Analysis Overview
SHA256
062776ef7a20d08c9e92343d49872bf7e002ca33beddc186062264c16e43f39a
Threat Level: Known bad
The file 062776ef7a20d08c9e92343d49872bf7e002ca33beddc186062264c16e43f39a was found to be: Known bad.
Malicious Activity Summary
Detects Healer, an antivirus disabler dropper
Healer family
Redline family
RedLine payload
RedLine
Healer
Modifies Windows Defender Real-time Protection settings
Executes dropped EXE
Windows security modification
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:43
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:43
Reported
2024-11-10 01:45
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6282.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6282.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6282.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6282.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6282.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6282.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio4666.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6282.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7454.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6282.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6282.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\062776ef7a20d08c9e92343d49872bf7e002ca33beddc186062264c16e43f39a.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio4666.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6282.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6282.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7454.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\062776ef7a20d08c9e92343d49872bf7e002ca33beddc186062264c16e43f39a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio4666.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6282.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6282.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6282.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7454.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\062776ef7a20d08c9e92343d49872bf7e002ca33beddc186062264c16e43f39a.exe | "C:\Users\Admin\AppData\Local\Temp\062776ef7a20d08c9e92343d49872bf7e002ca33beddc186062264c16e43f39a.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio4666.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio4666.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6282.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6282.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4968 -ip 4968 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 1084 |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7454.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7454.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| RU | 193.233.20.32:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio4666.exe
| MD5 | 0b7b6d6cd58ba2ac0c32ac5d10515250 |
| SHA1 | 10d204a902bd865c415279ffc5ebf627146e75d7 |
| SHA256 | 6a42b854ea79bbebb5a7734fd18374a3ebf3c9b463c7b33b8207803cb37ee060 |
| SHA512 | 0fab8321068c5eb6ebbdfdbe4e05b5494111ba50486c87962fe1888d6c4f4407cdf7905fb919e68d90dfe3da025b9a95edfbbea64fde6640055e1265cef263d4 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6282.exe
| MD5 | feccfab0368b2931d10e445764382573 |
| SHA1 | a8aca5eb3cd31cc940b1a085a57adf64285dea0c |
| SHA256 | 38a612feef0258d911c8f2fd7c982010c5c8f9f0a1921f7a81c63f37e7ad877a |
| SHA512 | 7e327f832faf0ae1b1a210a92cfa29d4dd84e36c59133736770b645cab735f52515b918df1b34e20a5748d4a46155401617f7b5d3fc86dddbbc3c0d9b901751c |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7454.exe
| MD5 | 0a45dd35e2f654842ee8f1fca73833c9 |
| SHA1 | a3b438ee4e4c6ed2e2c95c39341c4f17984327f0 |
| SHA256 | e8c20418cfcce9076454ada3e1859b94bc81b0f3355ce6e3d329b882086cf987 |
| SHA512 | 01e7e1c10059f548991cb78cdab09385f8ac0eb92decfaa63a4a05052b5267d99d3300b1afc64663649be48f4d1d6d9c1edfe53e7ffef9d48f7b5ca2057710b4 |