Analysis Overview
SHA256
443f88888e35e65e8a315d36c1950eb9bf456d1581c5cc31266344ad594062cb
Threat Level: Known bad
The file 443f88888e35e65e8a315d36c1950eb9bf456d1581c5cc31266344ad594062cb was found to be: Known bad.
Malicious Activity Summary
Detects Healer an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
RedLine payload
Healer
RedLine
Healer family
Redline family
Windows security modification
Executes dropped EXE
Adds Run key to start application
Program crash
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 19:13
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 19:13
Reported
2024-11-09 19:16
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7307.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7307.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7307.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7307.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7307.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7307.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un316952.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7307.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0666.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7307.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7307.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\443f88888e35e65e8a315d36c1950eb9bf456d1581c5cc31266344ad594062cb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un316952.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7307.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7307.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0666.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\443f88888e35e65e8a315d36c1950eb9bf456d1581c5cc31266344ad594062cb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un316952.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7307.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7307.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7307.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0666.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\443f88888e35e65e8a315d36c1950eb9bf456d1581c5cc31266344ad594062cb.exe
"C:\Users\Admin\AppData\Local\Temp\443f88888e35e65e8a315d36c1950eb9bf456d1581c5cc31266344ad594062cb.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un316952.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un316952.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7307.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7307.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1428 -ip 1428
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 1088
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0666.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0666.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| RU | 176.113.115.145:4125 | | tcp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un316952.exe
| MD5 | 7552bbde8b3b393c764d9f8a5613b2d3 |
| SHA1 | 8f7a1fc74ee6ec8d44814c5f552ac009f541e8b8 |
| SHA256 | a4e7f79f58b63693402e81cac8cf86e7d675b87be38b2a99f89c7d3b7155730e |
| SHA512 | 759262448b499ece9f3819fa4d5096697ca2102d523776e8dc9e6c1c67f35a273a86111aba0c470f9d66c8d56300d2f7fd69166c7ed01acbeb1369558b9b3a18 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7307.exe
| MD5 | e0bfbd2dd58dc58e50dd5b84db144e68 |
| SHA1 | cb89406988b5d64853fb1d81ad87816065633515 |
| SHA256 | 9a5bdb013bca8525392c0b18a80064412aad9ae009ad1984c23e64f745a662ad |
| SHA512 | f1edaede3b6a28b1845b76c1ee5ec0f2fd63b6731b1b252c381c31795ea358d0f24f4e9662a8d5032986efce9a248b08440c50b3e9257606a27ecc5e8d0409bc |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0666.exe
| MD5 | d79592e215d83e404a236ccc61e987cd |
| SHA1 | 5e67bf7d6b8f99ae1f6fa8215437fa9538802f0e |
| SHA256 | a699c6c929b5e6156043d49ba19e77637b2961a13913b78e8409ca16d7930d1b |
| SHA512 | dacd0c2fc6d6d7fe36fcfdd31eb47b40c8bf36da05c413d8aae5e6929d4085ed6b06779281b81ee2bcbbebd0c21716e68a8580d34cafc7aee15e3df7a6c08f4b |