Analysis Overview
SHA256
8d87beb9d708dcb7cd5e0281c4c525397a8e4d60190b2569f1bf5fcca598ddf0
Threat Level: Known bad
The file 8d87beb9d708dcb7cd5e0281c4c525397a8e4d60190b2569f1bf5fcca598ddf0 was found to be: Known bad.
Malicious Activity Summary
Healer
Detects Healer, an antivirus disabler dropper
Redline family
RedLine
Modifies Windows Defender Real-time Protection settings
Healer family
RedLine payload
Executes dropped EXE
Windows security modification
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 05:02
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 05:02
Reported
2024-11-09 05:04
Platform
win10v2004-20241007-en
Max time kernel
143s
Max time network
147s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4563776.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4563776.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4563776.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4563776.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4563776.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4563776.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4332584.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4563776.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6534444.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4563776.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4563776.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\8d87beb9d708dcb7cd5e0281c4c525397a8e4d60190b2569f1bf5fcca598ddf0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4332584.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8d87beb9d708dcb7cd5e0281c4c525397a8e4d60190b2569f1bf5fcca598ddf0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4332584.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4563776.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6534444.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4563776.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4563776.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4563776.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8d87beb9d708dcb7cd5e0281c4c525397a8e4d60190b2569f1bf5fcca598ddf0.exe
"C:\Users\Admin\AppData\Local\Temp\8d87beb9d708dcb7cd5e0281c4c525397a8e4d60190b2569f1bf5fcca598ddf0.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4332584.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4332584.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4563776.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4563776.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6534444.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6534444.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| CY | 217.196.96.101:4132 | | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.190.18.2.in-addr.arpa | udp |
| CY | 217.196.96.101:4132 | | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| CY | 217.196.96.101:4132 | | tcp |
| CY | 217.196.96.101:4132 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| CY | 217.196.96.101:4132 | | tcp |
| CY | 217.196.96.101:4132 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4332584.exe
| MD5 | eb21177946b94342eccf490b098fefb5 |
| SHA1 | 3ffd523d940a3a5c0760a43a5acfd4e88ac6fd31 |
| SHA256 | 7cffb20c6eabb9ce0dbf2ebe05b6c3381e15ea33057f485363fb722127efb9d2 |
| SHA512 | ca204b4452ca60535529d24508b5d727ccb5a877e67db90075fa47a52baa4baddc83f0135ec7e83abf7c73c00fa0a1319393470d3fbe0ce9aef5b42f0393fa75 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4563776.exe
| MD5 | 80b20d8b075c0e86417f1a2b1cb0f82f |
| SHA1 | b6fb441963c757a9125d4586b6f2d07b1733fc73 |
| SHA256 | 01e1bc0c83578752d78e083bbaf8421cc4381af3304e7b8b7823420e630a89f1 |
| SHA512 | 8818687efe14def04961db3ad83a5d0855f3c5727a0592cfa9e931c0f3d6477d70adb4a46ec526b7c4b530b91adec3b41505dc001449b33d765cc46b8a862ea1 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6534444.exe
| MD5 | 98410df571da7e6f92433c1fe522296a |
| SHA1 | 15caca180a5c72bde8d7f919fdde68fcb0788136 |
| SHA256 | 76927b0dfc1ebfa2890ae6f6b5070f03d6e8a1d04d44ebe112ccb2595967881e |
| SHA512 | 2f191f4b2742a621aa66a2b6eaf77e00129863b66a943c019b3c48b8b5c7dcffb80469505c5c5cc5336f60f83e7f8c401e47c72aa4fa89593d469f380445dca0 |