Analysis Overview
SHA256
a64f130f8ca8dd338e3ca605dd002c70ceb9316c73e73918477f88886ebfdbea
Threat Level: Known bad
The file a64f130f8ca8dd338e3ca605dd002c70ceb9316c73e73918477f88886ebfdbea was found to be: Known bad.
Malicious Activity Summary
Healer family
RedLine payload
Detects Healer an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
RedLine
Healer
Redline family
Executes dropped EXE
Windows security modification
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 00:55
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 00:55
Reported
2024-11-10 00:58
Platform
win10v2004-20241007-en
Max time kernel
143s
Max time network
147s
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4694307.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4694307.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4694307.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4694307.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4694307.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4694307.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0980975.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1725387.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4242870.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0506147.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4694307.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2419047.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4694307.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4694307.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\a64f130f8ca8dd338e3ca605dd002c70ceb9316c73e73918477f88886ebfdbea.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0980975.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1725387.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4242870.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0506147.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4694307.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4242870.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0506147.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4694307.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2419047.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a64f130f8ca8dd338e3ca605dd002c70ceb9316c73e73918477f88886ebfdbea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0980975.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1725387.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4694307.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4694307.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\a64f130f8ca8dd338e3ca605dd002c70ceb9316c73e73918477f88886ebfdbea.exe | "C:\Users\Admin\AppData\Local\Temp\a64f130f8ca8dd338e3ca605dd002c70ceb9316c73e73918477f88886ebfdbea.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0980975.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0980975.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1725387.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1725387.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4242870.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4242870.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0506147.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0506147.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4694307.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4694307.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4076 -ip 4076 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 1004 |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2419047.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2419047.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| CY | 217.196.96.56:4138 | | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0980975.exe
| MD5 | 9a6ad5d68cc1f5628320668f751448d3 |
| SHA1 | 8980cbd9e792d8008d8790bf1183f31cc2f68059 |
| SHA256 | 843c3f065c74065f0bd971798c3b51a9094f40c529e4bd804784e9a6e200e78d |
| SHA512 | 90d618985e8504d79667d186cbc22d36d9eca6273becb1cc4c064e7cd3e56f67bd6bfebe02479aa91a870fb50693b4abb94d01ce56bcc1d1dbaef56bd0d7b71d |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1725387.exe
| MD5 | d1365cf32a2a5ffb2d0de5e547a86ac4 |
| SHA1 | f2a63f6358d748b82fbaae316461329f87f61a85 |
| SHA256 | e63b0fcdc4e0775eda7ee8a65c7159d4c2917f28d06104499aeeb83c94b5a3f6 |
| SHA512 | 1f314009a66c1386a6ea380458ee3dd38f4f972caf11a4f2e0fff37d1c962cdcaed6b9654467e9cce5fc82de6841bbe8da468fc7eaf2b25ea94309dad5328426 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4242870.exe
| MD5 | fee0d78da9d9e0dad30b42dc4e77f28c |
| SHA1 | 225327cf30237b56e2cb8416c1740419eece2b1e |
| SHA256 | fa11b78ae720dd778558c4fa04fd227dd36a345f61ef47331ca0216550670c03 |
| SHA512 | a1e751858bc33c64f2ca169204e750befb71bd67adb9af0a390ecc0bfaa7a4a66fe4fe3a564921d42851eef0764b4c1f72f8f5807467d19e60f23209c11d6023 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0506147.exe
| MD5 | e92c7bbd8a676bb507c8a6c719925511 |
| SHA1 | a53f60b355d98c0dcec0c25cb1f89e26c00f4597 |
| SHA256 | e4df181cb1b0c15da1d9da17f9d03be6ea7e1a0610a2a467bbc642c1c1b58f21 |
| SHA512 | 169ce1f2bfda419907e7087884154afa03b004216aed3dba62652485b8292788b001b2bcc2b8881ac007cb478f6d73df7699d0f68d2f7bf4bc500185978d9161 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4694307.exe
| MD5 | 3f907efe9d933c2f91ca529aa860aefc |
| SHA1 | 03e5427078314e367099b258336bfc9d79f00fba |
| SHA256 | 922be69be4725617b7b5789ba4a86420f9811575e287f680fab3039e6b908205 |
| SHA512 | b874d0fd2162f63ba25b8d13455108ac7de59e1d11b3c2d14f14445efde3dd6e4615ad9d57e4fd98c7a2a265f06a245bb9cb19a7150c67de0ef70ebf22b23d15 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2419047.exe
| MD5 | 008a9ccda1ec1e09754c5b607ef8008d |
| SHA1 | 32b5ac50d778bd22b4f2bdc4a75195c2fd145308 |
| SHA256 | b7856ce74bd7b42844ff63150ab37002b16898734219c37812428d18dbc84442 |
| SHA512 | f1fb9d973cb3743fc41eb3a104935ff7690f1860f0e028e0c06b6d0df67e5267a182a22100d75fcd499d73830361124bfe4267b114b82128e6938d3c943837eb |