Analysis Overview
SHA256
59b1696761224935ad29bd6cf46b6e4f505e8012be4d88828ce88c280204c48b
Threat Level: Known bad
The file 59b1696761224935ad29bd6cf46b6e4f505e8012be4d88828ce88c280204c48b was found to be: Known bad.
Malicious Activity Summary
Healer family
RedLine
Redline family
RedLine payload
Detects Healer, an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
Windows security modification
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 05:09
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 05:09
Reported
2024-11-09 05:11
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5652.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5652.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5652.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5652.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5652.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5652.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un193496.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5652.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3104.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5652.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5652.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\59b1696761224935ad29bd6cf46b6e4f505e8012be4d88828ce88c280204c48b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un193496.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5652.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5652.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3104.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\59b1696761224935ad29bd6cf46b6e4f505e8012be4d88828ce88c280204c48b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un193496.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5652.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5652.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5652.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3104.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\59b1696761224935ad29bd6cf46b6e4f505e8012be4d88828ce88c280204c48b.exe | "C:\Users\Admin\AppData\Local\Temp\59b1696761224935ad29bd6cf46b6e4f505e8012be4d88828ce88c280204c48b.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un193496.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un193496.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5652.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5652.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2540 -ip 2540 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 1084 |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3104.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3104.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| RU | 176.113.115.145:4125 | | tcp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 168.253.116.51.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un193496.exe
| MD5 | 0b6757967148f63d4646e3a9962fdba1 |
| SHA1 | 1d0f9a80dd5e993b2137ed1ec4d1d6341e620568 |
| SHA256 | 569347686f1b4bfa455c32796f0d2316f046ec6304d4d16cb60d3eb5398b5b62 |
| SHA512 | 0cc45c188edde411652b0b735f5356cef1b79af77fc1d45f26f25e065957de9078eec6acf7165a23d4d71b218bedf7f729d5b92dbfde184e4a8cc707d24f1b38 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5652.exe
| MD5 | 5a6c217d8e38307a56e57cdf154abc7c |
| SHA1 | ede9eef581013d7050befce767ebd7b9cbcfd3d2 |
| SHA256 | 7b75883394b37d6d42f9a1fd0ec3d8516e48441935ea51b128a7f6da9c0f8f7f |
| SHA512 | 4ea36a456e2cb0e12ef560f483920b536adf07021e34ae7e67af1941ca766e7482dd768dfbc480b1dd7bdcf65c7614297700330705a403d17ece0d5ce93b8759 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3104.exe
| MD5 | 812153ffaf3811afdc07d1e5811043e6 |
| SHA1 | 7ee9e034ce8bb5cd3cf1bbf084365f210c13b0b0 |
| SHA256 | 935a1a653308fe7c376f305eda28b5c62ef9aa8ffa4863a6c90bfb29ba05d0c0 |
| SHA512 | 66d8788d45826a3bd173f5bc4b30e02d640ad4226ed5978988027b551c7a3657ce0f5244cf2eac8806ac4259fa0e9942f61f445ef2a7de959a17dc7ee9a3efe6 |