healer | ccccf8efa3c68306fdbb396deb4f8b722aeb3c16e0814ecf3d32d045c4dfa13c

General

Target

ccccf8efa3c68306fdbb396deb4f8b722aeb3c16e0814ecf3d32d045c4dfa13c.exe
Size

689KB
MD5

972fccb408e5adc316919f4e000b8b48
SHA1

2a8841058febe82f88bea6e95ce6407e7d638bf1
SHA256

ccccf8efa3c68306fdbb396deb4f8b722aeb3c16e0814ecf3d32d045c4dfa13c
SHA512

63d784a71d57a367a5bad899bc77aa9a5cf84a7df0572775266b3cafdca03c07baa65681a60b7e511e1c6fc10814234b49d4fbb3acdfd9051ec41e4bb48e5db0
SSDEEP

12288:KMrxy90AHkifaqXl0nprZWrMdVL+JKizOcrNEfJs40S9P6KKNg:/yz9CqXl0nY4L+JlnNEfr0y6Kx

Score

10^/10

healer redline lint discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

lint

C2

193.233.20.28:4125

Attributes

auth_value
0e95262fb78243c67430f3148303e5b7

Signatures

Detects Healer an antivirus disabler dropper 19 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023cb6-19.dat	healer
behavioral1/memory/1708-22-0x0000000000710000-0x000000000071A000-memory.dmp	healer
behavioral1/memory/4740-29-0x00000000048E0000-0x00000000048FA000-memory.dmp	healer
behavioral1/memory/4740-31-0x0000000004C40000-0x0000000004C58000-memory.dmp	healer
behavioral1/memory/4740-32-0x0000000004C40000-0x0000000004C52000-memory.dmp	healer
behavioral1/memory/4740-41-0x0000000004C40000-0x0000000004C52000-memory.dmp	healer
behavioral1/memory/4740-59-0x0000000004C40000-0x0000000004C52000-memory.dmp	healer
behavioral1/memory/4740-58-0x0000000004C40000-0x0000000004C52000-memory.dmp	healer
behavioral1/memory/4740-55-0x0000000004C40000-0x0000000004C52000-memory.dmp	healer
behavioral1/memory/4740-53-0x0000000004C40000-0x0000000004C52000-memory.dmp	healer
behavioral1/memory/4740-51-0x0000000004C40000-0x0000000004C52000-memory.dmp	healer
behavioral1/memory/4740-49-0x0000000004C40000-0x0000000004C52000-memory.dmp	healer
behavioral1/memory/4740-47-0x0000000004C40000-0x0000000004C52000-memory.dmp	healer
behavioral1/memory/4740-45-0x0000000004C40000-0x0000000004C52000-memory.dmp	healer
behavioral1/memory/4740-43-0x0000000004C40000-0x0000000004C52000-memory.dmp	healer
behavioral1/memory/4740-39-0x0000000004C40000-0x0000000004C52000-memory.dmp	healer
behavioral1/memory/4740-37-0x0000000004C40000-0x0000000004C52000-memory.dmp	healer
behavioral1/memory/4740-35-0x0000000004C40000-0x0000000004C52000-memory.dmp	healer
behavioral1/memory/4740-33-0x0000000004C40000-0x0000000004C52000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	py41PA64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	py41PA64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	py41PA64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	ns1270fL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	ns1270fL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	ns1270fL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	ns1270fL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	py41PA64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	ns1270fL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	ns1270fL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	py41PA64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	py41PA64.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023cb4-64.dat	family_redline
behavioral1/memory/2584-66-0x0000000000750000-0x0000000000782000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 5 IoCs

pid	Process
1988	will4365.exe
860	will1157.exe
1708	ns1270fL.exe
4740	py41PA64.exe
2584	qs0146tM.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	ns1270fL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	py41PA64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	py41PA64.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ccccf8efa3c68306fdbb396deb4f8b722aeb3c16e0814ecf3d32d045c4dfa13c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	will4365.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	will1157.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2228	sc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3008	4740	WerFault.exe	94

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	will4365.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	will1157.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	py41PA64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qs0146tM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ccccf8efa3c68306fdbb396deb4f8b722aeb3c16e0814ecf3d32d045c4dfa13c.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1708	ns1270fL.exe
1708	ns1270fL.exe
4740	py41PA64.exe
4740	py41PA64.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1708	ns1270fL.exe
Token: SeDebugPrivilege	4740	py41PA64.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4752 wrote to memory of 1988	4752	ccccf8efa3c68306fdbb396deb4f8b722aeb3c16e0814ecf3d32d045c4dfa13c.exe	84
PID 4752 wrote to memory of 1988	4752	ccccf8efa3c68306fdbb396deb4f8b722aeb3c16e0814ecf3d32d045c4dfa13c.exe	84
PID 4752 wrote to memory of 1988	4752	ccccf8efa3c68306fdbb396deb4f8b722aeb3c16e0814ecf3d32d045c4dfa13c.exe	84
PID 1988 wrote to memory of 860	1988	will4365.exe	86
PID 1988 wrote to memory of 860	1988	will4365.exe	86
PID 1988 wrote to memory of 860	1988	will4365.exe	86
PID 860 wrote to memory of 1708	860	will1157.exe	87
PID 860 wrote to memory of 1708	860	will1157.exe	87
PID 860 wrote to memory of 4740	860	will1157.exe	94
PID 860 wrote to memory of 4740	860	will1157.exe	94
PID 860 wrote to memory of 4740	860	will1157.exe	94
PID 1988 wrote to memory of 2584	1988	will4365.exe	98
PID 1988 wrote to memory of 2584	1988	will4365.exe	98
PID 1988 wrote to memory of 2584	1988	will4365.exe	98

C:\Users\Admin\AppData\Local\Temp\ccccf8efa3c68306fdbb396deb4f8b722aeb3c16e0814ecf3d32d045c4dfa13c.exe
"C:\Users\Admin\AppData\Local\Temp\ccccf8efa3c68306fdbb396deb4f8b722aeb3c16e0814ecf3d32d045c4dfa13c.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will4365.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will4365.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will1157.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will1157.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:860
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns1270fL.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns1270fL.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1708
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py41PA64.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py41PA64.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4740
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 1096
        5⤵
        Program crash
        
        PID:3008
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs0146tM.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs0146tM.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4740 -ip 4740
1⤵
PID:4164

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will4365.exe

Filesize
502KB

MD5
01b4261a985178052bda755aa0890eda

SHA1
19706e7c8b648b6b921d1928935c7885cc07109c

SHA256
6463f41f27a680c0dd46430b41f241abc00f512ac5472a74b36f002391506cbd

SHA512
addbba3e54f5d552445105078b48fba7b71c27f1f38448a45f5efe1b387a22abe8eca8f2735cc25258b240bfeb8445f321a4dda9a4e6f7cded6c2a4d4d0b0e4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs0146tM.exe

Filesize
175KB

MD5
0ecc8ab62b7278cc6650517251f1543c

SHA1
b4273cda193a20d48e83241275ffc34ddad412f2

SHA256
b0f1238e54ac8e3534af7ecb4f834bea3223120fedb1eab80f7a1bf00fb5b97a

SHA512
c79d266c82b766ca39377fd02b3bc307fce4b59f53936e97c162200de3f8b3f72f6beda2aef2ab9ecd9be669b625c6ed0aaefa157cca7ac11d78b1939f660092

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will1157.exe

Filesize
357KB

MD5
cea0f7cd2834183c86db182b01ef5bb8

SHA1
ef36c855b340ea7f19b5257e8a75386ef5a925ef

SHA256
bf866ebb29761841aa29a6cd2d0909cf710e9333032ca2eff47ff09798e0f52c

SHA512
0e64046d647e9d922628f21862fa651380d5d46095a0b212c57c53ec3cb8aa6762f14580a124b1297266d6965c142ffddb4645a1e6054d6b590ce942f4a62eb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns1270fL.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py41PA64.exe

Filesize
337KB

MD5
1c455e53c0acc012367ef0e8b2a07417

SHA1
d40132ac0a53ee4233da9e6c55a413c4fb32b3b0

SHA256
65169453b47373de540d799403f0d97c7fef85a9a6bcb4dc787813ce708a5b71

SHA512
682fa4e67f94055d9f1519b16f89913a39b44370c30b1fa42b7b23462904ce01cc2a31d0a81d073d01c9f67da3951c493b8e43d977c1d44cbdbfd8f6f095ccb7

Download Submit
memory/1708-21-0x00007FFFD1D33000-0x00007FFFD1D35000-memory.dmp

Filesize
8KB

Download
memory/1708-23-0x00007FFFD1D33000-0x00007FFFD1D35000-memory.dmp

Filesize
8KB

Download
memory/1708-22-0x0000000000710000-0x000000000071A000-memory.dmp

Filesize
40KB

Download
memory/2584-71-0x0000000005200000-0x000000000524C000-memory.dmp

Filesize
304KB

Download
memory/2584-70-0x0000000005080000-0x00000000050BC000-memory.dmp

Filesize
240KB

Download
memory/2584-69-0x0000000005020000-0x0000000005032000-memory.dmp

Filesize
72KB

Download
memory/2584-68-0x00000000050F0000-0x00000000051FA000-memory.dmp

Filesize
1.0MB

Download
memory/2584-67-0x0000000005570000-0x0000000005B88000-memory.dmp

Filesize
6.1MB

Download
memory/2584-66-0x0000000000750000-0x0000000000782000-memory.dmp

Filesize
200KB

Download
memory/4740-51-0x0000000004C40000-0x0000000004C52000-memory.dmp

Filesize
72KB

Download
memory/4740-35-0x0000000004C40000-0x0000000004C52000-memory.dmp

Filesize
72KB

Download
memory/4740-55-0x0000000004C40000-0x0000000004C52000-memory.dmp

Filesize
72KB

Download
memory/4740-49-0x0000000004C40000-0x0000000004C52000-memory.dmp

Filesize
72KB

Download
memory/4740-47-0x0000000004C40000-0x0000000004C52000-memory.dmp

Filesize
72KB

Download
memory/4740-45-0x0000000004C40000-0x0000000004C52000-memory.dmp

Filesize
72KB

Download
memory/4740-43-0x0000000004C40000-0x0000000004C52000-memory.dmp

Filesize
72KB

Download
memory/4740-39-0x0000000004C40000-0x0000000004C52000-memory.dmp

Filesize
72KB

Download
memory/4740-37-0x0000000004C40000-0x0000000004C52000-memory.dmp

Filesize
72KB

Download
memory/4740-53-0x0000000004C40000-0x0000000004C52000-memory.dmp

Filesize
72KB

Download
memory/4740-33-0x0000000004C40000-0x0000000004C52000-memory.dmp

Filesize
72KB

Download
memory/4740-60-0x0000000000400000-0x0000000002B05000-memory.dmp

Filesize
39.0MB

Download
memory/4740-58-0x0000000004C40000-0x0000000004C52000-memory.dmp

Filesize
72KB

Download
memory/4740-59-0x0000000004C40000-0x0000000004C52000-memory.dmp

Filesize
72KB

Download
memory/4740-62-0x0000000000400000-0x0000000002B05000-memory.dmp

Filesize
39.0MB

Download
memory/4740-41-0x0000000004C40000-0x0000000004C52000-memory.dmp

Filesize
72KB

Download
memory/4740-32-0x0000000004C40000-0x0000000004C52000-memory.dmp

Filesize
72KB

Download
memory/4740-31-0x0000000004C40000-0x0000000004C58000-memory.dmp

Filesize
96KB

Download
memory/4740-30-0x0000000007210000-0x00000000077B4000-memory.dmp

Filesize
5.6MB

Download
memory/4740-29-0x00000000048E0000-0x00000000048FA000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads