Analysis Overview
SHA256
a53587ef301becac798c694804c61691a814e0dc85d2fe5e131b152ab698c86b
Threat Level: Known bad
The file a53587ef301becac798c694804c61691a814e0dc85d2fe5e131b152ab698c86b was found to be: Known bad.
Malicious Activity Summary
Detects Healer, an antivirus disabler dropper
Healer
RedLine
RedLine payload
Modifies Windows Defender Real-time Protection settings
Redline family
Healer family
Executes dropped EXE
Windows security modification
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-04 13:59
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-04 13:59
Reported
2024-11-04 14:02
Platform
win10v2004-20241007-en
Max time kernel
142s
Max time network
153s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a6160051.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a6160051.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a6160051.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a6160051.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a6160051.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a6160051.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3318492.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a6160051.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3838268.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a6160051.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a6160051.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\a53587ef301becac798c694804c61691a814e0dc85d2fe5e131b152ab698c86b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3318492.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a53587ef301becac798c694804c61691a814e0dc85d2fe5e131b152ab698c86b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3318492.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a6160051.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3838268.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a6160051.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a6160051.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a53587ef301becac798c694804c61691a814e0dc85d2fe5e131b152ab698c86b.exe
"C:\Users\Admin\AppData\Local\Temp\a53587ef301becac798c694804c61691a814e0dc85d2fe5e131b152ab698c86b.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3318492.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3318492.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a6160051.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a6160051.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3838268.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3838268.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| CY | 217.196.96.101:4132 | N/A | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| CY | 217.196.96.101:4132 | N/A | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| CY | 217.196.96.101:4132 | N/A | tcp |
| CY | 217.196.96.101:4132 | N/A | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| CY | 217.196.96.101:4132 | N/A | tcp |
| CY | 217.196.96.101:4132 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3318492.exe
| MD5 | 6953d1bca5580c99bd95946ab4069582 |
| SHA1 | 42794607b797b874499c6716cb068b93d2ec7304 |
| SHA256 | 9e0490e64c429e7ba56d14de9ba4cffc6665ff7c57a055c91339d2b44413698b |
| SHA512 | a364a27c598c5f6a11dd17910348b83dccb027396d4558ad163e99a33969c11f0d31ec2a4333d09d53eb32763dc856517985b6d70628f60bfc0a5efb26e5ae69 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a6160051.exe
| MD5 | cd038e0fa9af945b65a3e71186ce96b0 |
| SHA1 | 4123c28be894d52133aa4730c63f7aaeb26cd10a |
| SHA256 | de85db8db02b28421bfdf1aced0691568decfc68c57f7d071ec5b56eb8b4b259 |
| SHA512 | 25f219af07fe773d2375918ce40aa8f953651d2f904f4c7107808d53b20b5638df12900f4ca310f36f92b69afab36645066843b2b737fa9a03ba0f6fec8401f0 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3838268.exe
| MD5 | 7d97289291e05aa2cdb4c3a7fe93f134 |
| SHA1 | 2b853f8f1d8f5eda6a308347d6251586d7f4266d |
| SHA256 | ba38a2267bf6c74c51cb2bbf0de462363e730e0888a86770eec0ccc6a444e27f |
| SHA512 | 39deca9ee61ccf8eaa123a926a8828fbf929e9c9a08abf34569c17de2bf6e6c0bd9a7048703d03d9adfd78fd6f2902d1f310a1afa48639ac88a398c69eec0135 |