Analysis Overview
SHA256
4ad35be0162b9c88e44b8ddd41f91ad642ca51caca5eba0af45b6d211a7e6a5d
Threat Level: Known bad
The file 4ad35be0162b9c88e44b8ddd41f91ad642ca51caca5eba0af45b6d211a7e6a5d was found to be: Known bad.
Malicious Activity Summary
Healer family
Healer
RedLine payload
Detects Healer an antivirus disabler dropper
Redline family
RedLine
Modifies Windows Defender Real-time Protection settings
Executes dropped EXE
Windows security modification
Adds Run key to start application
Program crash
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 00:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 00:35
Reported
2024-11-10 00:37
Platform
win10v2004-20241007-en
Max time kernel
143s
Max time network
151s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr093387.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr093387.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr093387.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr093387.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr093387.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr093387.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un590812.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr093387.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu828940.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr093387.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr093387.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\4ad35be0162b9c88e44b8ddd41f91ad642ca51caca5eba0af45b6d211a7e6a5d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un590812.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr093387.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4ad35be0162b9c88e44b8ddd41f91ad642ca51caca5eba0af45b6d211a7e6a5d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un590812.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr093387.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu828940.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr093387.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr093387.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu828940.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4ad35be0162b9c88e44b8ddd41f91ad642ca51caca5eba0af45b6d211a7e6a5d.exe
"C:\Users\Admin\AppData\Local\Temp\4ad35be0162b9c88e44b8ddd41f91ad642ca51caca5eba0af45b6d211a7e6a5d.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un590812.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un590812.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr093387.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr093387.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4828 -ip 4828
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 1092
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu828940.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu828940.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.161.248.153:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| RU | 185.161.248.153:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| RU | 185.161.248.153:38452 | N/A | tcp |
| RU | 185.161.248.153:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| RU | 185.161.248.153:38452 | N/A | tcp |
| RU | 185.161.248.153:38452 | N/A | tcp |
| RU | 185.161.248.153:38452 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un590812.exe
| MD5 | 355793460c8e3754955d5a22f688f72a |
| SHA1 | 171deacc4a490abadd70df3d3557a0233c8537f1 |
| SHA256 | 5b151bce68b95ab35a8ac0e68e8275e9568eb7ff78f63c81b4ed39acb62e7762 |
| SHA512 | e0726a698545d1cfaa35420ccb121e5302768ad8e55f7666f60c8edbd23b8fb976a8c6ea927eb92ad28bb9099968a3e22b4326e61add1a96dc670f521f476adf |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr093387.exe
| MD5 | 3b5df25052b11fa0fd05ee79829cfbd3 |
| SHA1 | 6b001c39513cc5775253e58057ad596a76290e9d |
| SHA256 | 09931155bec8fbbd56a8ac0faa50455ecdecee80bf95ed053b6cf1b91b1e3cc6 |
| SHA512 | a0fe0c1a1a83e2576b12906539de871d0ce726ae5f04c4e98b8d8d671875ce9adb3f83b484dbdd56ab0996ce04718b04c512dae94a4fc88f0d738afcede3ab75 |
memory/4828-16-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4828-15-0x0000000002E00000-0x0000000002F00000-memory.dmp
memory/4828-17-0x0000000004BD0000-0x0000000004BEA000-memory.dmp
memory/4828-18-0x0000000000400000-0x0000000002BB4000-memory.dmp
memory/4828-19-0x0000000007210000-0x00000000077B4000-memory.dmp
memory/4828-20-0x0000000007140000-0x0000000007158000-memory.dmp
memory/4828-32-0x0000000007140000-0x0000000007152000-memory.dmp
memory/4828-48-0x0000000007140000-0x0000000007152000-memory.dmp
memory/4828-46-0x0000000007140000-0x0000000007152000-memory.dmp
memory/4828-44-0x0000000007140000-0x0000000007152000-memory.dmp
memory/4828-42-0x0000000007140000-0x0000000007152000-memory.dmp
memory/4828-40-0x0000000007140000-0x0000000007152000-memory.dmp
memory/4828-38-0x0000000007140000-0x0000000007152000-memory.dmp
memory/4828-36-0x0000000007140000-0x0000000007152000-memory.dmp
memory/4828-35-0x0000000007140000-0x0000000007152000-memory.dmp
memory/4828-30-0x0000000007140000-0x0000000007152000-memory.dmp
memory/4828-28-0x0000000007140000-0x0000000007152000-memory.dmp
memory/4828-26-0x0000000007140000-0x0000000007152000-memory.dmp
memory/4828-24-0x0000000007140000-0x0000000007152000-memory.dmp
memory/4828-22-0x0000000007140000-0x0000000007152000-memory.dmp
memory/4828-21-0x0000000007140000-0x0000000007152000-memory.dmp
memory/4828-49-0x0000000002E00000-0x0000000002F00000-memory.dmp
memory/4828-51-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4828-50-0x0000000000400000-0x0000000002BB4000-memory.dmp
memory/4828-53-0x0000000000400000-0x0000000002BB4000-memory.dmp
memory/4828-54-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu828940.exe
| MD5 | fb6e52bfa142536de1e94d6348cf3db7 |
| SHA1 | 66dd8caa27bff85706527e4d999753531865abf9 |
| SHA256 | dcb0957ce6316871a94984a6511103fb6189cdbc92d52ecc766faa0bcabaae3a |
| SHA512 | 55c54d04a76c56ba60b6e94d93e6e0c127257f9400f0f44f996bb46c59a2ed4141287378531ebd17c581b8ee2eac298b1ec6b1a8761d097790718f377096f8a2 |
memory/1136-59-0x0000000004AE0000-0x0000000004B1C000-memory.dmp
memory/1136-60-0x0000000004B80000-0x0000000004BBA000-memory.dmp
memory/1136-66-0x0000000004B80000-0x0000000004BB5000-memory.dmp
memory/1136-72-0x0000000004B80000-0x0000000004BB5000-memory.dmp
memory/1136-94-0x0000000004B80000-0x0000000004BB5000-memory.dmp
memory/1136-92-0x0000000004B80000-0x0000000004BB5000-memory.dmp
memory/1136-91-0x0000000004B80000-0x0000000004BB5000-memory.dmp
memory/1136-86-0x0000000004B80000-0x0000000004BB5000-memory.dmp
memory/1136-84-0x0000000004B80000-0x0000000004BB5000-memory.dmp
memory/1136-82-0x0000000004B80000-0x0000000004BB5000-memory.dmp
memory/1136-80-0x0000000004B80000-0x0000000004BB5000-memory.dmp
memory/1136-78-0x0000000004B80000-0x0000000004BB5000-memory.dmp
memory/1136-76-0x0000000004B80000-0x0000000004BB5000-memory.dmp
memory/1136-74-0x0000000004B80000-0x0000000004BB5000-memory.dmp
memory/1136-70-0x0000000004B80000-0x0000000004BB5000-memory.dmp
memory/1136-68-0x0000000004B80000-0x0000000004BB5000-memory.dmp
memory/1136-88-0x0000000004B80000-0x0000000004BB5000-memory.dmp
memory/1136-64-0x0000000004B80000-0x0000000004BB5000-memory.dmp
memory/1136-62-0x0000000004B80000-0x0000000004BB5000-memory.dmp
memory/1136-61-0x0000000004B80000-0x0000000004BB5000-memory.dmp
memory/1136-853-0x0000000009C80000-0x000000000A298000-memory.dmp
memory/1136-854-0x000000000A340000-0x000000000A352000-memory.dmp
memory/1136-855-0x000000000A360000-0x000000000A46A000-memory.dmp
memory/1136-856-0x000000000A490000-0x000000000A4CC000-memory.dmp
memory/1136-857-0x00000000048A0000-0x00000000048EC000-memory.dmp