Analysis Overview
SHA256
9f55e5427572bbad1032d316367e745e19f1a26e02066ef62e734fd039ac4a07
Threat Level: Known bad
The file 9f55e5427572bbad1032d316367e745e19f1a26e02066ef62e734fd039ac4a07 was found to be: Known bad.
Malicious Activity Summary
RedLine payload
Detects Healer an antivirus disabler dropper
RedLine
Healer family
Modifies Windows Defender Real-time Protection settings
Redline family
Healer
Windows security modification
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
System Location Discovery: System Language Discovery
Program crash
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-07 10:27
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-07 10:27
Reported
2024-11-07 10:30
Platform
win10v2004-20241007-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr147208.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr147208.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr147208.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr147208.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr147208.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr147208.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu087676.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un727472.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un793605.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr147208.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu087676.exe | N/A |
| N/A | N/A | C:\Windows\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk158262.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr147208.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr147208.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\9f55e5427572bbad1032d316367e745e19f1a26e02066ef62e734fd039ac4a07.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un727472.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un793605.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr147208.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu087676.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9f55e5427572bbad1032d316367e745e19f1a26e02066ef62e734fd039ac4a07.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un727472.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un793605.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr147208.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu087676.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk158262.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr147208.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr147208.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr147208.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu087676.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9f55e5427572bbad1032d316367e745e19f1a26e02066ef62e734fd039ac4a07.exe
"C:\Users\Admin\AppData\Local\Temp\9f55e5427572bbad1032d316367e745e19f1a26e02066ef62e734fd039ac4a07.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un727472.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un727472.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un793605.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un793605.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr147208.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr147208.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1632 -ip 1632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 1080
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu087676.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu087676.exe
C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3764 -ip 3764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 1384
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk158262.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk158262.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| RU | 185.161.248.90:4125 | N/A | tcp |
| RU | 185.161.248.90:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| RU | 185.161.248.90:4125 | N/A | tcp |
| RU | 185.161.248.90:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| RU | 185.161.248.90:4125 | N/A | tcp |
| RU | 185.161.248.90:4125 | N/A | tcp |
| RU | 185.161.248.90:4125 | N/A | tcp |
| RU | 185.161.248.90:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| RU | 185.161.248.90:4125 | N/A | tcp |
| RU | 185.161.248.90:4125 | N/A | tcp |
| RU | 185.161.248.90:4125 | N/A | tcp |
| RU | 185.161.248.90:4125 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un727472.exe
| MD5 | 67d8094a5bc5f167023c3837801018ca |
| SHA1 | cdb9f73b12eb07fb8adc887d1235423aae47b517 |
| SHA256 | 46da9f784191707d0d57eca4c9434892419f307a96fdb11404f1693b9df54015 |
| SHA512 | f0c0ee282ac732aaead93a69bc89925a80e3bb71700b172091a8fe07559a5d3a48ccc8646ef52fe2930456cd9e5a59e28caa4a1f9135cb11266ce943f3a70b7b |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un793605.exe
| MD5 | 83d70d3b055dcd29775a5ef35fa5cac1 |
| SHA1 | d92a127472b525c62357132cf0f8586415e4083c |
| SHA256 | 3d3f5693c05b64c0cf84d3a53f0d1abd695561ae32da00c1a191f241c342f38e |
| SHA512 | 11c527cf011ed7ae44f79901067cf32db1153acfd270e0e97605b230aeb770dd82b44a9ec922269aaf4e6798b09c56f933d543a695f76a9fe8e3f3764543455a |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr147208.exe
| MD5 | 230f00a433038fa8ebb5ff9fb6aacbd0 |
| SHA1 | 082dd42948f04dc3871f3ceee85909120e9e4af0 |
| SHA256 | afbfefcabaf3cf9500d8b02ffd41af1bba3e2924b7c2c07f7ae796d1fd0ed31f |
| SHA512 | 6880e2f3c63992ce438521f01ddd4acd4a85637a4ec1a310bbe21e23383da16befce72db228372ec231dd6e7be583834d86ea63974c878bc2f1861b90159ff12 |
memory/1632-22-0x0000000000770000-0x0000000000870000-memory.dmp
memory/1632-23-0x0000000002320000-0x000000000233A000-memory.dmp
memory/1632-24-0x0000000004F20000-0x00000000054C4000-memory.dmp
memory/1632-25-0x0000000002470000-0x0000000002488000-memory.dmp
memory/1632-53-0x0000000002470000-0x0000000002482000-memory.dmp
memory/1632-51-0x0000000002470000-0x0000000002482000-memory.dmp
memory/1632-49-0x0000000002470000-0x0000000002482000-memory.dmp
memory/1632-47-0x0000000002470000-0x0000000002482000-memory.dmp
memory/1632-45-0x0000000002470000-0x0000000002482000-memory.dmp
memory/1632-43-0x0000000002470000-0x0000000002482000-memory.dmp
memory/1632-41-0x0000000002470000-0x0000000002482000-memory.dmp
memory/1632-39-0x0000000002470000-0x0000000002482000-memory.dmp
memory/1632-37-0x0000000002470000-0x0000000002482000-memory.dmp
memory/1632-35-0x0000000002470000-0x0000000002482000-memory.dmp
memory/1632-33-0x0000000002470000-0x0000000002482000-memory.dmp
memory/1632-31-0x0000000002470000-0x0000000002482000-memory.dmp
memory/1632-29-0x0000000002470000-0x0000000002482000-memory.dmp
memory/1632-27-0x0000000002470000-0x0000000002482000-memory.dmp
memory/1632-26-0x0000000002470000-0x0000000002482000-memory.dmp
memory/1632-54-0x0000000000400000-0x00000000004BE000-memory.dmp
memory/1632-55-0x0000000000770000-0x0000000000870000-memory.dmp
memory/1632-57-0x0000000000400000-0x00000000004BE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu087676.exe
| MD5 | 7dd1e1c942cab756ba91dcdcc2c911c9 |
| SHA1 | 3da759ba0a52547ec0d77568bfbb654c8d644d98 |
| SHA256 | 677fd73bd8bcf1ba0d36f2fc9f4cb8ed73d72c16fa198517d91f7d888ddab7c9 |
| SHA512 | 2355f845e99d1fcbbb65423c28f3b5822d18fb648191f9564e8089931c285f0fbaa9318358eb32e1a03321b95528cf16dc0c7a59c597a7d371447f7af585b71b |
memory/3764-62-0x0000000002500000-0x0000000002568000-memory.dmp
memory/3764-63-0x0000000005220000-0x0000000005286000-memory.dmp
memory/3764-75-0x0000000005220000-0x0000000005280000-memory.dmp
memory/3764-81-0x0000000005220000-0x0000000005280000-memory.dmp
memory/3764-97-0x0000000005220000-0x0000000005280000-memory.dmp
memory/3764-95-0x0000000005220000-0x0000000005280000-memory.dmp
memory/3764-93-0x0000000005220000-0x0000000005280000-memory.dmp
memory/3764-89-0x0000000005220000-0x0000000005280000-memory.dmp
memory/3764-87-0x0000000005220000-0x0000000005280000-memory.dmp
memory/3764-85-0x0000000005220000-0x0000000005280000-memory.dmp
memory/3764-83-0x0000000005220000-0x0000000005280000-memory.dmp
memory/3764-79-0x0000000005220000-0x0000000005280000-memory.dmp
memory/3764-77-0x0000000005220000-0x0000000005280000-memory.dmp
memory/3764-73-0x0000000005220000-0x0000000005280000-memory.dmp
memory/3764-71-0x0000000005220000-0x0000000005280000-memory.dmp
memory/3764-69-0x0000000005220000-0x0000000005280000-memory.dmp
memory/3764-67-0x0000000005220000-0x0000000005280000-memory.dmp
memory/3764-91-0x0000000005220000-0x0000000005280000-memory.dmp
memory/3764-65-0x0000000005220000-0x0000000005280000-memory.dmp
memory/3764-64-0x0000000005220000-0x0000000005280000-memory.dmp
memory/3764-2206-0x0000000005410000-0x0000000005442000-memory.dmp
C:\Windows\Temp\1.exe
| MD5 | 03728fed675bcde5256342183b1d6f27 |
| SHA1 | d13eace7d3d92f93756504b274777cc269b222a2 |
| SHA256 | f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0 |
| SHA512 | 6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1 |
memory/1992-2219-0x0000000000480000-0x00000000004AE000-memory.dmp
memory/1992-2220-0x0000000000DA0000-0x0000000000DA6000-memory.dmp
memory/1992-2221-0x0000000005450000-0x0000000005A68000-memory.dmp
memory/1992-2222-0x0000000004F40000-0x000000000504A000-memory.dmp
memory/1992-2223-0x0000000004DF0000-0x0000000004E02000-memory.dmp
memory/1992-2224-0x0000000004E30000-0x0000000004E6C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk158262.exe
| MD5 | c35bc7be17b8f6887552b3a0e2762099 |
| SHA1 | dd96601614e96e769acf22848666670f74d1611b |
| SHA256 | d3d493e310196e0f3b0a74b6442ade87a9f59e97ac48f73efb0df5cfe1379bc5 |
| SHA512 | d3bb5bcbae95941598588df7aae68b000249bfc8a74a62a1d2d979bb2b70381fb4213b66b760157045c9409cb7ec052394be560db425efdda1ed37546c676835 |
memory/1992-2229-0x0000000004EA0000-0x0000000004EEC000-memory.dmp
memory/860-2230-0x00000000000A0000-0x00000000000D0000-memory.dmp
memory/860-2231-0x00000000048B0000-0x00000000048B6000-memory.dmp