Analysis Overview
SHA256
199a10d99194447252874e061991d15527be95978bebf2f08549b8323e3cd32a
Threat Level: Known bad
The file 199a10d99194447252874e061991d15527be95978bebf2f08549b8323e3cd32a was found to be: Known bad.
Malicious Activity Summary
Detects Healer, an antivirus disabler dropper
Healer
RedLine
Redline family
Modifies Windows Defender Real-time Protection settings
Healer family
RedLine payload
Checks computer location settings
Windows security modification
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-06 23:23
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-06 23:23
Reported
2024-11-06 23:26
Platform
win10v2004-20241007-en
Max time kernel
145s
Max time network
150s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr776495.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr776495.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr776495.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr776495.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr776495.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr776495.exe | N/A |
RedLine
RedLine payload
Redline family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu876598.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un348814.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un661698.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr776495.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu876598.exe | N/A |
| N/A | N/A | C:\Windows\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk404908.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr776495.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr776495.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un661698.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\199a10d99194447252874e061991d15527be95978bebf2f08549b8323e3cd32a.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un348814.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr776495.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu876598.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\199a10d99194447252874e061991d15527be95978bebf2f08549b8323e3cd32a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un348814.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un661698.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr776495.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu876598.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk404908.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr776495.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr776495.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr776495.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu876598.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\199a10d99194447252874e061991d15527be95978bebf2f08549b8323e3cd32a.exe
"C:\Users\Admin\AppData\Local\Temp\199a10d99194447252874e061991d15527be95978bebf2f08549b8323e3cd32a.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un348814.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un348814.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un661698.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un661698.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr776495.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr776495.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2676 -ip 2676
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 1080
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu876598.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu876598.exe
C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2212 -ip 2212
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 1388
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk404908.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk404908.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.161.248.90:4125 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un348814.exe
| MD5 | e4ef7dfd93dea32928ebeba3b2ce7bb9 |
| SHA1 | d898e18016487c44de13e376fc2a03ba52500c7f |
| SHA256 | fb984c3ea9bd73a5492cfb5f8cbe96efab00cccf05ff14339dc369c9d44cc6ad |
| SHA512 | 4eb41fbd9954e6323ebf1d0cb4e5b47909018a926fac6d513beb6e45ad0880c82b1d5632e304b795165363e4a1d363cbfe42811f5a7f7e9feeb8f21ddb034685 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un661698.exe
| MD5 | b1b17e50a2f82d03df9e21458a3b38bd |
| SHA1 | e784a0d759645adc7c2200f21a23e992797318b3 |
| SHA256 | 9f7947645dd14d4830abc380934766586345dc6503bf0d3070aea01cd17b1ade |
| SHA512 | b0884ccf4d2acfbe3b78d97a1b151d6ea8fff8d231da322c19a99c228a63fc3ddd17e7c07cb90ccbfaccae93757b8beb36153f9b3b59db37e4ce61360003da0b |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr776495.exe
| MD5 | e985998f41151beecdc63faae3fb48a6 |
| SHA1 | b5ddb794e981d65ea24b971460ad5ae6829bc425 |
| SHA256 | d2533596ac5658440b3e57d5ae6b53b6a8a5f016203b9e582fadca9347b7dbbe |
| SHA512 | cd82da593e5b90ce2c174ba3a3d9cee5c9539e0c37235d802e5c75efd4362190296f73ee30a1a93e514e11d964e2c283cb51964aa96f668adb7f01049dcacb38 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu876598.exe
| MD5 | 0f124e24fe73195dd107aab785488ca9 |
| SHA1 | 22d33378786cca1d90b5f49358fb93156cb52a45 |
| SHA256 | 77fe098332cb95ab56650e8512439805bcad3d2863a519369c4c5b1e5ff78cb6 |
| SHA512 | d2351dc6355f4d6cf3290c2c84ba2560a5df289cdb28bd410af1edbeb7cf6423e1fa8354e8e65336daec0bec74624f323b4f13ab5eed2c95b77189ba119343e9 |
C:\Windows\Temp\1.exe
| MD5 | 03728fed675bcde5256342183b1d6f27 |
| SHA1 | d13eace7d3d92f93756504b274777cc269b222a2 |
| SHA256 | f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0 |
| SHA512 | 6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk404908.exe
| MD5 | 8abb261bd0e7255e98af2fdcc12caa64 |
| SHA1 | 880211c94ad958f54123bf8e38bf536e37448af8 |
| SHA256 | 43398a966aeef51c58f3520b0b4ae432ccb3e96641b59fcb1e3522739520701d |
| SHA512 | 9d512eeb75ae89e32963d6b1ceb129d8274de4bc1d3950c6041d8da6e931c0eb0652d9770c95b528abbfb5d8b34cf9b71ff8380007284429eae143cdea61a2c4 |