Analysis Overview
SHA256
f07f9b8cf5f8db705f12e7147b363a6017b38e67908c92c23049c0da3aa70b92
Threat Level: Known bad
The file f07f9b8cf5f8db705f12e7147b363a6017b38e67908c92c23049c0da3aa70b92 was found to be: Known bad.
Malicious Activity Summary
Healer
Healer family
RedLine payload
Amadey
RedLine
Amadey family
Detects Healer an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
Redline family
Checks computer location settings
Windows security modification
Executes dropped EXE
Adds Run key to start application
Launches sc.exe
System Location Discovery: System Language Discovery
Unsigned PE
Program crash
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 12:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 12:01
Reported
2024-11-08 12:04
Platform
win10v2004-20241007-en
Max time kernel
146s
Max time network
151s
Command Line
Signatures
Amadey
Amadey family
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr703063.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr703063.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr703063.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr703063.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr703063.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr703063.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu798103.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si273820.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un429529.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr703063.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu798103.exe | N/A |
| N/A | N/A | C:\Windows\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si273820.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr703063.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr703063.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\f07f9b8cf5f8db705f12e7147b363a6017b38e67908c92c23049c0da3aa70b92.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un429529.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr703063.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu798103.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f07f9b8cf5f8db705f12e7147b363a6017b38e67908c92c23049c0da3aa70b92.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un429529.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr703063.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu798103.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si273820.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr703063.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr703063.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr703063.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu798103.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\f07f9b8cf5f8db705f12e7147b363a6017b38e67908c92c23049c0da3aa70b92.exe | "C:\Users\Admin\AppData\Local\Temp\f07f9b8cf5f8db705f12e7147b363a6017b38e67908c92c23049c0da3aa70b92.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un429529.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un429529.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr703063.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr703063.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4800 -ip 4800 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 1084 |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu798103.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu798103.exe |
| C:\Windows\Temp\1.exe | "C:\Windows\Temp\1.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4204 -ip 4204 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 1552 |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si273820.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si273820.exe |
| C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe | "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F |
| C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe | C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe |
| C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe | C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe start wuauserv |
| C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe | C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe |
Network
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un429529.exe
| MD5 | e069fb1adf4f468877d9deb2ba04f05f |
| SHA1 | 4bad8b4f35c590582cafc4f5ea347d9a4d29699a |
| SHA256 | 9596df42fc12c270453cbd5fb68eb7dbac2dab59ec07d9aa1a9be19cca71336b |
| SHA512 | e966c0e0e4713d54a075fd2a8e94bca9a39249855f1b98ff61f98b100475e80149e50ce24c4cbbc4bff7ba41a35d0641f2b1f50f74164b4ff33cc69aca1a2a67 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr703063.exe
| MD5 | 1c06ab0f1e2a90c8c0d9b52c208c3eef |
| SHA1 | bba8c94a1e24bd2d2f543b147ae6ae0a7c1e0e35 |
| SHA256 | e9e10990f8bff5e58bccb1000fefd07cab4172befa125894625baa26a6b3d55e |
| SHA512 | 3bb25fe6e18f18b4a88673fdcfce9b497bcc74e035fe96d6c703a68a88eb09554bb218cfc71b7eabc3d891d4a15286a3e0f8335da0b36ced655128375716983d |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu798103.exe
| MD5 | ef91c7ed676f21d1f98de59436d2f695 |
| SHA1 | f6bdf5a7dd7277aa5d9cda0ffbcd9cb54def3bb9 |
| SHA256 | e1fa0c048a1569aba494f83b7f639040e0e965b6f49a14bc5bd57568c4f2ecf7 |
| SHA512 | 6a33dde9374990474a69d6e6677ad43dd4353f9a9c363034ace2d6c7eff6cafe240e3be289404441de3e5ed393aead293097880af618c5d03df177513b616f57 |
C:\Windows\Temp\1.exe
| MD5 | 03728fed675bcde5256342183b1d6f27 |
| SHA1 | d13eace7d3d92f93756504b274777cc269b222a2 |
| SHA256 | f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0 |
| SHA512 | 6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si273820.exe
| MD5 | ee1f5f0e1168ce5938997c932b4dcd27 |
| SHA1 | b8c0928da3a41d579c19f44b9e1fef6014d06452 |
| SHA256 | dea01b17d6e06c3bdf6f5387faa77a788ce9726a3110db90294b2e207b3d51ed |
| SHA512 | bacc2d22b71bc5bc73c0699aaf4e2271effa4fe47c3ac63f3ee3ae3385d963eb6f93db082a9530d75d5c6f13884f30b0375d41badfe540f31ef747003a36c0a8 |