Analysis Overview
SHA256
61e28a9fcd1dc4a6978dfc30a2c075c23716fb61969cda4ba845e19533e0741a
Threat Level: Known bad
The file 61e28a9fcd1dc4a6978dfc30a2c075c23716fb61969cda4ba845e19533e0741a was found to be: Known bad.
Malicious Activity Summary
Healer family
Redline family
Detects Healer an antivirus disabler dropper
RedLine payload
RedLine
Modifies Windows Defender Real-time Protection settings
Healer
Checks computer location settings
Executes dropped EXE
Windows security modification
Adds Run key to start application
System Location Discovery: System Language Discovery
Program crash
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 09:14
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 09:14
Reported
2024-11-08 09:17
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr916448.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr916448.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr916448.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr916448.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr916448.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr916448.exe | N/A |
RedLine
RedLine payload
Redline family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu446647.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un165536.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un373071.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr916448.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu446647.exe | N/A |
| N/A | N/A | C:\Windows\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk208572.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr916448.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr916448.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un165536.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un373071.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\61e28a9fcd1dc4a6978dfc30a2c075c23716fb61969cda4ba845e19533e0741a.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr916448.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu446647.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un373071.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr916448.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu446647.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk208572.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\61e28a9fcd1dc4a6978dfc30a2c075c23716fb61969cda4ba845e19533e0741a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un165536.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr916448.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr916448.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr916448.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu446647.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\61e28a9fcd1dc4a6978dfc30a2c075c23716fb61969cda4ba845e19533e0741a.exe
"C:\Users\Admin\AppData\Local\Temp\61e28a9fcd1dc4a6978dfc30a2c075c23716fb61969cda4ba845e19533e0741a.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un165536.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un165536.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un373071.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un373071.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr916448.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr916448.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1612 -ip 1612
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1044
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu446647.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu446647.exe
C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2756 -ip 2756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 1380
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk208572.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk208572.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| RU | 185.161.248.90:4125 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
| US | 8.8.8.8:53 | 67.112.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un165536.exe
| MD5 | 9391f38af1104effc335730feeadda0f |
| SHA1 | 4695b02a774213d25b0a6a5be8d64219a47f0f37 |
| SHA256 | ea0a253f27d7e2d745f47a7e2129bba837e4795ff045aa929a9547e1f8c901cd |
| SHA512 | 3c265c40379838fc6a0ff19cb4cf89463981f315456de9d6c66cb30375451b8aed5a00dfb0591d175b33ddf56c751de6ad8850e83105cf11ea87b47b49f3c775 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un373071.exe
| MD5 | 69059b328c62b0af0be9642016924e58 |
| SHA1 | 59a6be5c53af0d4a711312938f753353a3929ebb |
| SHA256 | a28431fd12845cf6d4dca2ddc9c631cdb726bf5af15dbc69d19b6ee42614bb64 |
| SHA512 | 9503fd525c8441c32c4f89e6dc2796610b2497e83dfb72d3c1da57df0582c22b26f6f5e121d42581a729d6dd700531cda029e8ea9a9eace7077fb12c553ec4b8 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr916448.exe
| MD5 | 4901fc291961ddbb461572e635b16095 |
| SHA1 | fc68791be43ca0a643d857ab91cc6093dc7ce1b8 |
| SHA256 | 091404d891b393a3addde4b486dbbf8f24bf19552673d408a21d8e09737e42eb |
| SHA512 | 6ee23edc39a9446bc100af831d076cd684bea9f4d96594dbe2d7ba1ffc283eed2e957ee77a68bbd9e86bdd861b1f9677e30136c402765340c5d974fe99bd7bd9 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu446647.exe
| MD5 | 8c4010505c8b83694e0e11c784d91299 |
| SHA1 | 05ddb1dd9fd062c6ab508bc18a4ca161b0b11d5b |
| SHA256 | 1b011d57d82bbd074c49dd1df0cea05ff204cb978286afb2505cb775090ffadc |
| SHA512 | 72d2518614f1715eb6aa053ac0cc09bfdb137fbd9efde327754759102b45c90010452412337a75c8ef7dd71be4cafa65cb8552426ace99f7e161bad11670c611 |
C:\Windows\Temp\1.exe
| MD5 | 03728fed675bcde5256342183b1d6f27 |
| SHA1 | d13eace7d3d92f93756504b274777cc269b222a2 |
| SHA256 | f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0 |
| SHA512 | 6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk208572.exe
| MD5 | c52ebada00a59ec1f651a0e9fbcef2eb |
| SHA1 | e1941278df76616f1ca3202ef2a9f99d2592d52f |
| SHA256 | 35d5cff482e78c0137b3c51556d1e14aab0f38921ebfe46abc979a826301d28e |
| SHA512 | 6b11124fa6cfa1d2fdb8b6a4cc237b4a65ecbeb1797179568dcef378041ce05bdf0af9b6434cc0b3feb2479112d003b0fa5c0d2178c73bc65d35f5c2cfb36be2 |