Analysis Overview
SHA256
f26ecc3bfbfc14f505e8af1afd15c613767c25d22eb9fb7527f5876be8533851
Threat Level: Known bad
The file f26ecc3bfbfc14f505e8af1afd15c613767c25d22eb9fb7527f5876be8533851 was found to be: Known bad.
Malicious Activity Summary
Healer family
Redline family
RedLine
Healer
Detects Healer an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
RedLine payload
Windows security modification
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Program crash
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-07 23:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-07 23:35
Reported
2024-11-07 23:38
Platform
win10v2004-20241007-en
Max time kernel
146s
Max time network
148s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(17 hits for this signature; the sandbox recorded no indicator, process or target for any of them)
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr952043.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr952043.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr952043.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr952043.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr952043.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr952043.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(5 hits for this signature; the sandbox recorded no indicator, process or target for any of them)
Redline family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu983178.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un114213.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un258325.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr952043.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu983178.exe | N/A |
| N/A | N/A | C:\Windows\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk824130.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr952043.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr952043.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\f26ecc3bfbfc14f505e8af1afd15c613767c25d22eb9fb7527f5876be8533851.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un114213.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un258325.exe | N/A |
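The registry rows in this report (the Real-Time Protection policy values and TamperProtection written by pr952043.exe, the three RunOnce wextract_cleanup entries, and the Geo\Nation query by qu983178.exe) are the parts a detection engineer would turn into a check. The Python below is an added example, not output of the sandbox and not code from either malware family: it parses rows in this report's own table layout (the sample input is a constructed copy of the rows above, embedded inline) and flags the four behaviours. Two caveats a practitioner should keep in mind are built into it. First, the IXP000.TMP to IXP002.TMP directories and the wextract_cleanupN RunOnce values are what the Windows self-extractor (wextract, as produced by IExpress) creates, one directory per nesting level, and each value only runs advpack.dll's DelNodeRunDLL32 to delete that directory after the next logon; they are self-extractor cleanup, not persistence, despite the "Adds Run key to start application" signature name, and three of them mean three nested wrappers before the two payloads run. Second, every write was logged under the WOW6432Node view because the dropper is a 32-bit process (its crashes were handled by SysWOW64\WerFault.exe), so a hunt on a real host should read both the native and the WOW6432Node view of these keys. The row layout and the rule thresholds are this example's own assumptions.

```python
import re

# Constructed sample input: registry rows copied in this report's own
# "| Description | Indicator | Process | Target |" layout (values the sandbox
# recorded for pr952043.exe, qu983178.exe and the three wextract stages).
SAMPLE_ROWS = [
    r'| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr952043.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr952043.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr952043.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr952043.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr952043.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr952043.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr952043.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\f26ecc3bfbfc14f505e8af1afd15c613767c25d22eb9fb7527f5876be8533851.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un114213.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un258325.exe | N/A |',
    r'| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu983178.exe | N/A |',
]

ROW_FIELDS = ("description", "indicator", "process", "target")
# An indicator cell is '<key path>' or '<key path> = "<value>"'.
INDICATOR_RE = re.compile(r'^(?P<key>.*?)(?: = "(?P<value>.*)")?$')

# Key suffixes the rules look for (native or WOW6432Node view; both match).
DEFENDER_RTP_POLICY = r"\Policies\Microsoft\Windows Defender\Real-Time Protection"
TAMPER_PROTECTION = r"\Microsoft\Windows Defender\Features\TamperProtection"
WEXTRACT_RUNONCE = r"\CurrentVersion\RunOnce\wextract_cleanup"
GEO_NATION = r"\Control Panel\International\Geo\Nation"


def parse_row(line):
    """Split one report table row into its four cells; None for non-rows."""
    line = line.strip()
    if not (line.startswith("|") and line.endswith("|")):
        return None
    cells = [c.strip() for c in line[1:-1].split("|")]
    if len(cells) != len(ROW_FIELDS):
        return None
    return dict(zip(ROW_FIELDS, cells))


def split_indicator(indicator):
    """Return (key path, value) where value is None for key-only indicators."""
    m = INDICATOR_RE.match(indicator)
    return m.group("key"), m.group("value")


def analyze(lines):
    """Run the four checks over every parsed row and collect what matched."""
    findings = {
        "defender_policy_disabled": [],  # (value name, writing process) set to 1
        "tamper_protection_off": [],     # processes that wrote TamperProtection = 0
        "wextract_stages": [],           # (RunOnce value name, IXP dir, writing process)
        "geo_nation_queried": [],        # processes that read Geo\Nation
    }
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        key, value = split_indicator(row["indicator"])
        parent, _, name = key.rpartition("\\")
        proc = row["process"]
        if parent.endswith(DEFENDER_RTP_POLICY) and name.startswith("Disable") and value == "1":
            findings["defender_policy_disabled"].append((name, proc))
        elif key.endswith(TAMPER_PROTECTION) and value == "0":
            findings["tamper_protection_off"].append(proc)
        elif WEXTRACT_RUNONCE in key and value is not None:
            # The value is the DelNodeRunDLL32 command; pull out which IXP dir it deletes.
            ixp = re.search(r"IXP\d{3}\.TMP", value)
            findings["wextract_stages"].append((name, ixp.group(0) if ixp else None, proc))
        elif key.endswith(GEO_NATION):
            findings["geo_nation_queried"].append(proc)
    return findings


def signatures(findings):
    """Map findings back onto report-style signature names."""
    sigs = []
    if findings["defender_policy_disabled"]:
        sigs.append("Modifies Windows Defender Real-time Protection settings")
    if findings["tamper_protection_off"]:
        sigs.append("Windows security modification")
    if findings["wextract_stages"]:
        # wextract_cleanupN only deletes the IXPnnn.TMP dir: self-extractor cleanup,
        # not persistence, so it is reported as nesting depth rather than a Run key.
        sigs.append("Nested WEXTRACT stages: %d" % len(findings["wextract_stages"]))
    if findings["geo_nation_queried"]:
        sigs.append("Checks computer location settings")
    return sigs


if __name__ == "__main__":
    result = analyze(SAMPLE_ROWS)
    for sig in signatures(result):
        print(sig)
    for stage in result["wextract_stages"]:
        print("  %s deletes %s, written by %s" % stage)
```

Run as a script it prints the four signature lines and then the three stages in nesting order: IXP000.TMP written by the top-level sample, IXP001.TMP by un114213.exe, IXP002.TMP by un258325.exe, which is the chain the RunOnce table records and explains why the two payloads both live in IXP002.TMP.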
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr952043.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu983178.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk824130.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f26ecc3bfbfc14f505e8af1afd15c613767c25d22eb9fb7527f5876be8533851.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un114213.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un258325.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr952043.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu983178.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr952043.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr952043.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr952043.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu983178.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\f26ecc3bfbfc14f505e8af1afd15c613767c25d22eb9fb7527f5876be8533851.exe | "C:\Users\Admin\AppData\Local\Temp\f26ecc3bfbfc14f505e8af1afd15c613767c25d22eb9fb7527f5876be8533851.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un114213.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un114213.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un258325.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un258325.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr952043.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr952043.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2784 -ip 2784 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 1016 |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu983178.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu983178.exe |
| C:\Windows\Temp\1.exe | "C:\Windows\Temp\1.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 540 -ip 540 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 1388 |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk824130.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk824130.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
| US | 8.8.8.8:53 | 104.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un114213.exe
| MD5 | 7803bdd16836deba95b19d1931a78ca7 |
| SHA1 | b5a0ba3e0926e2dcfc6776262f5d2a9e9313214a |
| SHA256 | 80564544c90280a8ef6ad39642a81257eb6a75655330a0d260593a2e17f40f01 |
| SHA512 | d1924203fe3c1e5a1cbd39f65000e78c6ebddddd37f02c410a24eec87630bf5f00d13155ff9746477a45063fe18b3eccae8f2d162a57410b60eaee111096e843 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un258325.exe
| MD5 | 3ca779c35003c16b4ab691890dca6d61 |
| SHA1 | bc183457339fd2052927f1f336f2ccf043f52dd6 |
| SHA256 | f217587900d3af2e141edae9bde4c1df547811446f491e2424868302d80b5757 |
| SHA512 | 98816cd2c4ab5f949b1b2c6392747fd6f1f2a5240b9976ff1e91bcc00f44affd704bf284a6cca7f659ba9b37f86f6a95f668fe720c8fbcf148d76f49c5e46408 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr952043.exe
| MD5 | e615cd8bbc0ac8e031e49ecb656008e0 |
| SHA1 | 56e98589150c707989e0985fdd4d1ad47d103ea7 |
| SHA256 | cd24f42074f520440103bacf3f34a478e55b6d3ce855b7837293a9ad2a012eca |
| SHA512 | 1f9383f8560cb0cd494a6850681d98fb932ddcffe9dbfbc5e623c851f37f87a5bf0b571ce3a64e58d8371a4afac027e03ac21e88c56bd6e53448da9f2bcff412 |
memory/2784-22-0x00000000025F0000-0x000000000260A000-memory.dmp
memory/2784-23-0x00000000050B0000-0x0000000005654000-memory.dmp
memory/2784-24-0x00000000028A0000-0x00000000028B8000-memory.dmp
memory/2784-38-0x00000000028A0000-0x00000000028B2000-memory.dmp
memory/2784-52-0x00000000028A0000-0x00000000028B2000-memory.dmp
memory/2784-50-0x00000000028A0000-0x00000000028B2000-memory.dmp
memory/2784-48-0x00000000028A0000-0x00000000028B2000-memory.dmp
memory/2784-46-0x00000000028A0000-0x00000000028B2000-memory.dmp
memory/2784-44-0x00000000028A0000-0x00000000028B2000-memory.dmp
memory/2784-42-0x00000000028A0000-0x00000000028B2000-memory.dmp
memory/2784-40-0x00000000028A0000-0x00000000028B2000-memory.dmp
memory/2784-36-0x00000000028A0000-0x00000000028B2000-memory.dmp
memory/2784-35-0x00000000028A0000-0x00000000028B2000-memory.dmp
memory/2784-30-0x00000000028A0000-0x00000000028B2000-memory.dmp
memory/2784-28-0x00000000028A0000-0x00000000028B2000-memory.dmp
memory/2784-26-0x00000000028A0000-0x00000000028B2000-memory.dmp
memory/2784-25-0x00000000028A0000-0x00000000028B2000-memory.dmp
memory/2784-32-0x00000000028A0000-0x00000000028B2000-memory.dmp
memory/2784-53-0x0000000000400000-0x0000000000809000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu983178.exe
| MD5 | fa8121872e070e51cce2427844f13e77 |
| SHA1 | 56e4f6baad970afd35e57d6f5c133f2fd7c80734 |
| SHA256 | 486e6ee1b0a3a8ca07d975ff884b835a16327396d9268271351bdc3ef272f9d7 |
| SHA512 | 8c346428e9890c3fd127fd4497addd6294b120be22d7ce97eb6923f87423cdf8f0d5e92f62c6ad9b9f035ef2db0ac3ee7f49fb600a136704a233e6d060eb93b4 |
memory/2784-55-0x0000000000400000-0x0000000000809000-memory.dmp
memory/540-60-0x00000000028B0000-0x0000000002918000-memory.dmp
memory/540-61-0x0000000004FA0000-0x0000000005006000-memory.dmp
memory/540-73-0x0000000004FA0000-0x0000000005000000-memory.dmp
memory/540-77-0x0000000004FA0000-0x0000000005000000-memory.dmp
memory/540-95-0x0000000004FA0000-0x0000000005000000-memory.dmp
memory/540-93-0x0000000004FA0000-0x0000000005000000-memory.dmp
memory/540-91-0x0000000004FA0000-0x0000000005000000-memory.dmp
memory/540-87-0x0000000004FA0000-0x0000000005000000-memory.dmp
memory/540-85-0x0000000004FA0000-0x0000000005000000-memory.dmp
memory/540-83-0x0000000004FA0000-0x0000000005000000-memory.dmp
memory/540-81-0x0000000004FA0000-0x0000000005000000-memory.dmp
memory/540-79-0x0000000004FA0000-0x0000000005000000-memory.dmp
memory/540-75-0x0000000004FA0000-0x0000000005000000-memory.dmp
memory/540-71-0x0000000004FA0000-0x0000000005000000-memory.dmp
memory/540-69-0x0000000004FA0000-0x0000000005000000-memory.dmp
memory/540-67-0x0000000004FA0000-0x0000000005000000-memory.dmp
memory/540-65-0x0000000004FA0000-0x0000000005000000-memory.dmp
memory/540-89-0x0000000004FA0000-0x0000000005000000-memory.dmp
memory/540-63-0x0000000004FA0000-0x0000000005000000-memory.dmp
memory/540-62-0x0000000004FA0000-0x0000000005000000-memory.dmp
memory/540-2204-0x0000000005750000-0x0000000005782000-memory.dmp
C:\Windows\Temp\1.exe
| MD5 | 03728fed675bcde5256342183b1d6f27 |
| SHA1 | d13eace7d3d92f93756504b274777cc269b222a2 |
| SHA256 | f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0 |
| SHA512 | 6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1 |
memory/4740-2217-0x0000000000F40000-0x0000000000F6E000-memory.dmp
memory/4740-2218-0x0000000005710000-0x0000000005716000-memory.dmp
memory/4740-2219-0x0000000005E60000-0x0000000006478000-memory.dmp
memory/4740-2220-0x0000000005980000-0x0000000005A8A000-memory.dmp
memory/4740-2221-0x00000000058B0000-0x00000000058C2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk824130.exe
| MD5 | c52ebada00a59ec1f651a0e9fbcef2eb |
| SHA1 | e1941278df76616f1ca3202ef2a9f99d2592d52f |
| SHA256 | 35d5cff482e78c0137b3c51556d1e14aab0f38921ebfe46abc979a826301d28e |
| SHA512 | 6b11124fa6cfa1d2fdb8b6a4cc237b4a65ecbeb1797179568dcef378041ce05bdf0af9b6434cc0b3feb2479112d003b0fa5c0d2178c73bc65d35f5c2cfb36be2 |
memory/4740-2225-0x0000000005910000-0x000000000594C000-memory.dmp
memory/3604-2227-0x00000000009B0000-0x00000000009E0000-memory.dmp
memory/3604-2228-0x0000000002C80000-0x0000000002C86000-memory.dmp
memory/4740-2229-0x0000000005A90000-0x0000000005ADC000-memory.dmp