c9f86.exe	z1368932.exe
PID 4868 wrote to memory of 2468	4868	16b83c892688e1869a75fcf88075e1a7a0983c284c41a7ff721e23cb6b9c9f86.exe	z1368932.exe
PID 2468 wrote to memory of 4732	2468	z1368932.exe	p9600155.exe
PID 2468 wrote to memory of 4732	2468	z1368932.exe	p9600155.exe
PID 2468 wrote to memory of 3248	2468	z1368932.exe	r7637580.exe
PID 2468 wrote to memory of 3248	2468	z1368932.exe	r7637580.exe
PID 2468 wrote to memory of 3248	2468	z1368932.exe	r7637580.exe

C:\Users\Admin\AppData\Local\Temp\16b83c892688e1869a75fcf88075e1a7a0983c284c41a7ff721e23cb6b9c9f86.exe
"C:\Users\Admin\AppData\Local\Temp\16b83c892688e1869a75fcf88075e1a7a0983c284c41a7ff721e23cb6b9c9f86.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4868

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1368932.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1368932.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2468

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9600155.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9600155.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4732

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7637580.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7637580.exe
3⤵
- Executes dropped EXE
PID:3248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4208,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=4120 /prefetch:8
1⤵
PID:4980

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1368932.exe
Filesize
206KB

MD5
f389811e3e6c0afdba444f02db669093

SHA1
2f67d8c13e1477415f6ef5408a2940c7739b21dc

SHA256
48da474cb540b3f33c0b78853f06ed9249618db3e5c4670d45b18a1a6180e0f2

SHA512
49c9acb85f437e75a43cb215e96fe13dc56f05595b27c57ecdb73516a5e53cfb21cb6a0faf38e32af69f72d1a4a358f08ad4e819e8944bf77ae9f46050e7787a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9600155.exe
Filesize
13KB

MD5
d3ed7b336677ab4edb046bcaadbf972f

SHA1
d8a6e54a5a4431f985a3157b93aaae0e04bb1325

SHA256
1109e4e67a017af633fad9733479bf067a924c950974c946c381958801a6d5bc

SHA512
6e2a47a5729043b9708f5a781159853b5b0f4c0a228309a7c427c5f4afcdff4f82f1f56e1f0a1defbcf15f5eb1ae4c8db22f84295c5ed3c8dbe3c82d8331cfc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7637580.exe
Filesize
175KB

MD5
e4232b49c9b6f09e99407fd03ad1a93d

SHA1
c6ed2f7d1587e1970b0f566ad5e5ade07404d9ae

SHA256
462107d8de1bad294f86e326dea00e9a1f04b9045f2370e57fe4948ed3688802

SHA512
ec8c6cfbe8d15468a5797eb15263d69cd129aae064b44350b0f641906dd745011df5f56831badaa725fc77f37882b5144452f9f811d1fa00594984bbff6f75f6

Download Submit
memory/3248-20-0x0000000000580000-0x00000000005B0000-memory.dmp

Filesize
192KB

Download
memory/3248-21-0x00000000027C0000-0x00000000027C6000-memory.dmp

Filesize
24KB

Download
memory/3248-22-0x000000000A9E0000-0x000000000AFF8000-memory.dmp

Filesize
6.1MB

Download
memory/3248-23-0x000000000A530000-0x000000000A63A000-memory.dmp

Filesize
1.0MB

Download
memory/3248-24-0x000000000A470000-0x000000000A482000-memory.dmp

Filesize
72KB

Download
memory/3248-25-0x000000000A4D0000-0x000000000A50C000-memory.dmp

Filesize
240KB

Download
memory/3248-26-0x0000000002720000-0x000000000276C000-memory.dmp

Filesize
304KB

Download
memory/4732-14-0x00007FFE9F703000-0x00007FFE9F705000-memory.dmp

Filesize
8KB

Download
memory/4732-15-0x0000000000150000-0x000000000015A000-memory.dmp

Filesize
40KB

Download