Analysis Overview
SHA256
cddf92f109d0b48b7d7fb3c7a424623be643cb2ae2a3feeb5dbaec0f2de91368
Threat Level: Known bad
The file cddf92f109d0b48b7d7fb3c7a424623be643cb2ae2a3feeb5dbaec0f2de91368 was found to be: Known bad.
Malicious Activity Summary
Detects Healer an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine payload
Healer
Healer family
Redline family
Windows security modification
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-04 13:57
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-04 13:57
Reported
2024-11-04 13:59
Platform
win10v2004-20241007-en
Max time kernel
142s
Max time network
150s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04122798.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04122798.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04122798.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04122798.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04122798.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04122798.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st006709.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04122798.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp956591.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04122798.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04122798.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\cddf92f109d0b48b7d7fb3c7a424623be643cb2ae2a3feeb5dbaec0f2de91368.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st006709.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp956591.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cddf92f109d0b48b7d7fb3c7a424623be643cb2ae2a3feeb5dbaec0f2de91368.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st006709.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04122798.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04122798.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04122798.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04122798.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp956591.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cddf92f109d0b48b7d7fb3c7a424623be643cb2ae2a3feeb5dbaec0f2de91368.exe
"C:\Users\Admin\AppData\Local\Temp\cddf92f109d0b48b7d7fb3c7a424623be643cb2ae2a3feeb5dbaec0f2de91368.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st006709.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st006709.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04122798.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04122798.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp956591.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp956591.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | | tcp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | | tcp |
| RU | 185.161.248.143:38452 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | | tcp |
| RU | 185.161.248.143:38452 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st006709.exe
| MD5 | b5358e924b1f5e831d0499355e445b4d |
| SHA1 | 86a6dbb2931d0863df71444beba43f8e26ea12c4 |
| SHA256 | 910341b9744085533e0a070fce0b1b747f97f76c6f38045cb9dfda3bcc3f85fe |
| SHA512 | 7d7f95a7e9cac8ead42a5565ab3ec8751b50699e6ba57e0410f6a32e7c87b43d6dc2e37c7471884c6efee4632788317aa2aa95eaea8088de23a1adcb89bd9ef5 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04122798.exe
| MD5 | 2b71f4b18ac8214a2bff547b6ce2f64f |
| SHA1 | b8f2f25139a7b2e8d5e8fbc024eb5cac518bc6a5 |
| SHA256 | f7eedf3aec775a62c265d1652686b30a8a45a953523e2fb3cfc1fac3c6a66fbc |
| SHA512 | 33518eff768610bf54f9888d9d0d746b0c3500dc5f2b8fd5f1641d5a264f657a8311b40364f70932512581183b244fec3feb535e21c13e0ec8adec9994175177 |
memory/4444-14-0x0000000073CCE000-0x0000000073CCF000-memory.dmp
memory/4444-15-0x0000000002050000-0x000000000206A000-memory.dmp
memory/4444-17-0x0000000004BA0000-0x0000000005144000-memory.dmp
memory/4444-16-0x0000000073CC0000-0x0000000074470000-memory.dmp
memory/4444-18-0x0000000073CC0000-0x0000000074470000-memory.dmp
memory/4444-19-0x0000000002440000-0x0000000002458000-memory.dmp
memory/4444-29-0x0000000002440000-0x0000000002453000-memory.dmp
memory/4444-47-0x0000000002440000-0x0000000002453000-memory.dmp
memory/4444-45-0x0000000002440000-0x0000000002453000-memory.dmp
memory/4444-43-0x0000000002440000-0x0000000002453000-memory.dmp
memory/4444-41-0x0000000002440000-0x0000000002453000-memory.dmp
memory/4444-39-0x0000000002440000-0x0000000002453000-memory.dmp
memory/4444-37-0x0000000002440000-0x0000000002453000-memory.dmp
memory/4444-35-0x0000000002440000-0x0000000002453000-memory.dmp
memory/4444-33-0x0000000002440000-0x0000000002453000-memory.dmp
memory/4444-31-0x0000000002440000-0x0000000002453000-memory.dmp
memory/4444-27-0x0000000002440000-0x0000000002453000-memory.dmp
memory/4444-25-0x0000000002440000-0x0000000002453000-memory.dmp
memory/4444-23-0x0000000002440000-0x0000000002453000-memory.dmp
memory/4444-21-0x0000000002440000-0x0000000002453000-memory.dmp
memory/4444-20-0x0000000002440000-0x0000000002453000-memory.dmp
memory/4444-48-0x0000000073CC0000-0x0000000074470000-memory.dmp
memory/4444-49-0x0000000073CCE000-0x0000000073CCF000-memory.dmp
memory/4444-50-0x0000000073CC0000-0x0000000074470000-memory.dmp
memory/4444-52-0x0000000073CC0000-0x0000000074470000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp956591.exe
| MD5 | 936efdf88e92c221a62e18fae00f517f |
| SHA1 | 77aa45464e97d367b75ba39d7340fed5039d00e5 |
| SHA256 | 3f57f27351c33bf50e4ad67558516e3b5bfe8e59b8f6d12543edd8180073dd73 |
| SHA512 | 972c5ca32e84476f0bf9b28be1340f722f5d8eaf4f06a3f4ca2dc6676b16d2d6b8969cbb602606d288e0ae6ff13731bc3405a5fe3e418b9c0ab70435cd6b3fe1 |
memory/4692-57-0x0000000004A80000-0x0000000004ABC000-memory.dmp
memory/4692-58-0x0000000004B20000-0x0000000004B5A000-memory.dmp
memory/4692-62-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/4692-68-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/4692-94-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/4692-92-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/4692-88-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/4692-86-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/4692-84-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/4692-83-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/4692-80-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/4692-78-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/4692-76-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/4692-74-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/4692-73-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/4692-66-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/4692-64-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/4692-90-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/4692-70-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/4692-60-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/4692-59-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/4692-851-0x0000000009D90000-0x000000000A3A8000-memory.dmp
memory/4692-852-0x00000000072D0000-0x00000000072E2000-memory.dmp
memory/4692-853-0x000000000A3B0000-0x000000000A4BA000-memory.dmp
memory/4692-854-0x0000000007300000-0x000000000733C000-memory.dmp
memory/4692-855-0x000000000A4F0000-0x000000000A53C000-memory.dmp