Analysis Overview
SHA256
106bf326e29c6bc7c4698c25095ecd2eec2b9cabd3bed14fe7e9b7a95f64258a
Threat Level: Known bad
The file 106bf326e29c6bc7c4698c25095ecd2eec2b9cabd3bed14fe7e9b7a95f64258a was found to be: Known bad.
Malicious Activity Summary
Detects Healer, an antivirus disabler dropper
Healer
Healer family
Redline family
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine payload
Windows security modification
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Program crash
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 03:55
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 03:55
Reported
2024-11-09 03:57
Platform
win10v2004-20241007-en
Max time kernel
143s
Max time network
149s
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04229891.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04229891.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04229891.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04229891.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04229891.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04229891.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un800228.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04229891.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk437550.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04229891.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04229891.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\106bf326e29c6bc7c4698c25095ecd2eec2b9cabd3bed14fe7e9b7a95f64258a.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un800228.exe | N/A |
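Two things a triage analyst wants from the three registry tables above: a rule that fires on the Defender changes regardless of whether a 32-bit or 64-bit process made them (the sandbox logged every write under WOW6432Node, the redirected view a 32-bit process gets on 64-bit Windows), and the caveat that the RunOnce entries are not payload persistence. `wextract_cleanup0`/`wextract_cleanup1` pointing at `advpack.dll,DelNodeRunDLL32` is what the IExpress self-extractor leaves behind to delete its `IXP00n.TMP` extraction directory at next logon; its value is that it tells you the sample and `un800228.exe` are IExpress packages and names the directories the payloads were unpacked into. Likewise, the report records the write of `TamperProtection = "0"`, not whether Defender honoured it; with Tamper Protection enabled that write is rejected, so read it as intent rather than confirmed impact. The parser and rules below are an added example, not the sandbox's own code. The sample rows are copied from this report, except the final `explorer.exe` row, which is constructed so the rules have something to ignore.

```python
from dataclasses import dataclass
from typing import List, Optional

# Registry rows copied from the report above, in the sandbox's table layout.
# The last row is constructed (a benign Explorer setting) so the rules have
# something to ignore. Parser and rules are an added example, not the
# sandbox's own tooling.
SAMPLE_EVENTS = [
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04229891.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04229891.exe | N/A |',
    r'| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04229891.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04229891.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un800228.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShowFrequent = "1" | C:\Windows\explorer.exe | N/A |',
]

HKLM = "\\registry\\machine"
RTP_POLICY_KEY = "hklm\\software\\policies\\microsoft\\windows defender\\real-time protection"
RTP_DISABLE_VALUES = {
    "disablerealtimemonitoring", "disablebehaviormonitoring", "disableioavprotection",
    "disableonaccessprotection", "disablescanonrealtimeenable",
}
FEATURES_KEY = "hklm\\software\\microsoft\\windows defender\\features"
RUNONCE_KEY = "hklm\\software\\microsoft\\windows\\currentversion\\runonce"


@dataclass(frozen=True)
class RegEvent:
    action: str
    key: str                   # normalized: hklm\..., WOW6432Node removed, lower-case
    value_name: Optional[str]  # None for key-level events such as "Key created"
    data: Optional[str]
    process: str
    wow64_view: bool           # True when the sandbox logged the write under WOW6432Node


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    process: str
    key: str
    value_name: Optional[str]
    data: Optional[str]


def normalize_key(path: str) -> str:
    """Lower-case, map \\REGISTRY\\MACHINE to hklm and drop the WOW6432Node hop, so a
    32-bit writer and a 64-bit writer of the same setting hit the same rule."""
    p = path.lower().replace("\\wow6432node", "")
    if p.startswith(HKLM):
        p = "hklm" + p[len(HKLM):]
    return p


def parse_event(line: str) -> RegEvent:
    """Parse one '| action | indicator | process | target |' row from the report."""
    cells = [c.strip() for c in line.strip().strip("|").split(" | ")]
    action, indicator, process = cells[0], cells[1], cells[2]
    path, sep, data = indicator.partition(" = ")          # first ' = ' ends the key path
    if sep:
        if len(data) >= 2 and data[0] == data[-1] == '"':
            data = data[1:-1]                             # drop the outer quotes only
    else:
        data = None                                       # key-level event, no value
    wow64 = "\\wow6432node\\" in path.lower()
    if action.startswith("Set value"):
        key, _, value_name = normalize_key(path).rpartition("\\")
    else:
        key, value_name = normalize_key(path), None
    return RegEvent(action, key, value_name, data, process, wow64)


def evaluate(ev: RegEvent) -> Optional[Finding]:
    """Rules for the behaviour this report shows."""
    if ev.key == RTP_POLICY_KEY and ev.value_name in RTP_DISABLE_VALUES and ev.data == "1":
        rule, sev = "defender_realtime_policy_disabled", "high"
    elif ev.key == FEATURES_KEY and ev.value_name == "tamperprotection" and ev.data == "0":
        # The report records the attempt; with Tamper Protection on, Defender rejects
        # this write. Score it as intent, not as confirmed impact.
        rule, sev = "defender_tamper_protection_write", "high"
    elif (ev.key == RUNONCE_KEY and ev.value_name is not None
          and ev.value_name.startswith("wextract_cleanup")
          and "delnoderundll32" in (ev.data or "").lower()):
        # Standard IExpress (wextract) clean-up of its IXP00n.TMP directory at next
        # logon: benign by itself, but it identifies the package and the drop directory.
        rule, sev = "iexpress_cleanup_runonce", "info"
    else:
        return None
    return Finding(rule, sev, ev.process, ev.key, ev.value_name, ev.data)


def scan(lines: List[str]) -> List[Finding]:
    """Run every rule over every row and keep the hits, in report order."""
    return [f for f in (evaluate(parse_event(line)) for line in lines) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.process} -> {f.key}\\{f.value_name} = {f.data!r}")
```

Run as-is it prints four findings: two high-severity Defender policy hits and the Tamper Protection write, all from `04229891.exe`, and one informational IExpress clean-up hit from `un800228.exe`; the "Key created" row and the constructed Explorer row produce nothing.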
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04229891.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\106bf326e29c6bc7c4698c25095ecd2eec2b9cabd3bed14fe7e9b7a95f64258a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un800228.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04229891.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk437550.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04229891.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04229891.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk437550.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\106bf326e29c6bc7c4698c25095ecd2eec2b9cabd3bed14fe7e9b7a95f64258a.exe | "C:\Users\Admin\AppData\Local\Temp\106bf326e29c6bc7c4698c25095ecd2eec2b9cabd3bed14fe7e9b7a95f64258a.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un800228.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un800228.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04229891.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04229891.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1156 -ip 1156 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 1080 |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk437550.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk437550.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| RU | 185.161.248.143:38452 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un800228.exe
| MD5 | 22c93af7dc94c8928cdddbd84b205391 |
| SHA1 | b08c303cea77885baa16458c591dec12f637bbb3 |
| SHA256 | ea213a31e1ad1addec54b34c179db45ff66ce7a7362ad7096722ec14f16645df |
| SHA512 | 2efd603131e1c18e63c5014069b1be188f8d4f76c1f4d191d5e5aecb4875a39fefaf774de68958469c897ba4ffa5d1e55e36d77520abf893ce50c46a13d5be4e |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04229891.exe
| MD5 | f78f972daad203de1a2120cd43fa3362 |
| SHA1 | c2c2a6a0404e414768c13860c9e24075deef8dfe |
| SHA256 | 18f3783b820beb723fc16c1dcd224c5e5e283a94376a8eda6a37cad8009cec9c |
| SHA512 | 8f74dcd5d6afbcf42e2bb4aa93ef3a2a39bb7f437afdbb7f7a49ee87a1461805339261ad3b4701062f0e8f5cdd7890255c8f2f09f95ddf614a706d596f3d155e |
memory/1156-15-0x0000000002EF0000-0x0000000002FF0000-memory.dmp
memory/1156-16-0x0000000002CB0000-0x0000000002CDD000-memory.dmp
memory/1156-17-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1156-18-0x0000000007210000-0x000000000722A000-memory.dmp
memory/1156-19-0x00000000073B0000-0x0000000007954000-memory.dmp
memory/1156-20-0x0000000007270000-0x0000000007288000-memory.dmp
memory/1156-21-0x0000000007270000-0x0000000007283000-memory.dmp
memory/1156-40-0x0000000007270000-0x0000000007283000-memory.dmp
memory/1156-48-0x0000000007270000-0x0000000007283000-memory.dmp
memory/1156-46-0x0000000007270000-0x0000000007283000-memory.dmp
memory/1156-44-0x0000000007270000-0x0000000007283000-memory.dmp
memory/1156-43-0x0000000007270000-0x0000000007283000-memory.dmp
memory/1156-38-0x0000000007270000-0x0000000007283000-memory.dmp
memory/1156-36-0x0000000007270000-0x0000000007283000-memory.dmp
memory/1156-34-0x0000000007270000-0x0000000007283000-memory.dmp
memory/1156-33-0x0000000007270000-0x0000000007283000-memory.dmp
memory/1156-30-0x0000000007270000-0x0000000007283000-memory.dmp
memory/1156-28-0x0000000007270000-0x0000000007283000-memory.dmp
memory/1156-26-0x0000000007270000-0x0000000007283000-memory.dmp
memory/1156-24-0x0000000007270000-0x0000000007283000-memory.dmp
memory/1156-22-0x0000000007270000-0x0000000007283000-memory.dmp
memory/1156-49-0x0000000002EF0000-0x0000000002FF0000-memory.dmp
memory/1156-50-0x0000000002CB0000-0x0000000002CDD000-memory.dmp
memory/1156-52-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1156-51-0x0000000000400000-0x0000000002B9B000-memory.dmp
memory/1156-55-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk437550.exe
| MD5 | d039136e4ab774f02c63fc0a2874ea01 |
| SHA1 | 1b3a1dea9c305fdb01e1e1f993d51d0fea83e453 |
| SHA256 | 846cdea9a4cbaf17c1ec38b4b7e9cb60bd616c1e345622d9fffdba46900fd3f2 |
| SHA512 | 80b4ef4b07dd8034ce83a6f923d696007effee201d88e76af99d61866c5e1bfa2d368bf2be0f57127d048b786c0396bb0ba98db50155f9275133da2e29da4dd8 |
memory/1156-54-0x0000000000400000-0x0000000002B9B000-memory.dmp
memory/876-60-0x0000000004BF0000-0x0000000004C2C000-memory.dmp
memory/876-61-0x0000000007790000-0x00000000077CA000-memory.dmp
memory/876-69-0x0000000007790000-0x00000000077C5000-memory.dmp
memory/876-63-0x0000000007790000-0x00000000077C5000-memory.dmp
memory/876-96-0x0000000007790000-0x00000000077C5000-memory.dmp
memory/876-93-0x0000000007790000-0x00000000077C5000-memory.dmp
memory/876-91-0x0000000007790000-0x00000000077C5000-memory.dmp
memory/876-90-0x0000000007790000-0x00000000077C5000-memory.dmp
memory/876-87-0x0000000007790000-0x00000000077C5000-memory.dmp
memory/876-85-0x0000000007790000-0x00000000077C5000-memory.dmp
memory/876-84-0x0000000007790000-0x00000000077C5000-memory.dmp
memory/876-81-0x0000000007790000-0x00000000077C5000-memory.dmp
memory/876-79-0x0000000007790000-0x00000000077C5000-memory.dmp
memory/876-77-0x0000000007790000-0x00000000077C5000-memory.dmp
memory/876-75-0x0000000007790000-0x00000000077C5000-memory.dmp
memory/876-73-0x0000000007790000-0x00000000077C5000-memory.dmp
memory/876-71-0x0000000007790000-0x00000000077C5000-memory.dmp
memory/876-67-0x0000000007790000-0x00000000077C5000-memory.dmp
memory/876-65-0x0000000007790000-0x00000000077C5000-memory.dmp
memory/876-62-0x0000000007790000-0x00000000077C5000-memory.dmp
memory/876-854-0x0000000009C90000-0x000000000A2A8000-memory.dmp
memory/876-855-0x000000000A330000-0x000000000A342000-memory.dmp
memory/876-856-0x000000000A350000-0x000000000A45A000-memory.dmp
memory/876-857-0x000000000A470000-0x000000000A4AC000-memory.dmp
memory/876-858-0x0000000004AB0000-0x0000000004AFC000-memory.dmp