Analysis Overview
SHA256
59d63b343e8bf5ab473d81e4be90a05917cd5170140ce4384196a3834977994d
Threat Level: Known bad
The file 59d63b343e8bf5ab473d81e4be90a05917cd5170140ce4384196a3834977994d was found to be: Known bad.
Malicious Activity Summary
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
RedLine payload
Detects Healer an antivirus disabler dropper
RedLine
Redline family
Windows security modification
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 00:38
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 00:38
Reported
2024-11-10 00:40
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2788.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2788.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2788.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2788.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2788.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2788.exe | N/A |
RedLine
RedLine payload
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un561695.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2788.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9703.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2788.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2788.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\59d63b343e8bf5ab473d81e4be90a05917cd5170140ce4384196a3834977994d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un561695.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2788.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\59d63b343e8bf5ab473d81e4be90a05917cd5170140ce4384196a3834977994d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un561695.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2788.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9703.exe | N/A |
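The registry rows in the tables above (Defender Real-Time Protection policy values, the TamperProtection write, the two RunOnce entries and the NLS\Language lookups) can be triaged mechanically. The script below is an added example, not part of the sandbox report: it parses rows in the pipe-table form rendered on this page, folds the WOW6432Node view into a canonical HKLM path for matching, decodes the quoted value as a JSON string literal (an assumption about how this page renders values; it is what makes the escaped rundll32 command readable), and labels each row with a category name of our choosing. Two caveats it encodes: the RunOnce entries are wextract (IExpress) self-cleanup of the IXP000.TMP/IXP001.TMP staging directories via advpack!DelNodeRunDLL32, not persistence, so the "Adds Run key" signature should be read that way; and a recorded write of TamperProtection = 0 is an attempt, which Defender blocks on a host where Tamper Protection is on.

```python
"""Added example, not part of the sandbox report: classify the registry
rows from the behavioral1 tables into the behaviours they evidence.

Assumptions: rows are pipe tables exactly as rendered on this page
(Description | Indicator | Process | Target); the indicator is a key
path or "path = value"; values are rendered as JSON string literals.
Category names are ours; value names and paths are the report's.
"""
import json
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Real-Time Protection policy values the dropper sets to 1 (from the report).
RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring", "DisableBehaviorMonitoring",
    "DisableIOAVProtection", "DisableOnAccessProtection",
    "DisableScanOnRealtimeEnable",
}
RTP_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEATURES_KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features"
NLS_LANGUAGE_KEY = r"HKLM\SYSTEM\ControlSet001\Control\NLS\Language"
# advpack!DelNodeRunDLL32 deletes the quoted directory tree; wextract
# registers it under RunOnce to remove its own IXP###.TMP staging dir.
CLEANUP_RE = re.compile(r'advpack\.dll,DelNodeRunDLL32\s+"([^"]+)"')


@dataclass(frozen=True)
class Finding:
    category: str
    process: str   # basename of the process that performed the action
    detail: str


def canonical(path: str) -> str:
    """Rewrite the sandbox's native path to the HKLM form analysts read.

    WOW6432Node is folded away only for matching. On a live host check
    both views: which one a 32-bit writer reaches depends on whether the
    key is redirected or shared.
    """
    path = path.replace("\\REGISTRY\\MACHINE\\", "HKLM\\")
    return path.replace("SOFTWARE\\WOW6432Node\\", "SOFTWARE\\")


def decode_value(raw: str) -> str:
    """Values are JSON string literals on this page; fall back to raw text."""
    try:
        return str(json.loads(raw))
    except ValueError:
        return raw.strip().strip('"')


def classify(action: str, indicator: str, process: str) -> Optional[Finding]:
    proc = process.rsplit("\\", 1)[-1]
    path, _, raw_value = indicator.partition(" = ")
    path = canonical(path.strip())
    value = decode_value(raw_value.strip())
    key, _, name = path.rpartition("\\")
    if action == "Key created" and path == RTP_KEY:
        return Finding("defender_policy_key_created", proc, path)
    if key == RTP_KEY and name in RTP_DISABLE_VALUES and value == "1":
        return Finding("defender_rtp_disabled", proc, name)
    if key == FEATURES_KEY and name == "TamperProtection" and value == "0":
        # With Tamper Protection on, Defender blocks this write; the report
        # records the attempt, not whether it took effect.
        return Finding("tamper_protection_off", proc, name)
    if key.endswith("\\CurrentVersion\\RunOnce") or key.endswith("\\CurrentVersion\\Run"):
        m = CLEANUP_RE.search(value)
        if m:  # self-extractor cleanup, not persistence
            return Finding("wextract_cleanup", proc, m.group(1))
        return Finding("run_key_added", proc, name)
    if action == "Key opened" and path == NLS_LANGUAGE_KEY:
        return Finding("locale_check", proc, path)
    return None


def triage(rows: str) -> list:
    findings = []
    for line in rows.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3 or cells[0] == "Description":
            continue
        found = classify(cells[0], cells[1], cells[2])
        if found:
            findings.append(found)
    return findings


def summarize(findings) -> dict:
    return dict(Counter(f.category for f in findings))


# Rows copied from the behavioral1 tables above (NLS rows trimmed to two).
ROWS = r"""
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2788.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2788.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2788.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2788.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2788.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2788.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2788.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\59d63b343e8bf5ab473d81e4be90a05917cd5170140ce4384196a3834977994d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un561695.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\59d63b343e8bf5ab473d81e4be90a05917cd5170140ce4384196a3834977994d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9703.exe | N/A |
"""

if __name__ == "__main__":
    for f in triage(ROWS):
        print(f"{f.category:28} {f.process:14} {f.detail}")
```

Running it groups every Defender write under pro2788.exe, resolves both RunOnce values to the IXP000.TMP and IXP001.TMP directories they delete, and leaves the NLS lookups as a separate locale-check bucket. Feed it real Sysmon Event ID 12/13 data by mapping EventType, TargetObject and Image onto the three cells.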
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2788.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2788.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2788.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9703.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\59d63b343e8bf5ab473d81e4be90a05917cd5170140ce4384196a3834977994d.exe | "C:\Users\Admin\AppData\Local\Temp\59d63b343e8bf5ab473d81e4be90a05917cd5170140ce4384196a3834977994d.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un561695.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un561695.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2788.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2788.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3360 -ip 3360 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 1020 |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9703.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9703.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 193.233.20.33:4125 | | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| RU | 193.233.20.33:4125 | | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| RU | 193.233.20.33:4125 | | tcp |
| RU | 193.233.20.33:4125 | | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| RU | 193.233.20.33:4125 | | tcp |
| RU | 193.233.20.33:4125 | | tcp |
| US | 8.8.8.8:53 | | udp |
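Everything in the Network table except the six connections to 193.233.20.33:4125 is a DNS query to 8.8.8.8, and every named query is a PTR lookup (an in-addr.arpa name). The script below is an added example, not part of the sandbox report: it decodes each PTR name back to the address the guest was resolving (the only place those addresses appear), counts TCP peers, and applies a rule of our own choosing, repeated TCP to a port other than 80 or 443, to pick out beacon candidates. The parser accepts both the aligned table above and the shifted form in which "tcp" lands in the Domain column. Check the decoded addresses against your own allow-list of OS and CDN ranges before treating any of them as attacker infrastructure.

```python
"""Added example, not part of the sandbox report: read the Network
table and separate reverse-DNS noise from the single TCP peer.

Assumptions: rows are pipe tables as rendered on this page, with an
empty Domain cell for raw TCP flows (the shifted form is tolerated).
The beacon rule (repeated TCP to a non-web port) is ours.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Optional

WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Flow:
    country: str
    dest: str      # "ip:port"
    domain: str    # queried name, empty for raw TCP
    proto: str


def parse_row(line: str) -> Optional[Flow]:
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) < 3 or cells[0] == "Country":
        return None
    rest = [c for c in cells[2:] if c]          # drop empty cells
    proto = rest[-1].lower() if rest else ""
    domain = rest[0] if len(rest) > 1 else ""
    return Flow(cells[0], cells[1], domain, proto)


def ptr_to_ip(name: str) -> Optional[str]:
    """'209.205.72.20.in-addr.arpa' -> '20.72.205.209'."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ValueError:
        return None


def summarize(rows: str) -> dict:
    flows = [f for f in map(parse_row, rows.strip().splitlines()) if f]
    ptr_targets, tcp_peers = [], Counter()
    for f in flows:
        if f.proto == "udp" and f.dest.endswith(":53"):
            ip = ptr_to_ip(f.domain)
            if ip:
                ptr_targets.append(ip)
        elif f.proto == "tcp":
            tcp_peers[(f.dest, f.country)] += 1
    beacons = [
        dest for (dest, _), n in tcp_peers.items()
        if n >= 2 and int(dest.rsplit(":", 1)[1]) not in WEB_PORTS
    ]
    return {"ptr_targets": ptr_targets, "tcp_peers": dict(tcp_peers),
            "beacon_candidates": beacons}


# Rows copied from the Network table above.
ROWS = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 193.233.20.33:4125 | | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| RU | 193.233.20.33:4125 | tcp | |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| RU | 193.233.20.33:4125 | | tcp |
| RU | 193.233.20.33:4125 | | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| RU | 193.233.20.33:4125 | | tcp |
| RU | 193.233.20.33:4125 | | tcp |
| US | 8.8.8.8:53 | udp |
"""

if __name__ == "__main__":
    result = summarize(ROWS)
    print("PTR targets:", ", ".join(result["ptr_targets"]))
    print("TCP peers:", result["tcp_peers"])
    print("Beacon candidates:", result["beacon_candidates"])
```

The output names 193.233.20.33:4125 as the only beacon candidate and lists eleven decoded PTR targets; the remaining DNS row has no name and is skipped.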
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un561695.exe
| MD5 | f4d5ed4dd5dec4d282cf0c038e6d145b |
| SHA1 | 8d78e0378ee3fd485cfde1829cb52f28f942b302 |
| SHA256 | a2ff79f31deafd7da7e9fd99abc0c837f1938c71da15a4cd4213104aa81906d3 |
| SHA512 | 70ccc1b31087e5b7ef75c8dd3f2001c88e9c3fe1bdcbc20d8fb88bd9e5192fd40cda07c0e9d34e0246602b9f7dbe0eeccbd9f41d6a577276430c284d5c2bb264 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2788.exe
| MD5 | 57cd27197396bb1efaefd85c129de708 |
| SHA1 | 46493512f479e688d7b75249f308aea290ef5975 |
| SHA256 | 7d7b13e6cc503a379ab9874d67f791f57dea7a108431b71d04db8efe3abd6b76 |
| SHA512 | 9b26675486d69945efdfbbdbce3f158117ce35a496c9f68537e99765f79b002e530b9a769f22a7282661a4085b50089d2458256d9728f9cc58505f8276ffcaa6 |
memory/3360-15-0x0000000000940000-0x0000000000A40000-memory.dmp
memory/3360-17-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3360-16-0x0000000000850000-0x000000000087D000-memory.dmp
memory/3360-18-0x0000000000400000-0x0000000000710000-memory.dmp
memory/3360-19-0x0000000002570000-0x000000000258A000-memory.dmp
memory/3360-20-0x0000000004D40000-0x00000000052E4000-memory.dmp
memory/3360-21-0x0000000004C90000-0x0000000004CA8000-memory.dmp
memory/3360-22-0x0000000004C90000-0x0000000004CA2000-memory.dmp
memory/3360-49-0x0000000004C90000-0x0000000004CA2000-memory.dmp
memory/3360-48-0x0000000004C90000-0x0000000004CA2000-memory.dmp
memory/3360-45-0x0000000004C90000-0x0000000004CA2000-memory.dmp
memory/3360-44-0x0000000004C90000-0x0000000004CA2000-memory.dmp
memory/3360-41-0x0000000004C90000-0x0000000004CA2000-memory.dmp
memory/3360-39-0x0000000004C90000-0x0000000004CA2000-memory.dmp
memory/3360-37-0x0000000004C90000-0x0000000004CA2000-memory.dmp
memory/3360-35-0x0000000004C90000-0x0000000004CA2000-memory.dmp
memory/3360-33-0x0000000004C90000-0x0000000004CA2000-memory.dmp
memory/3360-31-0x0000000004C90000-0x0000000004CA2000-memory.dmp
memory/3360-27-0x0000000004C90000-0x0000000004CA2000-memory.dmp
memory/3360-25-0x0000000004C90000-0x0000000004CA2000-memory.dmp
memory/3360-23-0x0000000004C90000-0x0000000004CA2000-memory.dmp
memory/3360-29-0x0000000004C90000-0x0000000004CA2000-memory.dmp
memory/3360-50-0x0000000000940000-0x0000000000A40000-memory.dmp
memory/3360-51-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3360-55-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3360-54-0x0000000000400000-0x0000000000710000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9703.exe
| MD5 | 64a066aeb20f1bcfe39b5661230e40d8 |
| SHA1 | 9b6355f403800020ffe98d8391d554e64b20f793 |
| SHA256 | f7df0fadafc631d9201fdfb1ddd373a05e1eea8429ba99eb5ae285a2fee40936 |
| SHA512 | 5eb1d9996f19a4515ce94dd5fa9f686eb21487f3d84a4d84951555ec923f63ea7cc48228b5b7e7ffa9c30885a8001686c87650a9884b003d44b58407729b9062 |
memory/1336-60-0x0000000004C70000-0x0000000004CB6000-memory.dmp
memory/1336-61-0x0000000004CF0000-0x0000000004D34000-memory.dmp
memory/1336-73-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
memory/1336-77-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
memory/1336-75-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
memory/1336-71-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
memory/1336-69-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
memory/1336-67-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
memory/1336-89-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
memory/1336-65-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
memory/1336-63-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
memory/1336-62-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
memory/1336-95-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
memory/1336-93-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
memory/1336-91-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
memory/1336-87-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
memory/1336-85-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
memory/1336-83-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
memory/1336-81-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
memory/1336-79-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
memory/1336-968-0x0000000005390000-0x00000000059A8000-memory.dmp
memory/1336-969-0x00000000059E0000-0x0000000005AEA000-memory.dmp
memory/1336-970-0x0000000005B20000-0x0000000005B32000-memory.dmp
memory/1336-971-0x0000000005B40000-0x0000000005B7C000-memory.dmp
memory/1336-972-0x0000000005CD0000-0x0000000005D1C000-memory.dmp
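The memory dumps above are listed under the dropped file they were taken from, and their names carry the PID (3360 for pro2788.exe, which is also the PID WerFault was invoked with, and 1336 for qu9703.exe). Most are repeated snapshots of the same region. The script below is an added example, not part of the sandbox report: it parses the dump names, attaches them to the file heading they sit under, collapses repeats into distinct regions with sizes, reports bases that were dumped with more than one extent (0x400000 in pro2788.exe appears as both 0x30000 and 0x310000 bytes, which means either the mapping at that base changed between snapshots or the sandbox dumped a different extent; either way those are the dumps to open first), and reads the crashing PID out of the WerFault command line. The dump-name pattern and the meaning of WerFault's -p argument are assumptions taken from what the page shows.

```python
"""Added example, not part of the sandbox report: attach the memory
dumps to a PID, reduce repeated snapshots to distinct regions, and tie
the WerFault command line to the process that crashed.

Assumptions: dump names follow memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp
and are listed beneath the file they were taken from; WerFault's -p
argument is the crashing PID.  The sample is a trimmed copy of the
Files section above.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
FILE_RE = re.compile(r"^[A-Za-z]:\\")
WERFAULT_PID_RE = re.compile(r"WerFault\.exe\b.*?\s-p\s+(\d+)")


@dataclass(frozen=True)
class Region:
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_dumps(section: str) -> dict:
    """Return {(file basename, pid): [Region, ...]} in listing order."""
    dumps, current = defaultdict(list), None
    for line in section.strip().splitlines():
        line = line.strip()
        if FILE_RE.match(line):          # a file heading starts a new group
            current = line.rsplit("\\", 1)[-1]
            continue
        m = DUMP_RE.match(line)
        if m and current:
            pid, _seq, start, end = m.groups()
            dumps[(current, int(pid))].append(Region(int(start, 16), int(end, 16)))
    return dict(dumps)


def distinct_regions(regions) -> list:
    """Drop repeated snapshots of the same (start, end), keeping first-seen order."""
    seen, out = set(), []
    for r in regions:
        if r not in seen:
            seen.add(r)
            out.append(r)
    return out


def resized_bases(regions) -> dict:
    """Bases dumped with more than one extent: {start: [size, ...]}."""
    sizes = defaultdict(list)
    for r in distinct_regions(regions):
        sizes[r.start].append(r.size)
    return {start: s for start, s in sizes.items() if len(s) > 1}


def crashed_pid(command_line: str) -> Optional[int]:
    m = WERFAULT_PID_RE.search(command_line)
    return int(m.group(1)) if m else None


# Trimmed copy of the Files section above (hash rows are ignored).
FILES_SECTION = r"""
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2788.exe
| MD5 | 57cd27197396bb1efaefd85c129de708 |
memory/3360-15-0x0000000000940000-0x0000000000A40000-memory.dmp
memory/3360-17-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3360-18-0x0000000000400000-0x0000000000710000-memory.dmp
memory/3360-21-0x0000000004C90000-0x0000000004CA8000-memory.dmp
memory/3360-22-0x0000000004C90000-0x0000000004CA2000-memory.dmp
memory/3360-23-0x0000000004C90000-0x0000000004CA2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9703.exe
| MD5 | 64a066aeb20f1bcfe39b5661230e40d8 |
memory/1336-60-0x0000000004C70000-0x0000000004CB6000-memory.dmp
memory/1336-61-0x0000000004CF0000-0x0000000004D34000-memory.dmp
memory/1336-62-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
memory/1336-968-0x0000000005390000-0x00000000059A8000-memory.dmp
"""

if __name__ == "__main__":
    print("crashed PID:", crashed_pid(r"C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 1020"))
    for (name, pid), regions in parse_dumps(FILES_SECTION).items():
        print(f"{name} (pid {pid}): {len(regions)} dumps, "
              f"{len(distinct_regions(regions))} distinct regions")
        for start, sizes in resized_bases(regions).items():
            print(f"  base 0x{start:X} dumped with sizes {[hex(s) for s in sizes]}")
```

On the full list above the same reduction leaves eight distinct regions for each of the two PIDs, and flags 0x400000 and 0x4C90000 for pro2788.exe and 0x4CF0000 for qu9703.exe as bases seen with two extents.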