healer | 54a724762de2b08068bc2bf0fc6c7404bb89bdf62f75cac32b4fb8687c10c747

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
13-05-2024 08:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

062bf5eda95fa04c7146882ac1efb5ae43eaee0cd4c121db8c1c2edf9412932b.exe
Size

1.0MB
MD5

22b5f7bbf08fd60f2ee850f51efede9e
SHA1

9ad6d7fdfda1459be16d4e59547a0d933f7c9551
SHA256

062bf5eda95fa04c7146882ac1efb5ae43eaee0cd4c121db8c1c2edf9412932b
SHA512

6fcb688dd391ed951fef4cd75c8935f65dde1f99658eb8b3438f40837050eb77cdd5425b0325c0b4df069a8dc83bc9ae53d464612f76ebb4914f222f22272744
SSDEEP

24576:XypmCQ2FZ4/Ldo7RGJawprnjhmJcVGTEq:ivFsLdQRIrjYc7

Score

10^/10

healer redline masha dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

masha

77.91.68.48:19071

Attributes

auth_value
55b9b39a0dae383196a4b8d79e5bb805

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/memory/2752-34-0x00000000005C0000-0x00000000005FE000-memory.dmp	healer
behavioral1/files/0x000700000002342d-39.dat	healer
behavioral1/memory/60-41-0x0000000000930000-0x000000000093A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a6312790.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	b2598163.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	b2598163.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	b2598163.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	b2598163.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a6312790.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a6312790.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a6312790.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	b2598163.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	b2598163.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a6312790.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a6312790.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/memory/2016-46-0x00000000006A0000-0x000000000072C000-memory.dmp	family_redline
behavioral1/memory/2016-53-0x00000000006A0000-0x000000000072C000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
1512	v0411721.exe
1344	v7601960.exe
1592	v4320645.exe
2752	a6312790.exe
60	b2598163.exe
2016	c6769239.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a6312790.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a6312790.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	b2598163.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v4320645.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	062bf5eda95fa04c7146882ac1efb5ae43eaee0cd4c121db8c1c2edf9412932b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v0411721.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v7601960.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2752	a6312790.exe
2752	a6312790.exe
60	b2598163.exe
60	b2598163.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2752	a6312790.exe
Token: SeDebugPrivilege	60	b2598163.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 1512	2096	062bf5eda95fa04c7146882ac1efb5ae43eaee0cd4c121db8c1c2edf9412932b.exe	82
PID 2096 wrote to memory of 1512	2096	062bf5eda95fa04c7146882ac1efb5ae43eaee0cd4c121db8c1c2edf9412932b.exe	82
PID 2096 wrote to memory of 1512	2096	062bf5eda95fa04c7146882ac1efb5ae43eaee0cd4c121db8c1c2edf9412932b.exe	82
PID 1512 wrote to memory of 1344	1512	v0411721.exe	83
PID 1512 wrote to memory of 1344	1512	v0411721.exe	83
PID 1512 wrote to memory of 1344	1512	v0411721.exe	83
PID 1344 wrote to memory of 1592	1344	v7601960.exe	84
PID 1344 wrote to memory of 1592	1344	v7601960.exe	84
PID 1344 wrote to memory of 1592	1344	v7601960.exe	84
PID 1592 wrote to memory of 2752	1592	v4320645.exe	85
PID 1592 wrote to memory of 2752	1592	v4320645.exe	85
PID 1592 wrote to memory of 2752	1592	v4320645.exe	85
PID 1592 wrote to memory of 60	1592	v4320645.exe	96
PID 1592 wrote to memory of 60	1592	v4320645.exe	96
PID 1344 wrote to memory of 2016	1344	v7601960.exe	97
PID 1344 wrote to memory of 2016	1344	v7601960.exe	97
PID 1344 wrote to memory of 2016	1344	v7601960.exe	97

C:\Users\Admin\AppData\Local\Temp\062bf5eda95fa04c7146882ac1efb5ae43eaee0cd4c121db8c1c2edf9412932b.exe
"C:\Users\Admin\AppData\Local\Temp\062bf5eda95fa04c7146882ac1efb5ae43eaee0cd4c121db8c1c2edf9412932b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0411721.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0411721.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7601960.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7601960.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1344
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4320645.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4320645.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1592
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6312790.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6312790.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2598163.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2598163.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:60
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c6769239.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c6769239.exe
      4⤵
      Executes dropped EXE
      PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0411721.exe

Filesize
905KB

MD5
ad72cc6886ddff9914f13887f2adb384

SHA1
646f777611a343ca5676544cb133858d7cfca913

SHA256
f7770eb0c170f8c0abea65c7263a80f050ea570adf35e2460162d643105aa9af

SHA512
6e278a2937b63e053a8ca8629a0c5440d8d6fdbca2242a9229c93f15f6738ad3db4efd3a26cbd3109b1badca740ddb295c97195e410e3cddfb8df8af92f5f864

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7601960.exe

Filesize
722KB

MD5
9a9f44c2cded730a89314f521133faa0

SHA1
7c5706e40c464c079ff9e2acd4163aa74a4b7226

SHA256
586c545ddb2ef72b6b95afd33bba893eeab7366d9f58d887c33a56bdc38cd73b

SHA512
7f4cf9a87bb11de5790431576b0c81e8f6f491cd5a9854bc199ab5b3705d355ea76d84b0db2efe447feaec1664d2b218caa64f220da938802f69189ad98e2623

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c6769239.exe

Filesize
493KB

MD5
e63cc9c1471d127ec04f223f9d44f012

SHA1
33f5fd6f7d716718e93a1bee8d84de505876a8f7

SHA256
3ce41fc47f271a4fb98bd149c8ddbaa5ef669d8c89660491381e14c956acbe33

SHA512
4bd33c967ddad776367dc22e4ae5afc67f4e5f770a273d37d0e222e1b1f5cd1331a395f059a839c752ef5dec110c881fa8f6f418782f21a1b0fcd706520c5d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4320645.exe

Filesize
324KB

MD5
8c47da470aa374be9794b719e021713c

SHA1
524629f0104071c313325aca963022b7c72f5620

SHA256
35e80fe8662be45ceadb1a7aaaacd22b553fb653f68140f16873a4b2c2b7b745

SHA512
82018124afa90be176377af552765e3b25b5ceecf40c7c3fa6d8286d2edb39bcb46d2f462e54ee6abf7e4909dd3f87fbf0984ec19ad5f70cc9b6bc618fe569a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6312790.exe

Filesize
295KB

MD5
fd942d1fea79616e292401f55de80dea

SHA1
8c9d24388d605b3b992c2672c26c7e0a09e2d832

SHA256
8a6ca862f1c502f9d0581b868d997097b3e94d4296cfde25a9fe448f6f6682bc

SHA512
efdd894a48c1dd26791c57a0ac3e8654da876b6fc1947b385081c8b1548389d11f5c31081ab13e99c75769b2393aa6a43147ffb815cd6c88cb63156e8539b223

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2598163.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
memory/60-41-0x0000000000930000-0x000000000093A000-memory.dmp

Filesize
40KB

Download
memory/2016-53-0x00000000006A0000-0x000000000072C000-memory.dmp

Filesize
560KB

Download
memory/2016-46-0x00000000006A0000-0x000000000072C000-memory.dmp

Filesize
560KB

Download
memory/2016-55-0x00000000043F0000-0x00000000043F6000-memory.dmp

Filesize
24KB

Download
memory/2016-56-0x00000000049F0000-0x0000000005008000-memory.dmp

Filesize
6.1MB

Download
memory/2016-57-0x00000000050A0000-0x00000000051AA000-memory.dmp

Filesize
1.0MB

Download
memory/2016-58-0x00000000051D0000-0x00000000051E2000-memory.dmp

Filesize
72KB

Download
memory/2016-59-0x00000000051F0000-0x000000000522C000-memory.dmp

Filesize
240KB

Download
memory/2016-60-0x0000000005260000-0x00000000052AC000-memory.dmp

Filesize
304KB

Download
memory/2752-34-0x00000000005C0000-0x00000000005FE000-memory.dmp

Filesize
248KB

Download
memory/2752-35-0x0000000006A90000-0x0000000006A91000-memory.dmp

Filesize
4KB

Download
memory/2752-28-0x00000000005C0000-0x00000000005FE000-memory.dmp

Filesize
248KB

Download