Analysis Overview
SHA256
574a753382ff4f9dea5eb6792a1e462b495478db830e75176c65c14fadeb7fb0
Threat Level: Known bad
The file 574a753382ff4f9dea5eb6792a1e462b495478db830e75176c65c14fadeb7fb0 was found to be: Known bad.
Malicious Activity Summary
Detects Healer, an antivirus-disabler dropper
Healer family
Modifies Windows Defender Real-time Protection settings
RedLine payload
Redline family
RedLine
Healer
Windows security modification
Executes dropped EXE
Adds Run key to start application
Program crash
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 00:54
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 00:54
Reported
2024-11-10 00:57
Platform
win10v2004-20241007-en
Max time kernel
144s
Max time network
151s
Command Line
Signatures
Detects Healer, an antivirus-disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(17 matches reported; the report records no indicator, process or target for any of them.)
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4721.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4721.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4721.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4721.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4721.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4721.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(20 matches reported; the report records no indicator, process or target for any of them.)
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un676782.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4721.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3189.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4721.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4721.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\574a753382ff4f9dea5eb6792a1e462b495478db830e75176c65c14fadeb7fb0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un676782.exe | N/A |
Both entries are the standard cleanup hook of the Windows self-extractor (wextract/IExpress): the IXP00n.TMP folder names are its temp-directory convention, and RunOnce\wextract_cleanupN calls advpack.dll's DelNodeRunDLL32 to delete that folder at the next logon. They remove the two nested droppers' staging directories rather than persist a payload; no Run or RunOnce entry pointing at pro4721.exe or qu3189.exe is recorded.
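The two Windows Defender tables and the RunOnce entries above record value writes in the sandbox's own indicator format. The Python below is added for this page and is not the sandbox vendor's tooling or the report's own output: it parses those indicator strings, folds the kernel-style and WOW6432Node key spellings into one form so a 32-bit writer (as the WOW6432Node paths and SysWOW64\WerFault.exe indicate pro4721.exe is) hits the same rule as a 64-bit one, and scores each write. The five Real-Time Protection policy values and TamperProtection=0 are scored as Defender tampering, the two wextract_cleanup entries as self-extractor cleanup. Indicator strings are copied from the report's tables; the one row marked CONSTRUCTED is invented to show how an ordinary RunOnce autorun would score, and the severity labels are this example's own assumption.

```python
"""Classify the registry writes recorded in this report.

Added example for this page, not tooling from the sandbox vendor. Indicator
strings are copied from the report's tables; the single row marked
CONSTRUCTED is made up to exercise the generic-autorun branch.
"""
import re
from typing import Iterable, List, Optional, Tuple

# Values under ...\Policies\Microsoft\Windows Defender\Real-Time Protection
# whose data "1" switches off one real-time protection component.
RTP_DISABLE_VALUES = {
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableRealtimeMonitoring",
    "DisableScanOnRealtimeEnable",
}
RTP_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEATURES_KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features"
RUNONCE_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"


def normalize_key(path: str) -> str:
    """Fold \\REGISTRY\\MACHINE, HKEY_LOCAL_MACHINE and WOW6432Node spellings
    into one lower-cased HKLM form, so a 32-bit writer hits the same rule as
    a 64-bit one."""
    p = re.sub(r"^\\?REGISTRY\\MACHINE", "HKLM", path, flags=re.I)
    p = re.sub(r"^HKEY_LOCAL_MACHINE", "HKLM", p, flags=re.I)
    p = re.sub(r"\\WOW6432Node(?=\\)", "", p, flags=re.I)
    return p.rstrip("\\").lower()


def parse_indicator(indicator: str) -> Optional[Tuple[str, str, str]]:
    """Split a 'Set value' indicator '<key>\\<name> = "<data>"' into
    (key, name, data). 'Key created' rows carry no ' = ' and yield None."""
    if " = " not in indicator:
        return None
    path, data = indicator.split(" = ", 1)
    key, _, name = path.rpartition("\\")
    return key, name, data.strip().strip('"')


def classify(indicator: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for a value write, or None when no rule fires."""
    parsed = parse_indicator(indicator)
    if parsed is None:
        return None
    key, name, data = parsed
    key = normalize_key(key)
    if key == RTP_KEY.lower() and name in RTP_DISABLE_VALUES and data == "1":
        return "high", f"Defender real-time protection disabled by policy: {name}=1"
    if key == FEATURES_KEY.lower() and name == "TamperProtection" and data == "0":
        return "high", "Defender TamperProtection set to 0"
    if key == RUNONCE_KEY.lower():
        # wextract writes RunOnce\wextract_cleanupN -> advpack.dll,DelNodeRunDLL32
        # to delete its IXP00n.TMP folder at next logon: cleanup, not persistence.
        if re.fullmatch(r"wextract_cleanup\d+", name, re.I) and "DelNodeRunDLL32" in data:
            return "info", f"wextract self-extractor cleanup entry: {name}"
        return "medium", f"RunOnce autorun added: {name}"
    return None


def scan(rows: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """rows: (indicator, writing process). Returns (severity, reason, process)."""
    hits = []
    for indicator, process in rows:
        hit = classify(indicator)
        if hit is not None:
            hits.append((hit[0], hit[1], process))
    return hits


# Paths and indicators below are copied from the report's tables.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\574a753382ff4f9dea5eb6792a1e462b495478db830e75176c65c14fadeb7fb0.exe"
UN = r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un676782.exe"
PRO = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4721.exe"
RTP_RAW = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEAT_RAW = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features"
RUNONCE_RAW = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
CLEANUP = r'"rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP00{n}.TMP\\\""'

REPORT_ROWS = [
    (RTP_RAW, PRO),                                          # Key created
    *[(f'{RTP_RAW}\\{v} = "1"', PRO) for v in sorted(RTP_DISABLE_VALUES)],
    (FEAT_RAW, PRO),                                         # Key created
    (f'{FEAT_RAW}\\TamperProtection = "0"', PRO),
    (f"{RUNONCE_RAW}\\wextract_cleanup0 = " + CLEANUP.format(n=0), DROPPER),
    (f"{RUNONCE_RAW}\\wextract_cleanup1 = " + CLEANUP.format(n=1), UN),
    # CONSTRUCTED: not in the report; shows how a genuine RunOnce autorun scores.
    (f'{RUNONCE_RAW}\\Updater = "C:\\Users\\Admin\\AppData\\Roaming\\updater.exe"',
     r"C:\Users\Admin\AppData\Roaming\updater.exe"),
]

if __name__ == "__main__":
    for severity, reason, process in scan(REPORT_ROWS):
        print(f"[{severity:6}] {reason}  <- {process}")
```

Run stand-alone it prints six high-severity Defender writes, all from pro4721.exe, two informational wextract cleanup entries and the one constructed autorun. Two caveats when reusing the rules on live telemetry: the report records the values being written, not whether Defender honoured them, and on a host with Tamper Protection enabled Defender is designed to ignore such direct registry changes; and some of these keys are WOW64-shared, so query both the native and WOW6432Node views rather than relying on the spelling a 32-bit writer produced.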
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4721.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\574a753382ff4f9dea5eb6792a1e462b495478db830e75176c65c14fadeb7fb0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un676782.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4721.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3189.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4721.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4721.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4721.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3189.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\574a753382ff4f9dea5eb6792a1e462b495478db830e75176c65c14fadeb7fb0.exe
"C:\Users\Admin\AppData\Local\Temp\574a753382ff4f9dea5eb6792a1e462b495478db830e75176c65c14fadeb7fb0.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un676782.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un676782.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4721.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4721.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3672 -ip 3672
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 1080
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3189.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3189.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| RU | 176.113.115.145:4125 | | tcp |
The only non-DNS traffic is six TCP connections to 176.113.115.145:4125 (RU); the destination is contacted by IP and no forward lookup for it appears in the table. The remaining rows are reverse (PTR) lookups sent to 8.8.8.8 for unrelated addresses.
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un676782.exe
| MD5 | e8c0157300b3705d2c72104de670655c |
| SHA1 | aa6129cf0823ce61f03e326e3b9b1b78c3aa5a5f |
| SHA256 | 2d76fa6e21b6648c25fd6bad3f651688289c826caac1df16658f8557deccd3eb |
| SHA512 | 0514cbd5e86fa396707f7bf49c39e721e5b64ec07f2aa2c1d79a665a22ab2d1745be03c365cd9f84e5d78fcc785c7c0a721897b8e9874fb116a7b1041f968011 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4721.exe
| MD5 | bc64a40a5f6d6293540b10f2d3a93bce |
| SHA1 | dcd1552d439786ae445cec36af5f438ea7f52ab8 |
| SHA256 | 588c29046d905c33e9491deeda2ec2664953ee56ff851e8d08f389e125e637f0 |
| SHA512 | 51f2b046619235f9dd961dd5e8e4f07aac04a0fca75770dc331370efa291ab9551cc0073302b4481f549571f6a8283f57b4dce7f2060963d8b8a6463676abd85 |
memory/3672-15-0x0000000000840000-0x0000000000940000-memory.dmp
memory/3672-16-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3672-17-0x0000000000400000-0x00000000004B1000-memory.dmp
memory/3672-18-0x0000000000400000-0x00000000004B1000-memory.dmp
memory/3672-19-0x0000000002280000-0x000000000229A000-memory.dmp
memory/3672-20-0x0000000004E50000-0x00000000053F4000-memory.dmp
memory/3672-21-0x0000000002470000-0x0000000002488000-memory.dmp
memory/3672-33-0x0000000002470000-0x0000000002482000-memory.dmp
memory/3672-47-0x0000000002470000-0x0000000002482000-memory.dmp
memory/3672-49-0x0000000002470000-0x0000000002482000-memory.dmp
memory/3672-45-0x0000000002470000-0x0000000002482000-memory.dmp
memory/3672-43-0x0000000002470000-0x0000000002482000-memory.dmp
memory/3672-41-0x0000000002470000-0x0000000002482000-memory.dmp
memory/3672-39-0x0000000002470000-0x0000000002482000-memory.dmp
memory/3672-37-0x0000000002470000-0x0000000002482000-memory.dmp
memory/3672-35-0x0000000002470000-0x0000000002482000-memory.dmp
memory/3672-31-0x0000000002470000-0x0000000002482000-memory.dmp
memory/3672-30-0x0000000002470000-0x0000000002482000-memory.dmp
memory/3672-27-0x0000000002470000-0x0000000002482000-memory.dmp
memory/3672-25-0x0000000002470000-0x0000000002482000-memory.dmp
memory/3672-23-0x0000000002470000-0x0000000002482000-memory.dmp
memory/3672-22-0x0000000002470000-0x0000000002482000-memory.dmp
memory/3672-50-0x0000000000840000-0x0000000000940000-memory.dmp
memory/3672-51-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3672-54-0x0000000000400000-0x00000000004B1000-memory.dmp
memory/3672-55-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3189.exe
| MD5 | 84060c0509dc244e0ac7c957864d9824 |
| SHA1 | 94cea3d6cdb604a825704b3f6de3dd45c2488c14 |
| SHA256 | a4527dd3ef55bf8235f24a68419531cd81b3b525bd7eda98513e29af562798af |
| SHA512 | 5990e70506005e0e8a0303ca82f7f92b030bedc61f967bb31d5c6a7d67705ac14ac2662e06b2d0f11766e311dcd715d0c65e3b10bbea7f4d9a70083625c315cc |
memory/4604-60-0x0000000004A20000-0x0000000004A66000-memory.dmp
memory/4604-61-0x0000000004AA0000-0x0000000004AE4000-memory.dmp
memory/4604-81-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
memory/4604-79-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
memory/4604-93-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
memory/4604-92-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
memory/4604-89-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
memory/4604-87-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
memory/4604-85-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
memory/4604-83-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
memory/4604-77-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
memory/4604-75-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
memory/4604-73-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
memory/4604-71-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
memory/4604-95-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
memory/4604-69-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
memory/4604-67-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
memory/4604-65-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
memory/4604-63-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
memory/4604-62-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
memory/4604-968-0x0000000005100000-0x0000000005718000-memory.dmp
memory/4604-969-0x0000000005790000-0x000000000589A000-memory.dmp
memory/4604-970-0x00000000058D0000-0x00000000058E2000-memory.dmp
memory/4604-971-0x00000000058F0000-0x000000000592C000-memory.dmp
memory/4604-972-0x0000000005A40000-0x0000000005A8C000-memory.dmp