Analysis Overview
SHA256
8b035a1e7ee98a3670a44591ba8d30d49bf73274321ebc2b51676499349c6b44
Threat Level: Known bad
The file 8b035a1e7ee98a3670a44591ba8d30d49bf73274321ebc2b51676499349c6b44 was found to be: Known bad.
Malicious Activity Summary
Healer
Healer family
RedLine payload
Redline family
Detects Healer an antivirus disabler dropper
RedLine
Modifies Windows Defender Real-time Protection settings
Windows security modification
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 00:49
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 00:49
Reported
2024-11-10 00:52
Platform
win10v2004-20241007-en
Max time kernel
144s
Max time network
148s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\74764761.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\74764761.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\74764761.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\74764761.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\74764761.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\74764761.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un771783.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\74764761.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk665501.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\74764761.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\74764761.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\8b035a1e7ee98a3670a44591ba8d30d49bf73274321ebc2b51676499349c6b44.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un771783.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\74764761.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un771783.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\74764761.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk665501.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8b035a1e7ee98a3670a44591ba8d30d49bf73274321ebc2b51676499349c6b44.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\74764761.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\74764761.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\74764761.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk665501.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8b035a1e7ee98a3670a44591ba8d30d49bf73274321ebc2b51676499349c6b44.exe
"C:\Users\Admin\AppData\Local\Temp\8b035a1e7ee98a3670a44591ba8d30d49bf73274321ebc2b51676499349c6b44.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un771783.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un771783.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\74764761.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\74764761.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2836 -ip 2836
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 1092
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk665501.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk665501.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | | tcp |
| RU | 185.161.248.143:38452 | | tcp |
| RU | 185.161.248.143:38452 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | | tcp |
| RU | 185.161.248.143:38452 | | tcp |
| RU | 185.161.248.143:38452 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un771783.exe
| MD5 | 9fd582872b21db51a808edf3a9407e50 |
| SHA1 | 87658bf5dbce3903fb5e8191c23d96276450d6a6 |
| SHA256 | 3366e08d619e07b23c340049abc46daa44ea53232f08774bd00b5be6da8901dc |
| SHA512 | fae9c7b16c183ed7042de40af16880565ba8fa1e057e977e15a460c04d689f4700042d5f9064856b9e459df6ae06900563ca25b0fe5f409cc24d30e51c20a1ca |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\74764761.exe
| MD5 | 59ae2313425ea294c6be8ba8d5bf32e9 |
| SHA1 | 0d3d25dfd16aba31404a2efe5397907fee75b7f1 |
| SHA256 | 0db6a1c879f0863f86bc45bdfd1ced2d70e4e898c786a1a817216af9a736f4b6 |
| SHA512 | bc251ed6a361597b94715c6db5be365757145e6bb48e8f1348d465806e61bc89867cbc4276c3eb3c2c62ddb289fea7fbca33a9e7df121b756078d5b7f2602808 |
memory/2836-15-0x0000000002D90000-0x0000000002E90000-memory.dmp
memory/2836-16-0x0000000002D40000-0x0000000002D6D000-memory.dmp
memory/2836-17-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2836-18-0x0000000004A40000-0x0000000004A5A000-memory.dmp
memory/2836-19-0x0000000007150000-0x00000000076F4000-memory.dmp
memory/2836-20-0x0000000007700000-0x0000000007718000-memory.dmp
memory/2836-21-0x0000000007700000-0x0000000007713000-memory.dmp
memory/2836-28-0x0000000007700000-0x0000000007713000-memory.dmp
memory/2836-48-0x0000000007700000-0x0000000007713000-memory.dmp
memory/2836-46-0x0000000007700000-0x0000000007713000-memory.dmp
memory/2836-44-0x0000000007700000-0x0000000007713000-memory.dmp
memory/2836-42-0x0000000007700000-0x0000000007713000-memory.dmp
memory/2836-40-0x0000000007700000-0x0000000007713000-memory.dmp
memory/2836-38-0x0000000007700000-0x0000000007713000-memory.dmp
memory/2836-36-0x0000000007700000-0x0000000007713000-memory.dmp
memory/2836-34-0x0000000007700000-0x0000000007713000-memory.dmp
memory/2836-32-0x0000000007700000-0x0000000007713000-memory.dmp
memory/2836-30-0x0000000007700000-0x0000000007713000-memory.dmp
memory/2836-26-0x0000000007700000-0x0000000007713000-memory.dmp
memory/2836-24-0x0000000007700000-0x0000000007713000-memory.dmp
memory/2836-22-0x0000000007700000-0x0000000007713000-memory.dmp
memory/2836-49-0x0000000002D90000-0x0000000002E90000-memory.dmp
memory/2836-51-0x0000000002D40000-0x0000000002D6D000-memory.dmp
memory/2836-50-0x0000000000400000-0x0000000002B99000-memory.dmp
memory/2836-52-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2836-55-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk665501.exe
| MD5 | 5b8cfae2a0df6b0cd6e5d76e719c75d4 |
| SHA1 | 6b963fe07998da2be67816741d15997b96b0cdb9 |
| SHA256 | 06b82fef735ee7c8f35bfb5a0af65216545553ac55ea869c764f58bf40996c84 |
| SHA512 | 50cca39583e5e25fa6415108456ee0e45e6bb6dafa6510f324c3efc359a7d636b112d14603d136f049dcfa2936480e66fb850d761e80e2b5201f58979b029b38 |
memory/2836-54-0x0000000000400000-0x0000000002B99000-memory.dmp
memory/3156-60-0x0000000004CA0000-0x0000000004CDC000-memory.dmp
memory/3156-61-0x0000000007180000-0x00000000071BA000-memory.dmp
memory/3156-65-0x0000000007180000-0x00000000071B5000-memory.dmp
memory/3156-73-0x0000000007180000-0x00000000071B5000-memory.dmp
memory/3156-96-0x0000000007180000-0x00000000071B5000-memory.dmp
memory/3156-93-0x0000000007180000-0x00000000071B5000-memory.dmp
memory/3156-91-0x0000000007180000-0x00000000071B5000-memory.dmp
memory/3156-89-0x0000000007180000-0x00000000071B5000-memory.dmp
memory/3156-87-0x0000000007180000-0x00000000071B5000-memory.dmp
memory/3156-85-0x0000000007180000-0x00000000071B5000-memory.dmp
memory/3156-83-0x0000000007180000-0x00000000071B5000-memory.dmp
memory/3156-81-0x0000000007180000-0x00000000071B5000-memory.dmp
memory/3156-79-0x0000000007180000-0x00000000071B5000-memory.dmp
memory/3156-77-0x0000000007180000-0x00000000071B5000-memory.dmp
memory/3156-75-0x0000000007180000-0x00000000071B5000-memory.dmp
memory/3156-71-0x0000000007180000-0x00000000071B5000-memory.dmp
memory/3156-69-0x0000000007180000-0x00000000071B5000-memory.dmp
memory/3156-67-0x0000000007180000-0x00000000071B5000-memory.dmp
memory/3156-63-0x0000000007180000-0x00000000071B5000-memory.dmp
memory/3156-62-0x0000000007180000-0x00000000071B5000-memory.dmp
memory/3156-854-0x0000000009CC0000-0x000000000A2D8000-memory.dmp
memory/3156-855-0x000000000A330000-0x000000000A342000-memory.dmp
memory/3156-856-0x000000000A350000-0x000000000A45A000-memory.dmp
memory/3156-857-0x000000000A470000-0x000000000A4AC000-memory.dmp
memory/3156-858-0x0000000004C10000-0x0000000004C5C000-memory.dmp