healer | 7575b6a7ca1e6aeecfc397511f1b32b4a78d90e4766e4942510517290d09a617

Analysis

max time kernel
142s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 18:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b07c30e9c2f5b9fe74bfb66f2c8682edde02cb68cd4e8a75976cca328e48e60f.exe
Size

925KB
MD5

dd93ee60c259b6d6649066385f4244ee
SHA1

d07a767c2cc5a3f4e22536f80cd5403d48e79f31
SHA256

b07c30e9c2f5b9fe74bfb66f2c8682edde02cb68cd4e8a75976cca328e48e60f
SHA512

77da63cbd5f5c49e42b7c8d31388ce5a5f310ab7435e9200ad94f74339d371dd8e4100c1de2700f908c44f849e293b4ae80d8354c03e9c20ab5057df4d2d126f
SSDEEP

24576:jyvRZtvqBOv+fxZ0j5MqJu/2vUx4SoSoG:2vXtCVxZ06qg/lX

Score

10^/10

healer redline lamp dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

lamp

77.91.68.56:19071

Attributes

auth_value
ee1df63bcdbe3de70f52810d94eaff7d

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

Processes:

resource	yara_rule
behavioral14/memory/4364-28-0x0000000000570000-0x00000000005AE000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

k4201526.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k4201526.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k4201526.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k4201526.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k4201526.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k4201526.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k4201526.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral14/memory/4644-36-0x0000000002040000-0x00000000020CC000-memory.dmp	family_redline
behavioral14/memory/4644-42-0x0000000002040000-0x00000000020CC000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

Processes:

y2482363.exey5282091.exek4201526.exel6091152.exe

pid process

2472 y2482363.exe
220 y5282091.exe
4364 k4201526.exe
4644 l6091152.exe

pid	process
2472	y2482363.exe
220	y5282091.exe
4364	k4201526.exe
4644	l6091152.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

k4201526.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k4201526.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k4201526.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

b07c30e9c2f5b9fe74bfb66f2c8682edde02cb68cd4e8a75976cca328e48e60f.exey2482363.exey5282091.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b07c30e9c2f5b9fe74bfb66f2c8682edde02cb68cd4e8a75976cca328e48e60f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y2482363.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y5282091.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

k4201526.exe

pid process

4364 k4201526.exe
4364 k4201526.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

k4201526.exe

description pid process

Token: SeDebugPrivilege 4364 k4201526.exe

pid	process
4364	k4201526.exe
4364	k4201526.exe

description	pid	process
Token: SeDebugPrivilege	4364	k4201526.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

b07c30e9c2f5b9fe74bfb66f2c8682edde02cb68cd4e8a75976cca328e48e60f.exey2482363.exey5282091.exe

description	pid	process	target process
PID 1216 wrote to memory of 2472	1216	b07c30e9c2f5b9fe74bfb66f2c8682edde02cb68cd4e8a75976cca328e48e60f.exe	y2482363.exe
PID 1216 wrote to memory of 2472	1216	b07c30e9c2f5b9fe74bfb66f2c8682edde02cb68cd4e8a75976cca328e48e60f.exe	y2482363.exe
PID 1216 wrote to memory of 2472	1216	b07c30e9c2f5b9fe74bfb66f2c8682edde02cb68cd4e8a75976cca328e48e60f.exe	y2482363.exe
PID 2472 wrote to memory of 220	2472	y2482363.exe	y5282091.exe
PID 2472 wrote to memory of 220	2472	y2482363.exe	y5282091.exe
PID 2472 wrote to memory of 220	2472	y2482363.exe	y5282091.exe
PID 220 wrote to memory of 4364	220	y5282091.exe	k4201526.exe
PID 220 wrote to memory of 4364	220	y5282091.exe	k4201526.exe
PID 220 wrote to memory of 4364	220	y5282091.exe	k4201526.exe
PID 220 wrote to memory of 4644	220	y5282091.exe	l6091152.exe
PID 220 wrote to memory of 4644	220	y5282091.exe	l6091152.exe
PID 220 wrote to memory of 4644	220	y5282091.exe	l6091152.exe

C:\Users\Admin\AppData\Local\Temp\b07c30e9c2f5b9fe74bfb66f2c8682edde02cb68cd4e8a75976cca328e48e60f.exe
"C:\Users\Admin\AppData\Local\Temp\b07c30e9c2f5b9fe74bfb66f2c8682edde02cb68cd4e8a75976cca328e48e60f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2482363.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2482363.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5282091.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5282091.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:220
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4201526.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4201526.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4364
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6091152.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6091152.exe
      4⤵
      Executes dropped EXE
      PID:4644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4244,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=3900 /prefetch:8
1⤵
PID:4072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2482363.exe

Filesize
769KB

MD5
672bff291b38885617823399ef70b555

SHA1
4a7f60f83e53a7da12068d50e8e0a92c4633f187

SHA256
b536b905629c03cb86e63c1bf94b1cbf8a7a792df24d4904c4918e64d7c18fec

SHA512
167ecae7df2a247e326c6bb329953b19e41b2cff7e730e11a3f6fabf1aefb6c119f1cf2495388dec0961328c2e7b585b0b01b4ccc9ed32f6f206c56d08afb769

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5282091.exe

Filesize
585KB

MD5
b33a2914d46d878780b909b6f1c9e28a

SHA1
37365cb918168c76217112923047b8cb5fce24ff

SHA256
cd76d29e86c9061251c4db66dd62b6e9721e8f333e800e7b3e8dd3ab7f23384b

SHA512
1c42a950e9b4ad4c63d07b2da343cb273057337d379f38bbd7914de31b8a527b2c7b0bc9fe07a2096fd4726ca88a3c1df2e2e7a7d2a643b24f84aff32325ee49

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4201526.exe

Filesize
295KB

MD5
09eec7f364a56ec5491caf643ad17697

SHA1
6b1d0a4ca9ed4ced105e7eec6dfc2a7d3e65d415

SHA256
3c95a536651751d027c53005524d9d580917f52e4c0a0c30fac8f6fd55279cf3

SHA512
4f97ae75bdbac6f2c52c8189c31ee3b80c6991a15b017f0a5aac6feebe83c6505fefaf0d79c980f967bd5efec7c35961d30e50ddb19969a05be8aec5cdbbb1a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6091152.exe

Filesize
493KB

MD5
dc11c027caa1f3eca389e929921e4a1a

SHA1
7bc540dbfa7367f8c7e1761c4de6cb110aceda76

SHA256
cc338e14b24d1832ff2badca78ba12388cc65b05124b525e95080c969e805966

SHA512
b1153e9eecbf5bdae7093fc472f331f0c71aedeee8072fc54b9657986d42a5a653e88a8712fa9230bdf1bc516ff630e5c1c791ab41ed822b6592ff60103c5105

Download Submit
memory/4364-21-0x0000000000570000-0x00000000005AE000-memory.dmp

Filesize
248KB

Download
memory/4364-27-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download
memory/4364-28-0x0000000000570000-0x00000000005AE000-memory.dmp

Filesize
248KB

Download
memory/4364-29-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/4644-36-0x0000000002040000-0x00000000020CC000-memory.dmp

Filesize
560KB

Download
memory/4644-42-0x0000000002040000-0x00000000020CC000-memory.dmp

Filesize
560KB

Download
memory/4644-44-0x00000000022D0000-0x00000000022D6000-memory.dmp

Filesize
24KB

Download
memory/4644-45-0x0000000005E30000-0x0000000006448000-memory.dmp

Filesize
6.1MB

Download
memory/4644-46-0x0000000004A90000-0x0000000004B9A000-memory.dmp

Filesize
1.0MB

Download
memory/4644-47-0x0000000006470000-0x0000000006482000-memory.dmp

Filesize
72KB

Download
memory/4644-48-0x0000000006490000-0x00000000064CC000-memory.dmp

Filesize
240KB

Download
memory/4644-49-0x0000000006500000-0x000000000654C000-memory.dmp

Filesize
304KB

Download