Analysis Overview
SHA256
d3a5776318cacce3f237a584c78a9d2ed33b0be1685b811756e6e3fdd76c80a8
Threat Level: Known bad
The file d3a5776318cacce3f237a584c78a9d2ed33b0be1685b811756e6e3fdd76c80a8 was found to be: Known bad.
Malicious Activity Summary
Healer
Detects Healer an antivirus disabler dropper
RedLine
RedLine payload
Redline family
Healer family
Modifies Windows Defender Real-time Protection settings
Windows security modification
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Program crash
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:39
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:39
Reported
2024-11-10 01:42
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8242.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8242.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8242.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8242.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8242.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8242.exe | N/A |
RedLine
RedLine payload
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un650907.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8242.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0058.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8242.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8242.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\d3a5776318cacce3f237a584c78a9d2ed33b0be1685b811756e6e3fdd76c80a8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un650907.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8242.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un650907.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8242.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0058.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d3a5776318cacce3f237a584c78a9d2ed33b0be1685b811756e6e3fdd76c80a8.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8242.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8242.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8242.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0058.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d3a5776318cacce3f237a584c78a9d2ed33b0be1685b811756e6e3fdd76c80a8.exe
"C:\Users\Admin\AppData\Local\Temp\d3a5776318cacce3f237a584c78a9d2ed33b0be1685b811756e6e3fdd76c80a8.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un650907.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un650907.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8242.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8242.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2884 -ip 2884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 1084
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0058.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0058.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| RU | 176.113.115.145:4125 | | tcp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un650907.exe
| MD5 | 4b85352b566461a19adb842242046a83 |
| SHA1 | c341c61219dab28de21ded6cc2ef1d2834643b74 |
| SHA256 | bf10a41943bd542726e6993180fe4cbe709563b5e1128f1571fc4c61cc32252e |
| SHA512 | b19e67e18635ff6c052eef2bc1200b303f0133badd389bea75c38ba844be5a0390724dc9eb4b0c53d29525aee9f13552297b60e1b8013d42618e1b135f028e02 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8242.exe
| MD5 | 196313764dffb67558dbde2ce17579cb |
| SHA1 | 9036880fb487ecdf8087578b0c16591dd9f67bf4 |
| SHA256 | 8115e3d583de3dc8221e4807fc16140c12ab77fb076bbb48e874a4e4a14fc287 |
| SHA512 | a874a7558bfd547df6e44f3aef2ce5643f632f93d9ecefdfa131bff2fae46eb3bd5620ddb1710583b25d933a96a6f1879a637d405df48adef0d6f3180cc4a426 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0058.exe
| MD5 | d8c616005f707a17680af72d8b90e689 |
| SHA1 | d0417fde83d91a1cbb20aa8f4444bcce871189a3 |
| SHA256 | bf69ea1bb67d82014bd394b8e9330e3d55676ccf687d035a48734d9aa7c14b73 |
| SHA512 | 559a69f80d007ad39e2984d1902bf35e5068edfa719644e316616023cbaae65ab96ac6b650161b453ed1e95c52f83b088219a2be018e3cb807ea2984e51758ac |