Analysis Overview
SHA256
69daf2790ceb24aee42cf84769711a86d6fdc8d154c02f270690cb78db16c883
Threat Level: Known bad
The file 69daf2790ceb24aee42cf84769711a86d6fdc8d154c02f270690cb78db16c883 was found to be: Known bad.
Malicious Activity Summary
Healer family
Redline family
RedLine
Detects Healer, an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
RedLine payload
Healer
Windows security modification
Executes dropped EXE
Adds Run key to start application
Launches sc.exe
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 19:11
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 19:11
Reported
2024-11-09 19:14
Platform
win10v2004-20241007-en
Max time kernel
142s
Max time network
150s
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7002066.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7002066.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7002066.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7002066.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7002066.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7002066.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4054976.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7002066.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8054180.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7002066.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7002066.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\69daf2790ceb24aee42cf84769711a86d6fdc8d154c02f270690cb78db16c883.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4054976.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\69daf2790ceb24aee42cf84769711a86d6fdc8d154c02f270690cb78db16c883.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4054976.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7002066.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8054180.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7002066.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7002066.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\69daf2790ceb24aee42cf84769711a86d6fdc8d154c02f270690cb78db16c883.exe | "C:\Users\Admin\AppData\Local\Temp\69daf2790ceb24aee42cf84769711a86d6fdc8d154c02f270690cb78db16c883.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4054976.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4054976.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7002066.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7002066.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8054180.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8054180.exe |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe start wuauserv |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| CY | 217.196.96.102:4132 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.208.201.84.in-addr.arpa | udp |
| CY | 217.196.96.102:4132 | | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| CY | 217.196.96.102:4132 | | tcp |
| CY | 217.196.96.102:4132 | | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| CY | 217.196.96.102:4132 | | tcp |
| CY | 217.196.96.102:4132 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4054976.exe
| Algorithm | Value |
|---|---|
| MD5 | 6d15e00817aa20f7bf8f3541e8433ef8 |
| SHA1 | 094621e968a28200b92530e529ed0465538a8898 |
| SHA256 | e45f45d2f0de02960286060a317b613de93644b28a39b6dce8542bc305db91db |
| SHA512 | 57c36eb8278f980b3e34a11d5379cf005bae1bae35039a3ec2bb6c0977ba5358868fd9766073e2a30ee05661d88fad0285682192123a030e2079c3209447f4a2 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7002066.exe
| Algorithm | Value |
|---|---|
| MD5 | 19a88f76160979bf1b4e0142c16e252f |
| SHA1 | c48d549ef2248795e2921790e209ff4d53354c5b |
| SHA256 | 6ffc768ddae33b68433997d71f8e32804942e3a2d4f19bebe3553b0c9ce08b00 |
| SHA512 | 36fd1564b93f0dc73809ac5e4963766986932394fed9e0c33d8216132c8947ea560042ac21ff452298e5147b0b2513f1cbac6e7db1fe243d07f1e131c027a757 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8054180.exe
| Algorithm | Value |
|---|---|
| MD5 | 552d1669d62cbb55067b5cd95e6f8180 |
| SHA1 | 10459cfb70045704f86f107e4e90a160a4276733 |
| SHA256 | ea495e75d19e92b6402f6555707710badc2ca3e4d8dfb73ef15b8d12cd23db4b |
| SHA512 | 492bac6745f3341e00f10cb63edd1bec548c12739de3988ef08fffd78ac3c9b71a0f4d7c339d926dc13e35b191b6f16eb7684b30a02b1d9c7605b2b037790e6d |