Analysis Overview
SHA256
aefdf1cb367100f8aaee86bd6eee5c29a19471f88434c51fefb9fe1c68f71b62
Threat Level: Known bad
The file aefdf1cb367100f8aaee86bd6eee5c29a19471f88434c51fefb9fe1c68f71b62 was found to be: Known bad.
Malicious Activity Summary
Healer
Healer family
Redline family
RedLine payload
Detects Healer, an antivirus disabler dropper
RedLine
Modifies Windows Defender Real-time Protection settings
Windows security modification
Executes dropped EXE
Adds Run key to start application
Launches sc.exe
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-07 01:08
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-07 01:08
Reported
2024-11-07 01:11
Platform
win10v2004-20241007-en
Max time kernel
145s
Max time network
148s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNj79MS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNj79MS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNj79MS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNj79MS.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNj79MS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNj79MS.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sVY03EP16.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\saE37fq29.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\smU32lB60.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNj79MS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\koJ02HY.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNj79MS.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\8051b0ccaa40b8e46435f9d199a586ad5373065d6b9dcecf35fdb3c652740fe5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sVY03EP16.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\saE37fq29.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\smU32lB60.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8051b0ccaa40b8e46435f9d199a586ad5373065d6b9dcecf35fdb3c652740fe5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sVY03EP16.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\saE37fq29.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\smU32lB60.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\koJ02HY.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNj79MS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNj79MS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNj79MS.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\koJ02HY.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\8051b0ccaa40b8e46435f9d199a586ad5373065d6b9dcecf35fdb3c652740fe5.exe | "C:\Users\Admin\AppData\Local\Temp\8051b0ccaa40b8e46435f9d199a586ad5373065d6b9dcecf35fdb3c652740fe5.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sVY03EP16.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sVY03EP16.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\saE37fq29.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\saE37fq29.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\smU32lB60.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\smU32lB60.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNj79MS.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNj79MS.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\koJ02HY.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\koJ02HY.exe |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe start wuauserv |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 193.233.20.23:4124 | N/A | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| RU | 193.233.20.23:4124 | N/A | tcp |
| RU | 193.233.20.23:4124 | N/A | tcp |
| RU | 193.233.20.23:4124 | N/A | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| RU | 193.233.20.23:4124 | N/A | tcp |
| RU | 193.233.20.23:4124 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sVY03EP16.exe
| Hash | Value |
|---|---|
| MD5 | 0c48443198836bed2d412b49a852bdbb |
| SHA1 | fdd139aa10efa700a2f18a022dc995e9e9697d4b |
| SHA256 | 2c0c8195814f4dd6268dcb8a28971851215c6833fd5ee6c9ebea5fa227e6ca16 |
| SHA512 | 56d36b3ef3373ed1897d87a1aad1bc7ab53b8fd9ec4578c1c0d1ab37ebcd0aa268b81576d9cf559900202a56e015d6dd95da8077444f452907fe5d6e89d02254 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\saE37fq29.exe
| Hash | Value |
|---|---|
| MD5 | c919d05886ac6143a025c58301012f61 |
| SHA1 | 06ab29ef3daff24c45ecc6ad61e6bc0ad76a36d5 |
| SHA256 | 50922d00630558b9197fc7c1ae98742250e805ba7b27199d64ccf4a342572102 |
| SHA512 | c96b23ae67294e9be6e12e1622a815d7ab672958b369991749677b48f22fd266053653802c191128ebd9b11ad044a8b649fc1ea67f1d376f9788f05c7b1865ab |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\smU32lB60.exe
| Hash | Value |
|---|---|
| MD5 | 8fcbc09ad7098522547609f48c66831b |
| SHA1 | d93a1cb789b0ef4cd14e0fa2211deef814483614 |
| SHA256 | d49245074ab6612a095780fea461963d7b0030c21300b808568ac92a139bc81e |
| SHA512 | f54898d517b511c67c13dc1a5849e0d5f98e5de99ee7ca3c911d9381710cb5bcb9cab8ea038dff9bf06256bf779947517855e7b078a8fbeda4ab6284e7f17a11 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNj79MS.exe
| Hash | Value |
|---|---|
| MD5 | 4759c87cb8aae3b368ce489ed3888406 |
| SHA1 | 428b9a715af61d129a9a86145884f344a557f1aa |
| SHA256 | 48ebc806315e6f54059fd03b98c5c853e0e3a457b1f1d8dc6fa61f57470b7f62 |
| SHA512 | e8b16bbc37b67efcbee78d2085487f57d909e4e84160e6fbef838a403f5642d86b330db35ea0887b89629176ed684a8d2c4ef76a32724dbb4b35aead6ef16d04 |
memory/2344-28-0x0000000000350000-0x000000000035A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\koJ02HY.exe
| Hash | Value |
|---|---|
| MD5 | 89043a2a2ea21c3bd2a007ecd51c585f |
| SHA1 | 8a69615923db088e06a0ea0e6b9c0c910275573d |
| SHA256 | f412aef193eb688eeac1e9cf396e0cc888d3be7ff19c9ce07f815b6a1bff3ecf |
| SHA512 | 206203bb26173099ceb68ad16a0da6565181b9fc841bec240652f8d7c4f53325a6a1a4af0d33de1d77ad6c27a127189b4f6e4c0f6b354c378e995ce80f1527bd |
memory/5040-34-0x0000000007170000-0x00000000071B6000-memory.dmp
memory/5040-35-0x0000000007240000-0x00000000077E4000-memory.dmp
memory/5040-36-0x00000000071F0000-0x0000000007234000-memory.dmp
memory/5040-42-0x00000000071F0000-0x000000000722F000-memory.dmp
memory/5040-50-0x00000000071F0000-0x000000000722F000-memory.dmp
memory/5040-100-0x00000000071F0000-0x000000000722F000-memory.dmp
memory/5040-96-0x00000000071F0000-0x000000000722F000-memory.dmp
memory/5040-94-0x00000000071F0000-0x000000000722F000-memory.dmp
memory/5040-92-0x00000000071F0000-0x000000000722F000-memory.dmp
memory/5040-90-0x00000000071F0000-0x000000000722F000-memory.dmp
memory/5040-88-0x00000000071F0000-0x000000000722F000-memory.dmp
memory/5040-86-0x00000000071F0000-0x000000000722F000-memory.dmp
memory/5040-84-0x00000000071F0000-0x000000000722F000-memory.dmp
memory/5040-82-0x00000000071F0000-0x000000000722F000-memory.dmp
memory/5040-80-0x00000000071F0000-0x000000000722F000-memory.dmp
memory/5040-78-0x00000000071F0000-0x000000000722F000-memory.dmp
memory/5040-74-0x00000000071F0000-0x000000000722F000-memory.dmp
memory/5040-72-0x00000000071F0000-0x000000000722F000-memory.dmp
memory/5040-70-0x00000000071F0000-0x000000000722F000-memory.dmp
memory/5040-68-0x00000000071F0000-0x000000000722F000-memory.dmp
memory/5040-66-0x00000000071F0000-0x000000000722F000-memory.dmp
memory/5040-64-0x00000000071F0000-0x000000000722F000-memory.dmp
memory/5040-62-0x00000000071F0000-0x000000000722F000-memory.dmp
memory/5040-60-0x00000000071F0000-0x000000000722F000-memory.dmp
memory/5040-56-0x00000000071F0000-0x000000000722F000-memory.dmp
memory/5040-54-0x00000000071F0000-0x000000000722F000-memory.dmp
memory/5040-52-0x00000000071F0000-0x000000000722F000-memory.dmp
memory/5040-48-0x00000000071F0000-0x000000000722F000-memory.dmp
memory/5040-46-0x00000000071F0000-0x000000000722F000-memory.dmp
memory/5040-44-0x00000000071F0000-0x000000000722F000-memory.dmp
memory/5040-98-0x00000000071F0000-0x000000000722F000-memory.dmp
memory/5040-76-0x00000000071F0000-0x000000000722F000-memory.dmp
memory/5040-58-0x00000000071F0000-0x000000000722F000-memory.dmp
memory/5040-40-0x00000000071F0000-0x000000000722F000-memory.dmp
memory/5040-38-0x00000000071F0000-0x000000000722F000-memory.dmp
memory/5040-37-0x00000000071F0000-0x000000000722F000-memory.dmp
memory/5040-943-0x0000000007930000-0x0000000007F48000-memory.dmp
memory/5040-944-0x0000000007FD0000-0x00000000080DA000-memory.dmp
memory/5040-945-0x0000000008110000-0x0000000008122000-memory.dmp
memory/5040-946-0x0000000008130000-0x000000000816C000-memory.dmp
memory/5040-947-0x0000000008280000-0x00000000082CC000-memory.dmp