Analysis Overview
SHA256
c9ddf5958bc7d3c91bac5d94b5622b6b105abd1d094a2fbaa5327de6a84edc98
Threat Level: Known bad
The file c9ddf5958bc7d3c91bac5d94b5622b6b105abd1d094a2fbaa5327de6a84edc98 was found to be: Known bad.
Malicious Activity Summary
Healer family
Redline family
RedLine
Healer
Detects Healer, an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
RedLine payload
Executes dropped EXE
Windows security modification
Checks computer location settings
Adds Run key to start application
Unsigned PE
Program crash
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-07 00:57
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-07 00:57
Reported
2024-11-07 01:00
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(17 identical rows in the export; the sandbox recorded no indicator detail for this signature)
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
Note: every write below lands in the WOW6432Node (32-bit) view of HKLM\SOFTWARE, which is where the registry redirector sends writes from a 32-bit process. When hunting for this on a real host, query both the native Policies\Microsoft\Windows Defender path and the WOW6432Node copy, and verify on the host rather than assume that Defender honored the redirected copy.
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr822626.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr822626.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr822626.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr822626.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr822626.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr822626.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(5 identical rows in the export; the sandbox recorded no indicator detail for this signature)
Redline family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu104044.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un545776.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un546308.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr822626.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu104044.exe | N/A |
| N/A | N/A | C:\Windows\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk562342.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr822626.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr822626.exe | N/A |
Adds Run key to start application
Note: the three RunOnce values below are the housekeeping entries that the Windows WExtract (IExpress) self-extractor stub writes so that rundll32 advpack.dll,DelNodeRunDLL32 removes its IXP00n.TMP extraction folder at the next logon. They delete files rather than launch anything, so on their own they are not persistence; no other Run or RunOnce value was recorded in this run.
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un546308.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\c9ddf5958bc7d3c91bac5d94b5622b6b105abd1d094a2fbaa5327de6a84edc98.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un545776.exe | N/A |
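The three registry-based signatures above (the Defender Real-Time Protection policy values, TamperProtection under Features, and the wextract_cleanup RunOnce values) can be told apart mechanically. The Python below is an added example, not part of the sandbox report: it parses rows in the report's own "| Description | Indicator | Process | Target |" layout (the rows embedded in the block are copied from the tables above), folds the WOW6432Node view into the native path so one rule matches a 32-bit or a 64-bit writer, and treats the advpack DelNodeRunDLL32 RunOnce entries as self-extractor cleanup rather than persistence. The rule names, the RegEvent type and summarize() are this example's own.

```python
"""Classify registry writes taken from a sandbox report's signature tables.

Added example; rows below are copied from the report, rule names are our own.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Real-Time Protection policy values that each switch off one component when set to 1.
RTP_DISABLE_VALUES = {
    "disablebehaviormonitoring", "disableioavprotection", "disableonaccessprotection",
    "disablerealtimemonitoring", "disablescanonrealtimeenable",
}
RTP_KEY = r"hklm\software\policies\microsoft\windows defender\real-time protection"
FEATURES_KEY = r"hklm\software\microsoft\windows defender\features"


@dataclass
class RegEvent:
    action: str
    key: str                # key path without the value name
    name: Optional[str]     # value name; None for a bare key creation
    data: Optional[str]
    process: str


def parse_row(row: str) -> RegEvent:
    """Parse one '| Description | Indicator | Process | Target |' row of the report."""
    cells = [c.strip() for c in row.strip().strip("|").split(" | ")]
    action, indicator, process = cells[0], cells[1], cells[2]
    path, sep, data = indicator.partition(" = ")
    if not sep:                                  # 'Key created' rows carry no value
        return RegEvent(action, path, None, None, process)
    key, _, name = path.rpartition("\\")
    return RegEvent(action, key, name, data.strip('"'), process)


def normalize_key(key: str) -> str:
    """Kernel path -> HKLM form, WOW6432Node view folded into the native one, lowercased,
    so the same rule matches a write from a 32-bit or a 64-bit process."""
    k = key.replace("\\REGISTRY\\MACHINE\\", "HKLM\\")
    k = re.sub(r"\\wow6432node(?=\\)", "", k, flags=re.I)
    return k.lower()


def classify(ev: RegEvent) -> Optional[str]:
    if ev.name is None:
        return None
    key, name = normalize_key(ev.key), ev.name.lower()
    if key == RTP_KEY and name in RTP_DISABLE_VALUES and ev.data == "1":
        return "defender_rtp_component_disabled"
    if key == FEATURES_KEY and name == "tamperprotection" and ev.data == "0":
        return "defender_tamper_protection_cleared"
    if (key.endswith(r"\currentversion\runonce") and name.startswith("wextract_cleanup")
            and re.search(r"advpack\.dll,delnoderundll32", ev.data, re.I)):
        return "wextract_cleanup_hook"           # SFX stub deleting its IXP00n.TMP dir, not persistence
    if re.search(r"\\currentversion\\run(once)?$", key):
        return "run_key_persistence"
    return None


def summarize(rows):
    """Count verdicts and record which registry view (native or WOW6432Node) the writes hit."""
    counts: Counter = Counter()
    views = set()
    for row in rows:
        ev = parse_row(row)
        verdict = classify(ev)
        if verdict:
            counts[verdict] += 1
            views.add("wow64" if "wow6432node" in ev.key.lower() else "native")
    return dict(counts), views


# Rows copied from the report's signature tables (constructed input for this example).
REPORT_ROWS = [
    r'| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr822626.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr822626.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr822626.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr822626.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr822626.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr822626.exe | N/A |',
    r'| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr822626.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr822626.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un546308.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\c9ddf5958bc7d3c91bac5d94b5622b6b105abd1d094a2fbaa5327de6a84edc98.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un545776.exe | N/A |',
]

if __name__ == "__main__":
    print(summarize(REPORT_ROWS))
```

Run against the rows above, the five Real-Time Protection values and the TamperProtection write are reported as Defender tampering, all in the WOW6432Node view, while the three RunOnce entries are classed as cleanup hooks and nothing is reported as Run-key persistence.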
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr822626.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu104044.exe |
Note: the -p argument in the WerFault command lines under Processes gives the crashing PID: 4140 is pr822626.exe and 3644 is qu104044.exe, the same PIDs that prefix the memory dumps listed for those two files under Files. The SysWOW64 copy of WerFault handles 32-bit processes, consistent with the WOW6432Node registry paths above.
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu104044.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk562342.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c9ddf5958bc7d3c91bac5d94b5622b6b105abd1d094a2fbaa5327de6a84edc98.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un545776.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un546308.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr822626.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr822626.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr822626.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr822626.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu104044.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Path | Command line |
| C:\Users\Admin\AppData\Local\Temp\c9ddf5958bc7d3c91bac5d94b5622b6b105abd1d094a2fbaa5327de6a84edc98.exe | "C:\Users\Admin\AppData\Local\Temp\c9ddf5958bc7d3c91bac5d94b5622b6b105abd1d094a2fbaa5327de6a84edc98.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un545776.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un545776.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un546308.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un546308.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr822626.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr822626.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4140 -ip 4140 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 1088 |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu104044.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu104044.exe |
| C:\Windows\Temp\1.exe | "C:\Windows\Temp\1.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3644 -ip 3644 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 1372 |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk562342.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk562342.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
| US | 8.8.8.8:53 | 5.173.189.20.in-addr.arpa | udp |
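Twelve of the rows above are the same TCP peer on a non-standard port, and the other thirteen are PTR (reverse) lookups sent to 8.8.8.8. The Python below is an added example, not part of the report: it parses rows in this table's layout (tolerating the export's habit of leaving the protocol token in the Domain column), turns each in-addr.arpa name back into the address that was looked up, and counts connections per destination so the repeated peer stands out. The rows embedded in the block are copied from this table; the min_hits threshold and the set of ports it will not flag are this example's own choices. Addresses recovered from the PTR names should be compared with known Windows service ranges before being treated as indicators, since reverse lookups of that kind are commonly background traffic rather than the sample's own.

```python
"""Separate reverse-DNS noise from the sample's own peer in a sandbox Network table.

Added example; rows below are copied from the report, thresholds are our own.
"""
import re
from collections import Counter

PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$", re.I)
WELL_KNOWN_PORTS = {53, 80, 443}     # example's own choice of ports not to flag as beacons


def ptr_to_ip(name: str):
    """'97.17.167.52.in-addr.arpa' -> '52.167.17.97': a PTR name lists the octets reversed."""
    m = PTR_RE.match(name)
    return ".".join(reversed(m.groups())) if m else None


def parse_row(row: str):
    """Split a '| Country | Destination | Domain | Proto |' row into four fields.
    If the protocol token sits in the Domain column with Proto empty, realign it."""
    cells = [c.strip() for c in row.strip().strip("|").split("|")]
    cells += [""] * (4 - len(cells))
    country, dest, domain, proto = cells[:4]
    if not proto and domain.lower() in ("tcp", "udp"):
        domain, proto = "", domain
    return country, dest, domain, proto.lower()


def summarize(rows, min_hits: int = 3):
    """Return the addresses that were reverse-resolved, connection counts per peer,
    and peers that repeat at least min_hits times on a port outside WELL_KNOWN_PORTS."""
    looked_up, peers, countries = set(), Counter(), {}
    for country, dest, domain, proto in map(parse_row, rows):
        if proto == "udp" and dest.endswith(":53"):
            ip = ptr_to_ip(domain)            # record what was resolved, not the resolver
            if ip:
                looked_up.add(ip)
            continue
        peers[dest] += 1
        countries[dest] = country
    beacons = [d for d, n in peers.items()
               if n >= min_hits and int(d.rsplit(":", 1)[1]) not in WELL_KNOWN_PORTS]
    return {
        "reverse_lookups": sorted(looked_up, key=lambda ip: tuple(int(o) for o in ip.split("."))),
        "peers": dict(peers),
        "peer_country": countries,
        "beacon_candidates": beacons,
    }


# Rows copied from the report's Network table (constructed input for this example).
NETWORK_ROWS = [
    "| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |",
    "| RU | 185.161.248.90:4125 | | tcp |",
    "| RU | 185.161.248.90:4125 | | tcp |",
    "| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |",
    "| RU | 185.161.248.90:4125 | | tcp |",
    "| RU | 185.161.248.90:4125 | | tcp |",
    "| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |",
    "| RU | 185.161.248.90:4125 | | tcp |",
    "| RU | 185.161.248.90:4125 | | tcp |",
    "| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |",
    "| RU | 185.161.248.90:4125 | | tcp |",
    "| RU | 185.161.248.90:4125 | | tcp |",
    "| RU | 185.161.248.90:4125 | | tcp |",
    "| RU | 185.161.248.90:4125 | | tcp |",
    "| RU | 185.161.248.90:4125 | | tcp |",
    "| RU | 185.161.248.90:4125 | | tcp |",
    "| US | 8.8.8.8:53 | 5.173.189.20.in-addr.arpa | udp |",
]

if __name__ == "__main__":
    print(summarize(NETWORK_ROWS))
```

On these rows the only peer is 185.161.248.90:4125 with twelve connections, and the thirteen PTR names resolve back to thirteen distinct addresses, none of which the sample connected to directly.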
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un545776.exe
| MD5 | 92dda13a685355f6211c53c1ecd9eb44 |
| SHA1 | 7183de018638dd377c3c61e958f314749807cfbc |
| SHA256 | 49fcd3f18353f30e6d22ad748e07802212fd222c9e92aaa6d30e9eb17d8992b5 |
| SHA512 | c7cd94e9d551f560d3488647ddc707b679b16f7da152ac921b8240a3bd32a995e12da0a9b6144d959405f0a248831d2456644548240b431aa66236cb98d0f526 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un546308.exe
| MD5 | 552149898a11a77b91aa888d906342da |
| SHA1 | 6a1abb2dbdac286471b7cdadcb1b59b74cac9f49 |
| SHA256 | df8db21f27cbd39579ba15b9d9788c15bc585fd04493a7a69101f74ea7c0d42f |
| SHA512 | 1828aaff7485defce1454a31e1a3726e6eaa8e43ecb250957c3fd9dcfff7820297a45bf1fb87265fb1ec88248c3b02c3989563d913cf85a5b6880456ea369c0f |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr822626.exe
| MD5 | 98beb6e0ebbb23774e77c2f902a163b3 |
| SHA1 | 446a83607668026a1034df0b365a480638ee92ef |
| SHA256 | edc19ab1fb928c1a030d32e2749ca9f85b71cb53e6eb4408c607e198f5e38b71 |
| SHA512 | 80b720b13d6e8346956543122404cf453ddfd772896b350cbeb71dd9bdd4d4a0e1277d48203383e60321050414e7d1f95bc8d615f9231975043382288e8d7084 |
memory/4140-22-0x0000000002780000-0x000000000279A000-memory.dmp
memory/4140-23-0x0000000004FA0000-0x0000000005544000-memory.dmp
memory/4140-24-0x0000000002950000-0x0000000002968000-memory.dmp
memory/4140-28-0x0000000002950000-0x0000000002962000-memory.dmp
memory/4140-50-0x0000000002950000-0x0000000002962000-memory.dmp
memory/4140-52-0x0000000002950000-0x0000000002962000-memory.dmp
memory/4140-48-0x0000000002950000-0x0000000002962000-memory.dmp
memory/4140-46-0x0000000002950000-0x0000000002962000-memory.dmp
memory/4140-44-0x0000000002950000-0x0000000002962000-memory.dmp
memory/4140-42-0x0000000002950000-0x0000000002962000-memory.dmp
memory/4140-40-0x0000000002950000-0x0000000002962000-memory.dmp
memory/4140-38-0x0000000002950000-0x0000000002962000-memory.dmp
memory/4140-36-0x0000000002950000-0x0000000002962000-memory.dmp
memory/4140-34-0x0000000002950000-0x0000000002962000-memory.dmp
memory/4140-32-0x0000000002950000-0x0000000002962000-memory.dmp
memory/4140-30-0x0000000002950000-0x0000000002962000-memory.dmp
memory/4140-26-0x0000000002950000-0x0000000002962000-memory.dmp
memory/4140-25-0x0000000002950000-0x0000000002962000-memory.dmp
memory/4140-53-0x0000000000400000-0x000000000080A000-memory.dmp
memory/4140-55-0x0000000000400000-0x000000000080A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu104044.exe
| MD5 | 76ce876e53c1891b826bb1333085051a |
| SHA1 | 84843704e88584ab10ad96f0f63db365b655ab42 |
| SHA256 | ce88a15ec3194e50ece47849c5cb71ca5756a7cb0edc5bf33a0c306150e098ba |
| SHA512 | 383493202d48007d329828335525a1fb0223c3e2d3a418f1c7b2ad694257065edeb801cdc21dafda1660d2c5886d884d942ab78318dccb27fe229c0a6fe59d1c |
memory/3644-60-0x0000000002830000-0x0000000002898000-memory.dmp
memory/3644-61-0x0000000002A30000-0x0000000002A96000-memory.dmp
memory/3644-75-0x0000000002A30000-0x0000000002A90000-memory.dmp
memory/3644-73-0x0000000002A30000-0x0000000002A90000-memory.dmp
memory/3644-71-0x0000000002A30000-0x0000000002A90000-memory.dmp
memory/3644-69-0x0000000002A30000-0x0000000002A90000-memory.dmp
memory/3644-67-0x0000000002A30000-0x0000000002A90000-memory.dmp
memory/3644-65-0x0000000002A30000-0x0000000002A90000-memory.dmp
memory/3644-77-0x0000000002A30000-0x0000000002A90000-memory.dmp
memory/3644-91-0x0000000002A30000-0x0000000002A90000-memory.dmp
memory/3644-63-0x0000000002A30000-0x0000000002A90000-memory.dmp
memory/3644-82-0x0000000002A30000-0x0000000002A90000-memory.dmp
memory/3644-62-0x0000000002A30000-0x0000000002A90000-memory.dmp
memory/3644-95-0x0000000002A30000-0x0000000002A90000-memory.dmp
memory/3644-93-0x0000000002A30000-0x0000000002A90000-memory.dmp
memory/3644-89-0x0000000002A30000-0x0000000002A90000-memory.dmp
memory/3644-87-0x0000000002A30000-0x0000000002A90000-memory.dmp
memory/3644-85-0x0000000002A30000-0x0000000002A90000-memory.dmp
memory/3644-84-0x0000000002A30000-0x0000000002A90000-memory.dmp
memory/3644-79-0x0000000002A30000-0x0000000002A90000-memory.dmp
memory/3644-2204-0x0000000005760000-0x0000000005792000-memory.dmp
C:\Windows\Temp\1.exe
| MD5 | 03728fed675bcde5256342183b1d6f27 |
| SHA1 | d13eace7d3d92f93756504b274777cc269b222a2 |
| SHA256 | f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0 |
| SHA512 | 6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1 |
memory/5784-2217-0x0000000000C30000-0x0000000000C5E000-memory.dmp
memory/5784-2218-0x0000000005450000-0x0000000005456000-memory.dmp
memory/5784-2219-0x0000000005BE0000-0x00000000061F8000-memory.dmp
memory/5784-2220-0x00000000056D0000-0x00000000057DA000-memory.dmp
memory/5784-2221-0x00000000055C0000-0x00000000055D2000-memory.dmp
memory/5784-2222-0x00000000055E0000-0x000000000561C000-memory.dmp
memory/5784-2223-0x0000000005660000-0x00000000056AC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk562342.exe
| MD5 | c52ebada00a59ec1f651a0e9fbcef2eb |
| SHA1 | e1941278df76616f1ca3202ef2a9f99d2592d52f |
| SHA256 | 35d5cff482e78c0137b3c51556d1e14aab0f38921ebfe46abc979a826301d28e |
| SHA512 | 6b11124fa6cfa1d2fdb8b6a4cc237b4a65ecbeb1797179568dcef378041ce05bdf0af9b6434cc0b3feb2479112d003b0fa5c0d2178c73bc65d35f5c2cfb36be2 |
memory/2488-2228-0x0000000000820000-0x0000000000850000-memory.dmp
memory/2488-2229-0x00000000028F0000-0x00000000028F6000-memory.dmp