Analysis Overview
SHA256
a9c719cd3711701f407220c215b9377f88b7f6984f16c8071b589ebb4816bbac
Threat Level: Known bad
The file a9c719cd3711701f407220c215b9377f88b7f6984f16c8071b589ebb4816bbac was found to be: Known bad.
Malicious Activity Summary
RedLine
Healer
Healer family
Detects Healer, an antivirus-disabler dropper
RedLine payload
Redline family
Modifies Windows Defender Real-time Protection settings
Windows security modification
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Launches sc.exe
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Program crash
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-06 23:51
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-06 23:51
Reported
2024-11-06 23:56
Platform
win10v2004-20241007-en
Max time kernel
143s
Max time network
144s
Command Line
Signatures
Detects Healer, an antivirus-disabler dropper
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr734358.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr734358.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr734358.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr734358.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr734358.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr734358.exe | N/A |
RedLine
RedLine payload
Redline family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu793734.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un508965.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un524319.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr734358.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu793734.exe | N/A |
| N/A | N/A | C:\Windows\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk806576.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr734358.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr734358.exe | N/A |
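The two tables above ("Modifies Windows Defender Real-time Protection settings" and "Windows security modification") are the report's most actionable host indicators: pr734358.exe writes five Disable* values under the Real-Time Protection policy key and sets Features\TamperProtection to 0. The following is an added example, not part of the sandbox report: it parses those rows as printed, maps the native \REGISTRY\MACHINE\... paths to the HKLM form a Sysmon Event ID 13 (RegistryEvent SetValue) record would carry, strips the WOW6432Node segment so 32-bit and 64-bit writers hit the same rule, and evaluates two findings over the parsed rows plus constructed sample events. The Sysmon-style field names and the benign svchost.exe event are assumptions for illustration.

```python
"""Detection for the Defender tampering recorded in this report.

Added example; not part of the sandbox report. It parses the report's
'Set value' rows, normalizes the native registry paths they carry
(\\REGISTRY\\MACHINE\\... as logged for a 32-bit process under WOW64) to the
HKLM form a Sysmon Event ID 13 record would show, and evaluates two rules
over both the parsed rows and constructed sample events.
"""
import re
from dataclasses import dataclass
from typing import Optional

HIVE_MAP = {r"\REGISTRY\MACHINE": "HKLM", r"\REGISTRY\USER": "HKU"}

# Value names under ...\Windows Defender\Real-Time Protection that, when set
# to 1 under the Policies key, switch parts of real-time protection off.
RTP_DISABLE_VALUES = {
    "DisableBehaviorMonitoring", "DisableIOAVProtection",
    "DisableOnAccessProtection", "DisableRealtimeMonitoring",
    "DisableScanOnRealtimeEnable",
}
RTP_POLICY_KEY = r"hklm\software\policies\microsoft\windows defender\real-time protection"
FEATURES_KEY = r"hklm\software\microsoft\windows defender\features"


@dataclass(frozen=True)
class RegSetEvent:
    image: str    # writing process
    target: str   # Sysmon-style TargetObject, e.g. HKLM\SOFTWARE\...
    details: str  # new data as Sysmon renders it, e.g. "DWORD (0x00000001)"


def normalize_native_path(path: str) -> str:
    """\\REGISTRY\\MACHINE\\X -> HKLM\\X, \\REGISTRY\\USER\\X -> HKU\\X."""
    for native, hive in HIVE_MAP.items():
        if path.lower().startswith(native.lower()):
            return hive + path[len(native):]
    return path


ROW_RE = re.compile(r'\|\s*Set value \((\w+)\)\s*\|\s*(.+?)\s*=\s*"([^"]*)"\s*\|\s*(.+?)\s*\|')


def parse_report_row(line: str) -> Optional[RegSetEvent]:
    """Turn one 'Set value (int|str)' row of the report into a RegSetEvent."""
    m = ROW_RE.search(line)
    if not m:
        return None
    kind, path, data, image = m.groups()
    details = f"DWORD (0x{int(data):08x})" if kind == "int" else data
    return RegSetEvent(image=image, target=normalize_native_path(path), details=details)


def strip_wow6432(target: str) -> str:
    """Drop the WOW64 redirection segment so 32- and 64-bit writes hit one rule."""
    return re.sub(r"\\WOW6432Node\\", r"\\", target, flags=re.IGNORECASE)


def dword_value(details: str) -> Optional[int]:
    m = re.fullmatch(r"DWORD \(0x([0-9A-Fa-f]{8})\)", details)
    return int(m.group(1), 16) if m else None


def classify(event: RegSetEvent) -> Optional[str]:
    """Name the finding a registry write represents, or None if it is not one."""
    key, _, value_name = strip_wow6432(event.target).rpartition("\\")
    val = dword_value(event.details)
    if key.lower() == RTP_POLICY_KEY and value_name in RTP_DISABLE_VALUES and val == 1:
        return "defender_rtp_disabled_by_policy"
    if key.lower() == FEATURES_KEY and value_name.lower() == "tamperprotection" and val == 0:
        return "defender_tamper_protection_off"
    return None


def findings(events):
    return [(e.image, f) for e in events if (f := classify(e)) is not None]


# Rows copied from the report (the process column is the stage that wrote the value).
REPORT_ROWS = [
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr734358.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr734358.exe | N/A |',
]

# Constructed Sysmon-style events (not from the report): a 64-bit process
# re-enabling real-time protection must not fire, and the wextract RunOnce
# string value must not fire under these two rules either.
SAMPLE_EVENTS = [
    RegSetEvent(r"C:\Windows\System32\svchost.exe",
                r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
                "DWORD (0x00000000)"),
    RegSetEvent(r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un508965.exe",
                r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1",
                r"rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32"),
]

if __name__ == "__main__":
    events = [parse_report_row(r) for r in REPORT_ROWS] + SAMPLE_EVENTS
    for image, name in findings(events):
        print(f"{name}: {image}")
```

The WOW6432Node handling is the caveat worth keeping: pr734358.exe is a 32-bit binary, so its writes to HKLM\SOFTWARE\Policies\... are redirected and logged under the WOW6432Node path. A rule that only matches the unredirected key will miss this sample, and a rule that only matches WOW6432Node will miss a 64-bit variant.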
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\a9c719cd3711701f407220c215b9377f88b7f6984f16c8071b589ebb4816bbac.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un508965.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un524319.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr734358.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu793734.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr734358.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu793734.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk806576.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a9c719cd3711701f407220c215b9377f88b7f6984f16c8071b589ebb4816bbac.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un508965.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un524319.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr734358.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr734358.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr734358.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu793734.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\a9c719cd3711701f407220c215b9377f88b7f6984f16c8071b589ebb4816bbac.exe | "C:\Users\Admin\AppData\Local\Temp\a9c719cd3711701f407220c215b9377f88b7f6984f16c8071b589ebb4816bbac.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un508965.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un508965.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un524319.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un524319.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr734358.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr734358.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3756 -ip 3756 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 1104 |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu793734.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu793734.exe |
| C:\Windows\Temp\1.exe | "C:\Windows\Temp\1.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1724 -ip 1724 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 1380 |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk806576.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk806576.exe |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe start wuauserv |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
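The Network table mixes two very different things: PTR (in-addr.arpa) lookups the guest sent to 8.8.8.8, which only tell you which addresses the OS and the sample were resolving names for, and repeated TCP connections to 185.161.248.90:4125 with no preceding DNS query, which is the hard-coded-IP C2 pattern. The following is an added example, not part of the sandbox report: it parses rows in the form the report prints them (tolerating the empty Domain cell on the TCP rows), decodes each in-addr.arpa name back to the IPv4 address that was looked up, and separates the two classes into an IOC summary. The excerpt embedded in the block is copied from the table above; the "C2 candidate" heuristic (repeated connects to a non-standard port) is an assumption of this example.

```python
"""Sort the report's Network table into IOCs.

Added example; not part of the sandbox report. It parses table rows as the
report prints them (the TCP rows have an empty Domain cell), decodes
in-addr.arpa PTR names back to the IPv4 address that was looked up, and
separates reverse lookups the guest sent to 8.8.8.8 from direct connections.
"""
import re
from collections import Counter

PTR_RE = re.compile(r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$")


def ptr_to_ip(name: str):
    """'149.220.183.52.in-addr.arpa' -> '52.183.220.149'; None for other names."""
    m = PTR_RE.fullmatch(name.strip())
    return ".".join(reversed(m.groups())) if m else None


def parse_row(line: str):
    """Split '| CC | host:port | domain | proto |' into a dict, tolerating a blank domain."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) < 3 or cells[0] == "Country":
        return None
    country, dest = cells[0], cells[1]
    proto = next((c for c in cells[2:] if c.lower() in ("tcp", "udp")), "")
    domain = next((c for c in cells[2:] if c and c.lower() not in ("tcp", "udp")), "")
    return {"country": country, "dest": dest, "domain": domain, "proto": proto}


def summarize(rows):
    """Return {'ptr_lookups': {ip: count}, 'connections': {dest: count}, 'c2_candidates': [...]}."""
    ptr = Counter()
    conns = Counter()
    for line in rows:
        r = parse_row(line)
        if r is None:
            continue
        is_dns = r["proto"] == "udp" and r["dest"].endswith(":53")
        ip = ptr_to_ip(r["domain"]) if is_dns else None
        if ip:
            ptr[ip] += 1
        else:
            conns[r["dest"]] += 1
    # Heuristic (assumption of this example): a destination contacted more than
    # once on a port other than 53/80/443 is flagged as a C2 candidate.
    candidates = sorted(d for d, n in conns.items()
                        if n > 1 and not d.endswith((":53", ":80", ":443")))
    return {"ptr_lookups": dict(ptr), "connections": dict(conns), "c2_candidates": candidates}


# Excerpt of the report's table, copied as printed (including a TCP row
# without the trailing cell).
NETWORK_ROWS = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| RU | 185.161.248.90:4125 | tcp | |
| RU | 185.161.248.90:4125 | tcp | |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| RU | 185.161.248.90:4125 | tcp |
""".strip().splitlines()

if __name__ == "__main__":
    s = summarize(NETWORK_ROWS)
    for ip, n in s["ptr_lookups"].items():
        print(f"PTR lookup for {ip} x{n}")
    for d in s["c2_candidates"]:
        print(f"C2 candidate: {d} ({s['connections'][d]} connections)")
```

Treat the decoded PTR targets (52.183.220.149 and the like) as context, not as indicators: they are addresses the guest looked up reverse names for, and nothing in the report shows a connection to them. The indicator to block and hunt for is the TCP destination on port 4125.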
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un508965.exe
| MD5 | d73f2388e505c301099173a37f1504f4 |
| SHA1 | 6e5b94b81da42b8dbbace26cf052efc498e07ef4 |
| SHA256 | d22ba6737b915dc3633db540b01786de3fb0a422c8fc86105951db8146662d9a |
| SHA512 | b786c5d00f176e6496127c0150ba76907f7bf455d82d842ecf95779da3c63c528716e2edf63d3af66e48adf77015c19598e831a6a419af7a1a33c0edd2264aa8 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un524319.exe
| MD5 | 18e27221789e9977faf7f00a899bcda7 |
| SHA1 | 37fe63bdaf4275273c4061ef5c965c1ddf476d2f |
| SHA256 | a6851b3e9ced7d72473e2c9e77704eeb78dbd258d4183184c11b4153c8f37508 |
| SHA512 | 675c9bab5626df876f0e37022a7592e66ff8601011e388e2c159042e3271695904d6a50f8270ee0b2206d7bb03870c0a9f61dce30639b1f057006c8249c7139f |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr734358.exe
| MD5 | a8f53364d930f7d96ca2ad0eb153cca2 |
| SHA1 | 904c2fb7457d0bc7e96e59dbc41e2758627b0b7d |
| SHA256 | 086d8665ca1738bdac7f2d7bb1daca49b39c4c75df11e48512c0e74c17239299 |
| SHA512 | 253cd206e3f4aacf3b1f2e5d21aa933f4814620ade6dea6e95063a1c16f4b5b9c86a5f76ad1467c2098bbda65781f441f039d0103584c8d92913f9ba225d3763 |
memory/3756-22-0x0000000002380000-0x000000000239A000-memory.dmp
memory/3756-23-0x0000000004D70000-0x0000000005314000-memory.dmp
memory/3756-24-0x00000000026C0000-0x00000000026D8000-memory.dmp
memory/3756-28-0x00000000026C0000-0x00000000026D2000-memory.dmp
memory/3756-42-0x00000000026C0000-0x00000000026D2000-memory.dmp
memory/3756-41-0x00000000026C0000-0x00000000026D2000-memory.dmp
memory/3756-52-0x00000000026C0000-0x00000000026D2000-memory.dmp
memory/3756-48-0x00000000026C0000-0x00000000026D2000-memory.dmp
memory/3756-46-0x00000000026C0000-0x00000000026D2000-memory.dmp
memory/3756-44-0x00000000026C0000-0x00000000026D2000-memory.dmp
memory/3756-38-0x00000000026C0000-0x00000000026D2000-memory.dmp
memory/3756-36-0x00000000026C0000-0x00000000026D2000-memory.dmp
memory/3756-34-0x00000000026C0000-0x00000000026D2000-memory.dmp
memory/3756-32-0x00000000026C0000-0x00000000026D2000-memory.dmp
memory/3756-30-0x00000000026C0000-0x00000000026D2000-memory.dmp
memory/3756-26-0x00000000026C0000-0x00000000026D2000-memory.dmp
memory/3756-50-0x00000000026C0000-0x00000000026D2000-memory.dmp
memory/3756-25-0x00000000026C0000-0x00000000026D2000-memory.dmp
memory/3756-53-0x0000000000400000-0x00000000004BE000-memory.dmp
memory/3756-55-0x0000000000400000-0x00000000004BE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu793734.exe
| MD5 | 5cbecd37f599115620348b0e27550e1e |
| SHA1 | 3fbca0aeb0ac98e99afea475f05a0c4f5fdef6df |
| SHA256 | 831fde2f6abcb75f3c70e6b4028c9a1e8e304e1f3ed167d20da23f799498786e |
| SHA512 | 0ed48f2c71d717dba9305c27b4bc4d2cc05f36db020935061a310f7b78f8bf0417a3564093218c4110a416334cc33993fa83fd73994aaa4c1e4de214c2f6aa28 |
memory/1724-60-0x0000000004A30000-0x0000000004A98000-memory.dmp
memory/1724-61-0x00000000051C0000-0x0000000005226000-memory.dmp
memory/1724-69-0x00000000051C0000-0x0000000005220000-memory.dmp
memory/1724-63-0x00000000051C0000-0x0000000005220000-memory.dmp
memory/1724-62-0x00000000051C0000-0x0000000005220000-memory.dmp
memory/1724-73-0x00000000051C0000-0x0000000005220000-memory.dmp
memory/1724-91-0x00000000051C0000-0x0000000005220000-memory.dmp
memory/1724-89-0x00000000051C0000-0x0000000005220000-memory.dmp
memory/1724-87-0x00000000051C0000-0x0000000005220000-memory.dmp
memory/1724-86-0x00000000051C0000-0x0000000005220000-memory.dmp
memory/1724-79-0x00000000051C0000-0x0000000005220000-memory.dmp
memory/1724-77-0x00000000051C0000-0x0000000005220000-memory.dmp
memory/1724-75-0x00000000051C0000-0x0000000005220000-memory.dmp
memory/1724-71-0x00000000051C0000-0x0000000005220000-memory.dmp
memory/1724-67-0x00000000051C0000-0x0000000005220000-memory.dmp
memory/1724-65-0x00000000051C0000-0x0000000005220000-memory.dmp
memory/1724-95-0x00000000051C0000-0x0000000005220000-memory.dmp
memory/1724-93-0x00000000051C0000-0x0000000005220000-memory.dmp
memory/1724-83-0x00000000051C0000-0x0000000005220000-memory.dmp
memory/1724-81-0x00000000051C0000-0x0000000005220000-memory.dmp
memory/1724-2204-0x0000000005410000-0x0000000005442000-memory.dmp
C:\Windows\Temp\1.exe
| MD5 | 03728fed675bcde5256342183b1d6f27 |
| SHA1 | d13eace7d3d92f93756504b274777cc269b222a2 |
| SHA256 | f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0 |
| SHA512 | 6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1 |
memory/3684-2217-0x00000000000B0000-0x00000000000DE000-memory.dmp
memory/3684-2218-0x0000000000820000-0x0000000000826000-memory.dmp
memory/3684-2219-0x0000000005080000-0x0000000005698000-memory.dmp
memory/3684-2220-0x0000000004B70000-0x0000000004C7A000-memory.dmp
memory/3684-2221-0x0000000004920000-0x0000000004932000-memory.dmp
memory/3684-2223-0x0000000004AA0000-0x0000000004ADC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk806576.exe
| MD5 | 138a4316c363fe43b524f46c151f44aa |
| SHA1 | 320f7d8be1557b3514433d56e2bbb47e126747e5 |
| SHA256 | 2e4956d758f237097bbaae0c82eac2f3ac0208a0e6a298aff137eb8f25e65027 |
| SHA512 | 7f4053a092a413d95a4e1121681d9c230dbbd36173de6d4ae130e2a533784909b5f46f88aa9385ef24137878005324170784b537bcca418c7157b8fad552afd2 |
memory/640-2227-0x0000000000CB0000-0x0000000000CE0000-memory.dmp
memory/640-2228-0x0000000003080000-0x0000000003086000-memory.dmp
memory/3684-2229-0x0000000004AE0000-0x0000000004B2C000-memory.dmp
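The memory dump names in the Files section are memory/<pid>-<sequence>-0x<start>-0x<end>-memory.dmp, and the WerFault.exe command lines in the process list carry -p <pid> for the crashing process. Joining the two confirms the "Program crash" table (pid 3756 is pr734358.exe, pid 1724 is qu793734.exe) and shows that a dump is listed under whichever file's content matched that region, so pid 3684 appears under both 1.exe and rk806576.exe. The following is an added example, not part of the sandbox report; the excerpts it embeds are copied from the listings above, and the "largest region is the unpacked image" reading is a heuristic of this example.

```python
"""Tie the report's memory dumps and WerFault invocations back to processes.

Added example; not part of the sandbox report. Dump names are
memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp and are listed under the
file whose content matched that region, so one pid can appear under more
than one file. WerFault is invoked with -p <pid> for the crashing process.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
WERFAULT_RE = re.compile(r"WerFault\.exe .*?-p (\d+)")


def parse_files_section(lines):
    """Return ({pid: {file basenames}}, [(pid, start, end)]) from a Files listing."""
    pid_files = defaultdict(set)
    regions = []
    current = None
    for line in lines:
        line = line.strip()
        m = DUMP_RE.fullmatch(line)
        if m:
            pid, _, start, end = m.groups()
            pid_files[int(pid)].add(current)
            regions.append((int(pid), int(start, 16), int(end, 16)))
        elif line and not line.startswith("|"):
            current = line.rsplit("\\", 1)[-1]   # file entry header: keep the basename
    return dict(pid_files), regions


def crashed_pids(process_lines):
    """Pids passed to WerFault.exe via -p, in order of first appearance."""
    seen = []
    for line in process_lines:
        m = WERFAULT_RE.search(line)
        if m and int(m.group(1)) not in seen:
            seen.append(int(m.group(1)))
    return seen


def crash_to_images(files_lines, process_lines):
    """Map each crashing pid to the file(s) its dumped regions were attributed to."""
    pid_files, _ = parse_files_section(files_lines)
    return {pid: sorted(pid_files.get(pid, set())) for pid in crashed_pids(process_lines)}


def largest_region(regions, pid):
    """(size, start, end) of the biggest dumped span for a pid.

    Heuristic: the span at the image base (0x400000 here) is usually the
    unpacked payload and is the first thing to pull for static analysis.
    """
    spans = [(e - s, s, e) for p, s, e in regions if p == pid]
    return max(spans) if spans else None


# Excerpts copied from the report's Files and Processes sections.
FILES_EXCERPT = r"""
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr734358.exe
| MD5 | a8f53364d930f7d96ca2ad0eb153cca2 |
memory/3756-22-0x0000000002380000-0x000000000239A000-memory.dmp
memory/3756-53-0x0000000000400000-0x00000000004BE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu793734.exe
memory/1724-60-0x0000000004A30000-0x0000000004A98000-memory.dmp
C:\Windows\Temp\1.exe
memory/3684-2217-0x00000000000B0000-0x00000000000DE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk806576.exe
memory/640-2227-0x0000000000CB0000-0x0000000000CE0000-memory.dmp
memory/3684-2229-0x0000000004AE0000-0x0000000004B2C000-memory.dmp
""".strip().splitlines()

PROCESS_EXCERPT = [
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3756 -ip 3756",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 1104",
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1724 -ip 1724",
]

if __name__ == "__main__":
    pid_files, regions = parse_files_section(FILES_EXCERPT)
    for pid, images in crash_to_images(FILES_EXCERPT, PROCESS_EXCERPT).items():
        size, start, end = largest_region(regions, pid)
        print(f"pid {pid} ({', '.join(images)}) crashed; largest dump 0x{start:X}-0x{end:X} ({size} bytes)")
```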