healer | d66c5907218da0e1082f3a1318226d1c5bab6bd1ebb57b034a817b4c35495ac8

Analysis

max time kernel
142s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 09:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6fdb50a0079a54fd2c8a1914519edb8a2bee5d2cd01893a926c2b2b6fbb08759.exe
Size

496KB
MD5

9aef86abcad029040fa01e67befa91f9
SHA1

9dcbf47ce36595b3eefe59bb1ea833ae5e9d5065
SHA256

6fdb50a0079a54fd2c8a1914519edb8a2bee5d2cd01893a926c2b2b6fbb08759
SHA512

929d5efbf2ed51ded7b4d9a0a3c98cfb6ae8c6142e2dcb7f890e3d61243172d7efb24a367ad10165800dc96ac810fb204a9f3de239ff395e94f6305152af88b7
SSDEEP

12288:wMrty90BxdBF3rKeE9ITD0lIfcVLpOrxf5++O/:Ny4/BFVEzIBrxfg

Score

10^/10

healer redline mrak dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

mrak

77.91.124.82:19071

Attributes

auth_value
7d9a335ab5dfd42d374867c96fe25302

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral8/files/0x00080000000233d7-20.dat	healer
behavioral8/memory/720-22-0x0000000000F00000-0x0000000000F0A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a1812582.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a1812582.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a1812582.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a1812582.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a1812582.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a1812582.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral8/files/0x00070000000233d8-25.dat	family_redline
behavioral8/memory/3216-27-0x0000000000070000-0x00000000000A0000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
2748	v1155262.exe
4600	v8607123.exe
720	a1812582.exe
3216	c5253347.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a1812582.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6fdb50a0079a54fd2c8a1914519edb8a2bee5d2cd01893a926c2b2b6fbb08759.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v1155262.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v8607123.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
720	a1812582.exe
720	a1812582.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	720	a1812582.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 2748	2252	6fdb50a0079a54fd2c8a1914519edb8a2bee5d2cd01893a926c2b2b6fbb08759.exe	83
PID 2252 wrote to memory of 2748	2252	6fdb50a0079a54fd2c8a1914519edb8a2bee5d2cd01893a926c2b2b6fbb08759.exe	83
PID 2252 wrote to memory of 2748	2252	6fdb50a0079a54fd2c8a1914519edb8a2bee5d2cd01893a926c2b2b6fbb08759.exe	83
PID 2748 wrote to memory of 4600	2748	v1155262.exe	84
PID 2748 wrote to memory of 4600	2748	v1155262.exe	84
PID 2748 wrote to memory of 4600	2748	v1155262.exe	84
PID 4600 wrote to memory of 720	4600	v8607123.exe	85
PID 4600 wrote to memory of 720	4600	v8607123.exe	85
PID 4600 wrote to memory of 3216	4600	v8607123.exe	93
PID 4600 wrote to memory of 3216	4600	v8607123.exe	93
PID 4600 wrote to memory of 3216	4600	v8607123.exe	93

C:\Users\Admin\AppData\Local\Temp\6fdb50a0079a54fd2c8a1914519edb8a2bee5d2cd01893a926c2b2b6fbb08759.exe
"C:\Users\Admin\AppData\Local\Temp\6fdb50a0079a54fd2c8a1914519edb8a2bee5d2cd01893a926c2b2b6fbb08759.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1155262.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1155262.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8607123.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8607123.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4600
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1812582.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1812582.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:720
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5253347.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5253347.exe
      4⤵
      Executes dropped EXE
      PID:3216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1155262.exe

Filesize
371KB

MD5
fcf1f57155d18dc3eeeae3ba3024c5cd

SHA1
3c46a30cba2929a86ffa982c7214d4f9a05ea007

SHA256
871749affcfa66318f224cc36dba90f91a6b61711d9b0f60ca3a750fce692671

SHA512
75c0dfa105fbd900e09920e9997febcafd3c4fcdb48b0935bb964e48bca4776c5ae53d7ffbb1e5e8665680d37f2bd45b66f7c0a1b54321d5e785889b040e2150

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8607123.exe

Filesize
206KB

MD5
66e3b9b7f36e7de3e95b1c401fff6848

SHA1
50dcaf103c73dc81cf911605ebed639e1fa59219

SHA256
1a8d08a91d00544852fc393dd2837f086b6ed5db68d77eaebb912378c9a589ce

SHA512
823215218b7296cf325c8102730d5910c57a374d254c7e300d9a48f776efb01ea2e8a695fbfdb2b9f468154e8c0108e3fe1c159f58e45adc84ef733ad3417dc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1812582.exe

Filesize
11KB

MD5
7d232b9f7a79a7957af9ca7a3833e7a3

SHA1
053a701744f111bc3a16e7e0664582e1bdb21a36

SHA256
afcd27d1469fd1ee627590f52914fa97d67e63c8b61b56b5c05112bc6b72c537

SHA512
636a7ed235650653ca6a8cde12264733f37246d9654242880bb0475b9c73f504956f33fee3cca39477e23f4ddd24602586b9b73af69260db3a3604d68291d557

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5253347.exe

Filesize
175KB

MD5
766ebcd4226d2ce03977e88693cc8904

SHA1
0f3540079f6d4b0becf56de695684d10b3eb79b3

SHA256
c668bf6d646ee4e28aaa20f28a72e31b1f383af3d125650a4ac3b4ccdb875744

SHA512
64dd98eda60d7e667420d844540e7eea17aab19fad1a964fa16361adcb2b5b2220d6f43d4e0c45174772294401fba1b285dba209043001ee9cb59053e4062432

Download Submit
memory/720-21-0x00007FFD5B4D3000-0x00007FFD5B4D5000-memory.dmp

Filesize
8KB

Download
memory/720-22-0x0000000000F00000-0x0000000000F0A000-memory.dmp

Filesize
40KB

Download
memory/3216-27-0x0000000000070000-0x00000000000A0000-memory.dmp

Filesize
192KB

Download
memory/3216-28-0x00000000007E0000-0x00000000007E6000-memory.dmp

Filesize
24KB

Download
memory/3216-29-0x000000000A4E0000-0x000000000AAF8000-memory.dmp

Filesize
6.1MB

Download
memory/3216-30-0x000000000A020000-0x000000000A12A000-memory.dmp

Filesize
1.0MB

Download
memory/3216-31-0x0000000009F50000-0x0000000009F62000-memory.dmp

Filesize
72KB

Download
memory/3216-32-0x0000000009FB0000-0x0000000009FEC000-memory.dmp

Filesize
240KB

Download
memory/3216-33-0x00000000043B0000-0x00000000043FC000-memory.dmp

Filesize
304KB

Download