healer | 2685b451d5bc5d1cd7c159a87efdfacd5a60c314491404e6e60e752ba3db90cf

Analysis

max time kernel
149s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 15:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22c8884d0e33db7ed2cd497936f31b5efeaa43a037af2f4c61a1a768919a6334.exe
Size

479KB
MD5

c08646927da5c5d8a10d00dc194d535c
SHA1

b5ebe052683cece0e76c3bc4b6ed3ea69135fd6d
SHA256

22c8884d0e33db7ed2cd497936f31b5efeaa43a037af2f4c61a1a768919a6334
SHA512

4adfcf01a79d1c51f2d59ee76e8f123b7b978aca5e9d6b25806a06c69c1fd35c929c95b9031f060b9bda894bb251d8d028a7d0f7cce56e2f9a8a1d126091e5db
SSDEEP

12288:6MrCy904vqxlqBUm/MdW5c1u31PTaEtfhacB+GDm:syL8qpMAXhTDaoDm

Score

10^/10

healer redline dumud dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

dumud

217.196.96.101:4132

Attributes

auth_value
3e18d4b90418aa3e78d8822e87c62f5c

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral4/memory/2840-15-0x0000000002150000-0x000000000216A000-memory.dmp	healer
behavioral4/memory/2840-18-0x0000000002420000-0x0000000002438000-memory.dmp	healer
behavioral4/memory/2840-37-0x0000000002420000-0x0000000002432000-memory.dmp	healer
behavioral4/memory/2840-45-0x0000000002420000-0x0000000002432000-memory.dmp	healer
behavioral4/memory/2840-43-0x0000000002420000-0x0000000002432000-memory.dmp	healer
behavioral4/memory/2840-41-0x0000000002420000-0x0000000002432000-memory.dmp	healer
behavioral4/memory/2840-39-0x0000000002420000-0x0000000002432000-memory.dmp	healer
behavioral4/memory/2840-35-0x0000000002420000-0x0000000002432000-memory.dmp	healer
behavioral4/memory/2840-33-0x0000000002420000-0x0000000002432000-memory.dmp	healer
behavioral4/memory/2840-47-0x0000000002420000-0x0000000002432000-memory.dmp	healer
behavioral4/memory/2840-20-0x0000000002420000-0x0000000002432000-memory.dmp	healer
behavioral4/memory/2840-31-0x0000000002420000-0x0000000002432000-memory.dmp	healer
behavioral4/memory/2840-29-0x0000000002420000-0x0000000002432000-memory.dmp	healer
behavioral4/memory/2840-27-0x0000000002420000-0x0000000002432000-memory.dmp	healer
behavioral4/memory/2840-25-0x0000000002420000-0x0000000002432000-memory.dmp	healer
behavioral4/memory/2840-23-0x0000000002420000-0x0000000002432000-memory.dmp	healer
behavioral4/memory/2840-21-0x0000000002420000-0x0000000002432000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k8202175.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k8202175.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k8202175.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k8202175.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k8202175.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k8202175.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral4/files/0x000700000002342e-52.dat	family_redline
behavioral4/memory/4276-54-0x0000000000EE0000-0x0000000000F10000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
1536	y9059190.exe
2840	k8202175.exe
4276	l1357371.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k8202175.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k8202175.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	22c8884d0e33db7ed2cd497936f31b5efeaa43a037af2f4c61a1a768919a6334.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y9059190.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4056	sc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2840	k8202175.exe
2840	k8202175.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2840	k8202175.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 1536	2028	22c8884d0e33db7ed2cd497936f31b5efeaa43a037af2f4c61a1a768919a6334.exe	82
PID 2028 wrote to memory of 1536	2028	22c8884d0e33db7ed2cd497936f31b5efeaa43a037af2f4c61a1a768919a6334.exe	82
PID 2028 wrote to memory of 1536	2028	22c8884d0e33db7ed2cd497936f31b5efeaa43a037af2f4c61a1a768919a6334.exe	82
PID 1536 wrote to memory of 2840	1536	y9059190.exe	83
PID 1536 wrote to memory of 2840	1536	y9059190.exe	83
PID 1536 wrote to memory of 2840	1536	y9059190.exe	83
PID 1536 wrote to memory of 4276	1536	y9059190.exe	94
PID 1536 wrote to memory of 4276	1536	y9059190.exe	94
PID 1536 wrote to memory of 4276	1536	y9059190.exe	94

C:\Users\Admin\AppData\Local\Temp\22c8884d0e33db7ed2cd497936f31b5efeaa43a037af2f4c61a1a768919a6334.exe
"C:\Users\Admin\AppData\Local\Temp\22c8884d0e33db7ed2cd497936f31b5efeaa43a037af2f4c61a1a768919a6334.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9059190.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9059190.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8202175.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8202175.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2840
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1357371.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1357371.exe
    3⤵
    - Executes dropped EXE
    PID:4276

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:4056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9059190.exe

Filesize
307KB

MD5
ff629d5a8b6c5119b595f0dbf64ae3cc

SHA1
1d19a95932445aa394199c9c28f128d8e6ecb203

SHA256
4f4e29cb128488d30d32248cb2cc720bcd2a3a531f5757ba469b1e3291917c50

SHA512
f04b5e039818ccf823aa9a8836c392d457ddc3ad2e24d62acdba1da7ac429fe4e0c0547992b00c7a66f00524f6dcea85f8716d5ec8157e4c26835a077e0c708d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8202175.exe

Filesize
180KB

MD5
6747e2e8389b6373f7691d4959b92cd8

SHA1
a5220aca6ee687ef265d553907805c33a704c587

SHA256
45dd401476d48bed71dd2a28ae94f609bb6e0c16f29c2d7ab7dca4c6b29147ab

SHA512
846799b6b270280233e080724d6366d09d323fe01c134f3f56dca111489ded4d0186a1c5c6fc8820ed4cbbce4da9fc9bf5915fc9582f0ace1f95aaa695cc5860

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1357371.exe

Filesize
168KB

MD5
42a1f9b3a5a2c4c73e828d55fdaeaebd

SHA1
f277cd9b4ce1c3b4d0d531ee35bfbc364f7d751c

SHA256
9df439ac0f891b4ecc61aac64a0d37babce875a397f11e80cc29ad5063e3e520

SHA512
a7c9e8d175567e3d4dce71d10a1829d03826aa760ab237ed49ef8d79b7972225f5b9d84a563613294d37d97831bee0cf3355b4246275e7d181066b30ae624fc8

Download Submit
memory/2840-47-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/2840-16-0x0000000074070000-0x0000000074820000-memory.dmp

Filesize
7.7MB

Download
memory/2840-31-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/2840-18-0x0000000002420000-0x0000000002438000-memory.dmp

Filesize
96KB

Download
memory/2840-19-0x0000000074070000-0x0000000074820000-memory.dmp

Filesize
7.7MB

Download
memory/2840-37-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/2840-45-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/2840-43-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/2840-41-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/2840-39-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/2840-35-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/2840-48-0x0000000074070000-0x0000000074820000-memory.dmp

Filesize
7.7MB

Download
memory/2840-33-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/2840-15-0x0000000002150000-0x000000000216A000-memory.dmp

Filesize
104KB

Download
memory/2840-20-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/2840-17-0x0000000004C20000-0x00000000051C4000-memory.dmp

Filesize
5.6MB

Download
memory/2840-29-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/2840-27-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/2840-25-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/2840-23-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/2840-21-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/2840-50-0x0000000074070000-0x0000000074820000-memory.dmp

Filesize
7.7MB

Download
memory/2840-14-0x000000007407E000-0x000000007407F000-memory.dmp

Filesize
4KB

Download
memory/4276-54-0x0000000000EE0000-0x0000000000F10000-memory.dmp

Filesize
192KB

Download
memory/4276-55-0x00000000017D0000-0x00000000017D6000-memory.dmp

Filesize
24KB

Download
memory/4276-56-0x000000000B260000-0x000000000B878000-memory.dmp

Filesize
6.1MB

Download
memory/4276-57-0x000000000AD50000-0x000000000AE5A000-memory.dmp

Filesize
1.0MB

Download
memory/4276-58-0x000000000AC80000-0x000000000AC92000-memory.dmp

Filesize
72KB

Download
memory/4276-59-0x000000000ACE0000-0x000000000AD1C000-memory.dmp

Filesize
240KB

Download
memory/4276-60-0x00000000030D0000-0x000000000311C000-memory.dmp

Filesize
304KB

Download