Analysis Overview
SHA256
0339905c8bf3f9bf516b34b943617b08385c97f299d72a39c1af7689f5077a89
Threat Level: Known bad
The file 0339905c8bf3f9bf516b34b943617b08385c97f299d72a39c1af7689f5077a89 was found to be: Known bad.
Malicious Activity Summary
Detects Healer an antivirus disabler dropper
Healer
Redline family
RedLine payload
RedLine
Modifies Windows Defender Real-time Protection settings
Healer family
Executes dropped EXE
Windows security modification
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-04 14:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-04 14:01
Reported
2024-11-04 14:04
Platform
win10v2004-20241007-en
Max time kernel
139s
Max time network
148s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5795935.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5795935.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5795935.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5795935.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5795935.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5795935.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2275570.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5795935.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7874828.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5795935.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5795935.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\0339905c8bf3f9bf516b34b943617b08385c97f299d72a39c1af7689f5077a89.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2275570.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2275570.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5795935.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7874828.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0339905c8bf3f9bf516b34b943617b08385c97f299d72a39c1af7689f5077a89.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5795935.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5795935.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5795935.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\0339905c8bf3f9bf516b34b943617b08385c97f299d72a39c1af7689f5077a89.exe | "C:\Users\Admin\AppData\Local\Temp\0339905c8bf3f9bf516b34b943617b08385c97f299d72a39c1af7689f5077a89.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2275570.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2275570.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5795935.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5795935.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7874828.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7874828.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| FI | 77.91.124.251:19069 | | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| FI | 77.91.124.251:19069 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| FI | 77.91.124.251:19069 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| FI | 77.91.124.251:19069 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| FI | 77.91.124.251:19069 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| FI | 77.91.124.251:19069 | | tcp |
| US | 8.8.8.8:53 | 210.143.182.52.in-addr.arpa | udp |
| FI | 77.91.124.251:19069 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2275570.exe
| Hash | Value |
| --- | --- |
| MD5 | 10ad2fb448226789680845e8f8950e91 |
| SHA1 | fff24f74ec3fa537e4a042e89dd6d49e6e21c704 |
| SHA256 | 41715fe7b51fa890f1f8dc7d0f5c6dec915528f40d53cee9077d4f2a4f9120fd |
| SHA512 | 9c8d093893d8376345baa5bb5b8320e8466bf45f219a537712d6787b470f1d88638b6326df26c09caec53f0fa8118e14c435861ef2cbf3c585e3063c2a6e75c2 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5795935.exe
| Hash | Value |
| --- | --- |
| MD5 | c5a393d4ce32c576c89bdf41524f7888 |
| SHA1 | adffbae0ac1f18d2d83e5bae3f900ac537bb85a8 |
| SHA256 | b8e336e6cb7f279db22ad97bbe64efc8401e29667a3388bcd7083b37b461cf3c |
| SHA512 | a3b3ca3f15b64cecf220df05a1f8408981cfaadaa8ff296995a10cf81437eac5077df2fb226c11f51831895e6da08a0639b8e326d5b4ff72377c00604d1ae5e3 |
memory/3224-14-0x000000007442E000-0x000000007442F000-memory.dmp
memory/3224-15-0x00000000023C0000-0x00000000023DA000-memory.dmp
memory/3224-16-0x0000000074420000-0x0000000074BD0000-memory.dmp
memory/3224-17-0x0000000074420000-0x0000000074BD0000-memory.dmp
memory/3224-18-0x00000000049A0000-0x0000000004F44000-memory.dmp
memory/3224-19-0x0000000004F50000-0x0000000004F68000-memory.dmp
memory/3224-23-0x0000000004F50000-0x0000000004F62000-memory.dmp
memory/3224-45-0x0000000004F50000-0x0000000004F62000-memory.dmp
memory/3224-43-0x0000000004F50000-0x0000000004F62000-memory.dmp
memory/3224-41-0x0000000004F50000-0x0000000004F62000-memory.dmp
memory/3224-39-0x0000000004F50000-0x0000000004F62000-memory.dmp
memory/3224-37-0x0000000004F50000-0x0000000004F62000-memory.dmp
memory/3224-35-0x0000000004F50000-0x0000000004F62000-memory.dmp
memory/3224-47-0x0000000004F50000-0x0000000004F62000-memory.dmp
memory/3224-33-0x0000000004F50000-0x0000000004F62000-memory.dmp
memory/3224-31-0x0000000004F50000-0x0000000004F62000-memory.dmp
memory/3224-29-0x0000000004F50000-0x0000000004F62000-memory.dmp
memory/3224-27-0x0000000004F50000-0x0000000004F62000-memory.dmp
memory/3224-25-0x0000000004F50000-0x0000000004F62000-memory.dmp
memory/3224-21-0x0000000004F50000-0x0000000004F62000-memory.dmp
memory/3224-20-0x0000000004F50000-0x0000000004F62000-memory.dmp
memory/3224-48-0x000000007442E000-0x000000007442F000-memory.dmp
memory/3224-49-0x0000000074420000-0x0000000074BD0000-memory.dmp
memory/3224-51-0x0000000074420000-0x0000000074BD0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7874828.exe
| Hash | Value |
| --- | --- |
| MD5 | aa58b7b3574c62db924a54991a5b776d |
| SHA1 | 0e18b2adc0eb9dd245689381e4c0aa1276d1d9a0 |
| SHA256 | 8d8667c611c544271086cf06704e7daaace3f55c92af6400c720193c50624d2c |
| SHA512 | 89e09957c6ab03148f9bba35e754f57b9bec63e4f4387578ff4a1232c4b15cfa89485797a2a38e2f54810a2475c65731f4bd4882964dce5f77e4a31a20874730 |
memory/840-55-0x0000000000C30000-0x0000000000C58000-memory.dmp
memory/840-56-0x0000000007F40000-0x0000000008558000-memory.dmp
memory/840-57-0x0000000007950000-0x0000000007962000-memory.dmp
memory/840-58-0x0000000007AC0000-0x0000000007BCA000-memory.dmp
memory/840-59-0x00000000079F0000-0x0000000007A2C000-memory.dmp
memory/840-60-0x0000000004ED0000-0x0000000004F1C000-memory.dmp