Analysis Overview
SHA256
abb058cbee27b24a9e51c03ee4f66da2de85ccf69a93197f4dfd0f483d1aed6a
Threat Level: Known bad
The file abb058cbee27b24a9e51c03ee4f66da2de85ccf69a93197f4dfd0f483d1aed6a was found to be: Known bad.
Malicious Activity Summary
Healer
Detects Healer an antivirus disabler dropper
RedLine
Modifies Windows Defender Real-time Protection settings
RedLine payload
Redline family
Healer family
Executes dropped EXE
Windows security modification
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Program crash
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-04 13:57
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-04 13:57
Reported
2024-11-04 13:59
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
151s
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\18588871.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\18588871.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\18588871.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\18588871.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\18588871.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\18588871.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un207601.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\18588871.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk478581.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\18588871.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\18588871.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\abb058cbee27b24a9e51c03ee4f66da2de85ccf69a93197f4dfd0f483d1aed6a.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un207601.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\18588871.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\abb058cbee27b24a9e51c03ee4f66da2de85ccf69a93197f4dfd0f483d1aed6a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un207601.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\18588871.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk478581.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\18588871.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\18588871.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk478581.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\abb058cbee27b24a9e51c03ee4f66da2de85ccf69a93197f4dfd0f483d1aed6a.exe | "C:\Users\Admin\AppData\Local\Temp\abb058cbee27b24a9e51c03ee4f66da2de85ccf69a93197f4dfd0f483d1aed6a.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un207601.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un207601.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\18588871.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\18588871.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3608 -ip 3608 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 1080 |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk478581.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk478581.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| RU | 185.161.248.143:38452 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un207601.exe
| MD5 | a480a28f4555344cf98fc0b9d464c3a1 |
| SHA1 | 2e440cea08c21efa1ffb934c350923844ff268e7 |
| SHA256 | f0cd5b6a21cecab61465f9fa7338e3dcf0a3fd1e0bd27682342dcec3778d87e2 |
| SHA512 | 208557b261f0af0e33b47136ecd48ada17eea658ac88d505b1e95c0828373149774be7f9c371043cae0ba91b249087590ee5a59d0935555e216eb06c03f6e5d6 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\18588871.exe
| MD5 | 702734e87fe97e259588ca788822243c |
| SHA1 | 10af4841ab940aab4e7717d621a43689bf47007c |
| SHA256 | b40f6d2c2eac466d8cfba988dc177949d0502414685aaec9c6f7c8fc2a1a875a |
| SHA512 | 58c79f9457f5d4627b40045a12d558c900e5b1d97ad49d9656870be88e0b7ca4d7cd3e6f6eeccfe9ef1d9f94dcc3abbb4e3eb2001c76e481391d1982c0afa221 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk478581.exe
| MD5 | 7a93eb252e4e4758b443118876e5948b |
| SHA1 | 4d56c039d407a3406825d9d3ddc6930d401a1649 |
| SHA256 | c3e08559cecfc4ca4d9895285d95c1ece0538003a4efd292cc8df216a83b4c23 |
| SHA512 | 3416c86b2778dd9fa5942929ddc9248c8a081ce63e2c008894d422e2a0f594c7b8c76b4457feb34a90e2dca2f50a296a1566ca10a1e29864cb7549e5b8e8b7af |