Analysis Overview
SHA256
c81962925360d19471628b6c693f713fb72b35861090bed8c8f286c6365ecdd2
Threat Level: Known bad
The file c81962925360d19471628b6c693f713fb72b35861090bed8c8f286c6365ecdd2 was found to be: Known bad.
Malicious Activity Summary
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
RedLine payload
Redline family
RedLine
Healer family
Windows security modification
Executes dropped EXE
Adds Run key to start application
Program crash
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 21:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 21:56
Reported
2024-11-09 21:58
Platform
win10v2004-20241007-en
Max time kernel
142s
Max time network
144s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4333.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4333.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4333.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4333.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1021dN.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1021dN.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4333.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4333.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1021dN.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1021dN.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1021dN.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1021dN.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3685.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4306.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4481.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4333.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1021dN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w80FD10.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4333.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1021dN.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1021dN.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\c81962925360d19471628b6c693f713fb72b35861090bed8c8f286c6365ecdd2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3685.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4306.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4481.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1021dN.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w80FD10.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c81962925360d19471628b6c693f713fb72b35861090bed8c8f286c6365ecdd2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3685.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4306.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4481.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1021dN.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4333.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4333.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1021dN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1021dN.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4333.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1021dN.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w80FD10.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\c81962925360d19471628b6c693f713fb72b35861090bed8c8f286c6365ecdd2.exe | "C:\Users\Admin\AppData\Local\Temp\c81962925360d19471628b6c693f713fb72b35861090bed8c8f286c6365ecdd2.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3685.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3685.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4306.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4306.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4481.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4481.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4333.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4333.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1021dN.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1021dN.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 868 -ip 868 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 1084 |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w80FD10.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w80FD10.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| RU | 176.113.115.145:4125 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3685.exe
| MD5 | 4b851bfa0a52d9721528472960bea39e |
| SHA1 | 86f2c3dd4bf39695c91dae0f1ead6825941c889c |
| SHA256 | 218d79c7a6d75888470584ab9b519ba57ba3f2c835b42c8cc7f3022015182c53 |
| SHA512 | 1bbfa990c9e327c82655d93207ca8ea84af58e49e145a50ea5960ef1d33fe4fdb7bedbbaa6e1f6e1f08616c4d96c26c97e69320d9e435fa83f967ab37032faac |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4306.exe
| MD5 | d3fd21661e5c780fd5a990ed573b0895 |
| SHA1 | 428468b5c11caa1ff442a21fbbd9ec3ca86e3e94 |
| SHA256 | 0ad922e6eb19cd59073d1eb61fb950ed32689a2ea4a582ac007e43022453a561 |
| SHA512 | 0dc79a759cfd731dd95c75ea529c76ee22729c9cecf533596012b682368fa9f47bab14b9e4591ecca92237a2e5cffe57ee78a1f48c1c632743726def77badc19 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4481.exe
| MD5 | 2c056cc3f964ee550f3581c39a7eb65b |
| SHA1 | 221655d8149a61dfdc34cbeba957018bcaa563e4 |
| SHA256 | cfad3c0ce756871d58998b347184c0609a7a58fea6dcd0451401034c6d8bfb20 |
| SHA512 | 653f3d9864da0a1a7983685cf81cd01cc0dbd9d7815a267f36b3f148c3748659cc01b383ab8cfe823d3198e927d0bc6e3d625525cb475045e9e483c5f1dbd6e5 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4333.exe
| MD5 | 7c291b64056bf2aaacaeca34023ec2f4 |
| SHA1 | cb592c6614d7063d6876c175b9d1a3b0e7678cb5 |
| SHA256 | 44c8011e3392c890b1f30fa5382bd621a95d94cae28cccfa4cc6e8e062541951 |
| SHA512 | 1bb04549c56e2558eec71cac26c125044ed093ed427e5ece594d81d20d07e50f6b1ef408de05f064d4cd0c66090d67ce7da7338c06f85cb8d7c0848ccd8cdbf7 |
memory/4980-28-0x0000000000FE0000-0x0000000000FEA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1021dN.exe
| MD5 | f40854be7e29461c8f4a47dd907d4180 |
| SHA1 | 31c8eb58e1921aa843e02d72f55e754349e7028b |
| SHA256 | 73afc9bf1423ee6f9b2912907558ee25607f09d5df467093a989b87d43ad27f8 |
| SHA512 | 41dba6c847b6bbcd0b3d933b39f0b5af205469dd02c0397e88bf2de3ffff3e9b51ce3d4cc67dc9551f026b3452ffa84a4a3cd675337ffdb78bc0c92b7c2404bd |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w80FD10.exe
| MD5 | d47ff96c02eeea76620286a8bcbb64cf |
| SHA1 | 334addf5fe11776a6051e28b92f9c357c410f1e7 |
| SHA256 | 35feea349f02b293e5a8602ed7f8d9c2b77af26551797d079e989a1522af143a |
| SHA512 | 680c3cfa757874c5b0ef4318ceda1451e54374ed4d4423b5a0501d9f4e1febeff63628a90e29e698a0745593407092220882d8a1a3ff775460ac0393c2c4c9e3 |