Analysis Overview
SHA256
68d6e09074432c636b1b232a461bfa46cd9517c27730339d4ed26db71e61aa40
Threat Level: Known bad
The file 68d6e09074432c636b1b232a461bfa46cd9517c27730339d4ed26db71e61aa40 was found to be: Known bad.
Malicious Activity Summary
Healer family
Modifies Windows Defender Real-time Protection settings
Detects Healer an antivirus disabler dropper
Healer
Redline family
RedLine payload
RedLine
Executes dropped EXE
Windows security modification
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 03:50
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 03:50
Reported
2024-11-09 03:52
Platform
win10v2004-20241007-en
Max time kernel
142s
Max time network
152s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3815205.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3815205.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3815205.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3815205.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3815205.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3815205.exe | N/A |
RedLine
RedLine payload
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2512802.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3815205.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1279850.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3815205.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3815205.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\68d6e09074432c636b1b232a461bfa46cd9517c27730339d4ed26db71e61aa40.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2512802.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3815205.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1279850.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\68d6e09074432c636b1b232a461bfa46cd9517c27730339d4ed26db71e61aa40.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2512802.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3815205.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3815205.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3815205.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\68d6e09074432c636b1b232a461bfa46cd9517c27730339d4ed26db71e61aa40.exe | "C:\Users\Admin\AppData\Local\Temp\68d6e09074432c636b1b232a461bfa46cd9517c27730339d4ed26db71e61aa40.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2512802.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2512802.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3815205.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3815205.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1279850.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1279850.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| CY | 217.196.96.101:4132 | N/A | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| CY | 217.196.96.101:4132 | N/A | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| CY | 217.196.96.101:4132 | N/A | tcp |
| CY | 217.196.96.101:4132 | N/A | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| CY | 217.196.96.101:4132 | N/A | tcp |
| CY | 217.196.96.101:4132 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2512802.exe
| MD5 | 4616799384611d870660ae307618af3d |
| SHA1 | 70933f3a3dc729ceed950732395ad442c5889872 |
| SHA256 | a13f44521298d74845c100c608f8c758f78ecb3e24c894dd6b3dbcf47863738a |
| SHA512 | 250d03ec005945aa8abc163ef4991242347d671e85b09e0ee9f028a97d7a478cf5e1a10328a68ba2381c1de35f1955c0ebc5c59f21c079ba46647a3b421e5416 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3815205.exe
| MD5 | 5501c8236751d6dbb79015eec53014f1 |
| SHA1 | b78369d090480ec0c5b740ff2f3d2cef28fede79 |
| SHA256 | 3576618dd4cec5f29550ccc72fe1b389f66ba2049a174d24dd3a9ea6611180c0 |
| SHA512 | c47906c9b043eccb45726766637ed6beb4239d715afad372653a23ed474cb3acd3fba8190853433c613afeefcbd10b15046ead00c498d9a99012fc50b15ceb61 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1279850.exe
| MD5 | 293f4c85befccf4b39645633d059ec65 |
| SHA1 | 976b3196078f22e6ab104d1bccd5017d5e7858b3 |
| SHA256 | 8b3ae63c4a67ac3d2f1c15a065579afa6db5740528aa16d21880f5b2479194af |
| SHA512 | e18c5159da188e8fa1e6a6269cf9841e8d9185d339ec3f0dcbf3e764edeadb2e4945c30640aa054aeb38a81785681b7438f6438404862f737adf5822004c2dd9 |