Analysis Overview
SHA256
74bb323d4706c651e15ff471bd498849150c0b0d255e7590cba3021e267ec6c5
Threat Level: Known bad
The file 74bb323d4706c651e15ff471bd498849150c0b0d255e7590cba3021e267ec6c5 was found to be: Known bad.
Malicious Activity Summary
Detects Healer, an antivirus disabler dropper
Healer
RedLine payload
Redline family
Modifies Windows Defender Real-time Protection settings
RedLine
Healer family
Executes dropped EXE
Windows security modification
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:37
Reported
2024-11-10 01:40
Platform
win10v2004-20241007-en
Max time kernel
142s
Max time network
150s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8949411.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8949411.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8949411.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8949411.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8949411.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8949411.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3836213.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8949411.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7600297.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8949411.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8949411.exe | N/A |
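As an added check, not part of the sandbox report, the Python below turns the Defender registry writes attributed above to a8949411.exe into a detection over Sysmon Event ID 13 (RegistryEvent, Value Set) records. The event dictionaries are constructed to mirror the report's indicators; the field names `image`, `target` and `details` are an assumed flattening of Sysmon's Image, TargetObject and Details. Hive prefixes and the WOW6432Node component are normalized so one rule matches both the sandbox's `\REGISTRY\MACHINE` form and Sysmon's `HKLM` form. As a generalization beyond this report it also flags `Policies\Microsoft\Windows Defender\DisableAntiSpyware = 1`.

```python
"""Flag Defender-disabling registry writes in Sysmon-style registry events.

Constructed example: SAMPLE_EVENTS mirrors the a8949411.exe indicators from
the report, re-expressed as Sysmon Event ID 13 fields. It is not real Sysmon
output and the field names are an assumed simplification.
"""
import re

_HIVE_ALIASES = ("\\REGISTRY\\MACHINE\\", "HKEY_LOCAL_MACHINE\\", "HKLM\\")
_DWORD = re.compile(r"DWORD \(0x([0-9A-Fa-f]{1,8})\)")

# Keys of interest, lower-case, with the WOW6432Node component removed.
RTP_KEY = r"hklm\software\policies\microsoft\windows defender\real-time protection"
DEFENDER_POLICY_KEY = r"hklm\software\policies\microsoft\windows defender"
FEATURES_KEY = r"hklm\software\microsoft\windows defender\features"


def normalize_key(path: str) -> str:
    """Map a registry path to lower-case HKLM\\... without WOW6432Node.

    The sandbox logs \\REGISTRY\\MACHINE\\..., Sysmon logs HKLM\\..., and a
    32-bit writer on 64-bit Windows appears under SOFTWARE\\WOW6432Node;
    all three must hit the same rule.
    """
    p = path.strip()
    for alias in _HIVE_ALIASES:
        if p.lower().startswith(alias.lower()):
            p = "HKLM\\" + p[len(alias):]
            break
    p = re.sub(r"(?i)\\wow6432node\\", "\\\\", p)
    return p.lower()


def parse_dword(details: str):
    """Extract the integer from a Sysmon 'DWORD (0x0000000N)' Details field."""
    m = _DWORD.search(details)
    return int(m.group(1), 16) if m else None


def find_defender_tampering(events):
    """Return (image, value_name, value) for every Defender-disabling value set."""
    findings = []
    for ev in events:
        if ev.get("event_id") != 13:          # only Value Set events carry data
            continue
        key, _, name = normalize_key(ev["target"]).rpartition("\\")
        value = parse_dword(ev.get("details", ""))
        if value is None:
            continue
        hit = (
            (key == RTP_KEY and name.startswith("disable") and value == 1)
            or (key == DEFENDER_POLICY_KEY and name == "disableantispyware" and value == 1)
            or (key == FEATURES_KEY and name == "tamperprotection" and value == 0)
        )
        if hit:
            findings.append((ev["image"], name, value))
    return findings


# The stage that writes the Defender values in the report.
DISABLER = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8949411.exe"
_RTP = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"

SAMPLE_EVENTS = [
    # Key creation (Event ID 12) carries no value and is ignored by the rule.
    {"event_id": 12, "image": DISABLER, "target": _RTP, "details": ""},
] + [
    {"event_id": 13, "image": DISABLER, "target": _RTP + "\\" + name,
     "details": "DWORD (0x00000001)"}
    for name in ("DisableBehaviorMonitoring", "DisableIOAVProtection",
                 "DisableOnAccessProtection", "DisableRealtimeMonitoring",
                 "DisableScanOnRealtimeEnable")
] + [
    {"event_id": 13, "image": DISABLER,
     "target": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection",
     "details": "DWORD (0x00000000)"},
    # Constructed benign noise: a DWORD under an unrelated (fictional) key, and
    # a Defender policy value set to the protective value; neither should fire.
    {"event_id": 13, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"HKLM\SOFTWARE\Contoso\Agent\PollInterval",
     "details": "DWORD (0x00000001)"},
    {"event_id": 13, "image": r"C:\Windows\System32\gpupdate.exe",
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "details": "DWORD (0x00000000)"},
]

if __name__ == "__main__":
    for image, name, value in find_defender_tampering(SAMPLE_EVENTS):
        print(f"{image} set {name} = {value}")
```

Where Tamper Protection is enabled, Defender ignores these policy writes, so a hit does not by itself mean real-time protection went down on that host; the `Features\TamperProtection = 0` write by a user-mode process is worth an alert on its own either way.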
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\74bb323d4706c651e15ff471bd498849150c0b0d255e7590cba3021e267ec6c5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3836213.exe | N/A |
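The two RunOnce values above are the cleanup entries that a wextract (IExpress-style) self-extractor registers for its `IXPnnn.TMP` folder, and the process that wrote each value is the stage that extracted into that folder. As an added example, not part of the sandbox report, the Python below parses those values and joins them with the process list to rebuild the drop chain: the sample extracts to IXP000.TMP and runs v3836213.exe, which extracts to IXP001.TMP and runs a8949411.exe and b7600297.exe. The paths are the report's; the entry dictionaries are constructed from its indicators.

```python
"""Rebuild the nested wextract SFX chain from RunOnce wextract_cleanup values.

Each stage writes RunOnce\\wextract_cleanupN =
  rundll32.exe advpack.dll,DelNodeRunDLL32 "<extract dir>"
so the folder is deleted at the next logon. The writer of the value owns the
folder, so any process running from that folder is one of its payloads.
Constructed example data built from the report's indicators.
"""
import ntpath
import re

_CLEANUP = re.compile(r'advpack\.dll,DelNodeRunDLL32\s+"(?P<dir>[^"]+)"',
                      re.IGNORECASE)


def parse_cleanup_command(data: str):
    """Return the directory a wextract_cleanup value deletes, normalized, or None."""
    m = _CLEANUP.search(data)
    return ntpath.normpath(m.group("dir")).lower() if m else None


def reconstruct_stages(runonce_entries, process_images):
    """Return (parent_image, child_image) edges linking SFX stages to payloads."""
    extract_dir_owner = {}
    for entry in runonce_entries:
        if not entry["name"].lower().startswith("wextract_cleanup"):
            continue
        extract_dir = parse_cleanup_command(entry["data"])
        if extract_dir:
            extract_dir_owner[extract_dir] = entry["writer"]
    edges = []
    for image in process_images:
        parent = extract_dir_owner.get(ntpath.normpath(ntpath.dirname(image)).lower())
        if parent and parent != image:
            edges.append((parent, image))
    return edges


def stage_depths(edges):
    """Depth per payload: 1 = dropped by the sample, 2 = by a stage-1 SFX, ..."""
    parent_of = {child: parent for parent, child in edges}
    depths = {}
    for child in parent_of:
        depth, node = 0, child
        while node in parent_of:
            node = parent_of[node]
            depth += 1
        depths[child] = depth
    return depths


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\74bb323d4706c651e15ff471bd498849150c0b0d255e7590cba3021e267ec6c5.exe"
STAGE1 = TEMP + r"\IXP000.TMP\v3836213.exe"
PAYLOAD_A = TEMP + r"\IXP001.TMP\a8949411.exe"
PAYLOAD_B = TEMP + r"\IXP001.TMP\b7600297.exe"

# RunOnce values as the registry stores them (the report shows them with
# JSON-style escaping of backslashes and quotes).
RUNONCE_ENTRIES = [
    {"writer": SAMPLE, "name": "wextract_cleanup0",
     "data": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'},
    {"writer": STAGE1, "name": "wextract_cleanup1",
     "data": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"'},
]

# Process images seen in the detonation plus one unrelated (constructed) process.
PROCESSES = [SAMPLE, STAGE1, PAYLOAD_A, PAYLOAD_B, r"C:\Windows\explorer.exe"]

if __name__ == "__main__":
    chain = reconstruct_stages(RUNONCE_ENTRIES, PROCESSES)
    for child, depth in stage_depths(chain).items():
        print(f"stage {depth}: {child}")
```

Because the cleanup only runs at the next logon, the `IXP000.TMP` and `IXP001.TMP` folders and their executables are still on disk on a live host until then; collect them and the RunOnce values together before rebooting.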
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3836213.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8949411.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7600297.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\74bb323d4706c651e15ff471bd498849150c0b0d255e7590cba3021e267ec6c5.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8949411.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8949411.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8949411.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\74bb323d4706c651e15ff471bd498849150c0b0d255e7590cba3021e267ec6c5.exe
"C:\Users\Admin\AppData\Local\Temp\74bb323d4706c651e15ff471bd498849150c0b0d255e7590cba3021e267ec6c5.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3836213.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3836213.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8949411.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8949411.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7600297.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7600297.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| CY | 217.196.96.101:4132 | | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| CY | 217.196.96.101:4132 | | tcp |
| CY | 217.196.96.101:4132 | | tcp |
| CY | 217.196.96.101:4132 | | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| CY | 217.196.96.101:4132 | | tcp |
| CY | 217.196.96.101:4132 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3836213.exe
| MD5 | 3ea9e092549bc55c729a39b7a88d97e0 |
| SHA1 | daee7689438bbdbe5404d979f6fae2fecce41959 |
| SHA256 | c99f5a2e621361ff3b67e9ba29e7706fca1f9d3d29569bd0e4a699273bf17efd |
| SHA512 | c682d37336196e71b730865e4225bcef218edb32aaca4e50add2aa8f13095991da5ff7a06806241cea41c170b5877d0d4daa12383ac5b571fbbb2b6da3981e20 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8949411.exe
| MD5 | deb2c3a482574cedcc41b776d2b957b6 |
| SHA1 | f4f0b36a3672b04653bf2c8ada2a5f8a3e00daca |
| SHA256 | e9b7baf529e1edb5b690e620b79fe24656b9cb6a8a0f9e20d01d474670747dd4 |
| SHA512 | e5219bc64bb2c51d1dc3f05224329579c92bdecb5057c8ab7afcb5d4974d9012d8e83e9e8d5ba6729b16f497e81248b6423adb0c0867a0f26379503872976d05 |
memory/2728-14-0x00000000748FE000-0x00000000748FF000-memory.dmp
memory/2728-15-0x00000000023F0000-0x000000000240A000-memory.dmp
memory/2728-17-0x0000000004B30000-0x00000000050D4000-memory.dmp
memory/2728-18-0x0000000004AC0000-0x0000000004AD8000-memory.dmp
memory/2728-16-0x00000000748F0000-0x00000000750A0000-memory.dmp
memory/2728-19-0x00000000748F0000-0x00000000750A0000-memory.dmp
memory/2728-20-0x00000000748F0000-0x00000000750A0000-memory.dmp
memory/2728-21-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/2728-48-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/2728-46-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/2728-44-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/2728-42-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/2728-40-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/2728-38-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/2728-36-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/2728-34-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/2728-32-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/2728-30-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/2728-28-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/2728-26-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/2728-24-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/2728-22-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/2728-49-0x00000000748FE000-0x00000000748FF000-memory.dmp
memory/2728-50-0x00000000748F0000-0x00000000750A0000-memory.dmp
memory/2728-52-0x00000000748F0000-0x00000000750A0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7600297.exe
| MD5 | ef8e3cf6fabb7197c369733f7f221721 |
| SHA1 | 09d143935b7b87f49245ce8cb64c1c6de6aaf2a7 |
| SHA256 | f9fc79626e70d247c7569b6021dbd49aca810118f36180ce81672a8bfa37d567 |
| SHA512 | 3617314081872b45aa1181cfb6fd411d67a7389138a1df385df8327d46b2a5076d84f5e75f087f3a2d33c5c0692648ae92f19b035bfb01079f972f679186da2b |
memory/2036-56-0x0000000000B70000-0x0000000000BA0000-memory.dmp
memory/2036-57-0x0000000002E80000-0x0000000002E86000-memory.dmp
memory/2036-58-0x0000000005B80000-0x0000000006198000-memory.dmp
memory/2036-59-0x0000000005670000-0x000000000577A000-memory.dmp
memory/2036-60-0x00000000053E0000-0x00000000053F2000-memory.dmp
memory/2036-61-0x0000000005560000-0x000000000559C000-memory.dmp
memory/2036-62-0x00000000055A0000-0x00000000055EC000-memory.dmp