Analysis Overview
SHA256
7f2796548e2fe87fa8eba42cb1ac110e33e5c4344e0504592b0a5227397d4f93
Threat Level: Known bad
The file 7f2796548e2fe87fa8eba42cb1ac110e33e5c4344e0504592b0a5227397d4f93 was found to be: Known bad.
Malicious Activity Summary
Detects Healer an antivirus disabler dropper
Redline family
Modifies Windows Defender Real-time Protection settings
Healer family
RedLine payload
Healer
RedLine
Executes dropped EXE
Windows security modification
Adds Run key to start application
System Location Discovery: System Language Discovery
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:42
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:42
Reported
2024-11-10 01:45
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a35099503.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a35099503.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a35099503.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a35099503.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a35099503.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a35099503.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i98174832.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i87601930.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i35293944.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i78992619.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a35099503.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b39310875.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a35099503.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a35099503.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\7f2796548e2fe87fa8eba42cb1ac110e33e5c4344e0504592b0a5227397d4f93.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i98174832.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i87601930.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i35293944.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i78992619.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a35099503.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i87601930.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i35293944.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i78992619.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a35099503.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b39310875.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7f2796548e2fe87fa8eba42cb1ac110e33e5c4344e0504592b0a5227397d4f93.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i98174832.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a35099503.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a35099503.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a35099503.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7f2796548e2fe87fa8eba42cb1ac110e33e5c4344e0504592b0a5227397d4f93.exe
"C:\Users\Admin\AppData\Local\Temp\7f2796548e2fe87fa8eba42cb1ac110e33e5c4344e0504592b0a5227397d4f93.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i98174832.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i98174832.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i87601930.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i87601930.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i35293944.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i35293944.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i78992619.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i78992619.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a35099503.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a35099503.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1428 -ip 1428
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 1080
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b39310875.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b39310875.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i98174832.exe
| MD5 | 3c98863833f7aff1acd4bff0efb307f1 |
| SHA1 | 656a7cb936d6259d34a213726cdf8b5b523bfe97 |
| SHA256 | 341acf51528ad025d37942ca95d59951251a1a0be2481bc67c77890900489e48 |
| SHA512 | 872ad99d20d10c184f1e1349e573541cb4eb9d8dc4ed06130b068e989806a232be5c64a58acda968ba000bce45b1f6bd5c8de747df95719cf2aa5a5978fdece7 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i87601930.exe
| MD5 | b402b9b957eedae731e6788176d04a6c |
| SHA1 | 0d73034cd207695202a31b04ec78a44bac91a564 |
| SHA256 | a72d9c94332ccb234e04b2709f59c59dcbb5c1010d5fc735318a86ebe2144b3e |
| SHA512 | fd65a56c29021dcb67752d4c797b593c94b228d99879738544772a78d24f9ded0480a5ee8271e93fd08ac804c5700f5aa1afb6e4b4c43f6cde07cc4835fb9cae |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i35293944.exe
| MD5 | 72723222ddbf76f6e4bb67b780697991 |
| SHA1 | 223647d8a4af3e509ed6f0868daf728c952abbf8 |
| SHA256 | f296f95567a42a829b71590870e72de0ce023f4f7b9d7c76a1470345072c3d73 |
| SHA512 | 0694ce1467b1f1f6c974a2d0541096752a62202fe63e30e8799fd048244ec2da24ee8cf1e9ddfb794846b3316a25ddf64cb5b2ed8a4ed8cd435287f75e8647d2 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i78992619.exe
| MD5 | 4ceaababa053a38b19ad1df4dd401db0 |
| SHA1 | e4e119fa4cb9d5debd5bb7cc3c00d9daf5bc0897 |
| SHA256 | 855751103c09f7a38813db03fa1ede42a70b864994072f48e07e423ff87263b7 |
| SHA512 | 8b0f0b433fa010feb4ac5b3a8c625801b1055ff9cd8e1c3c3557d71696a2c1178ef8831711548e34d0ca316b4fd5e7a5e6a55871235410ad24bcce349795b60a |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a35099503.exe
| MD5 | b497921f7dcb828b7b38daa1eaf7158d |
| SHA1 | cce97fdc1d8a77a52ef5cb29597eb83863c2f4a6 |
| SHA256 | 30c09deb736f1c9accdad3875587ab5654850929f90839f84aa47480968f6ecb |
| SHA512 | 75c6a8fc7f04c161eab6779520a0bfc9fcd789bcc78e6a9d3f6bc991407793bab00964864bfaaa5f31007d0a13fe0dd011339122c7694914cf9b1da5dfdf05a1 |
memory/1428-36-0x0000000002850000-0x000000000286A000-memory.dmp
memory/1428-37-0x00000000052E0000-0x0000000005884000-memory.dmp
memory/1428-38-0x0000000002CD0000-0x0000000002CE8000-memory.dmp
memory/1428-39-0x0000000002CD0000-0x0000000002CE2000-memory.dmp
memory/1428-66-0x0000000002CD0000-0x0000000002CE2000-memory.dmp
memory/1428-65-0x0000000002CD0000-0x0000000002CE2000-memory.dmp
memory/1428-62-0x0000000002CD0000-0x0000000002CE2000-memory.dmp
memory/1428-60-0x0000000002CD0000-0x0000000002CE2000-memory.dmp
memory/1428-58-0x0000000002CD0000-0x0000000002CE2000-memory.dmp
memory/1428-56-0x0000000002CD0000-0x0000000002CE2000-memory.dmp
memory/1428-55-0x0000000002CD0000-0x0000000002CE2000-memory.dmp
memory/1428-53-0x0000000002CD0000-0x0000000002CE2000-memory.dmp
memory/1428-50-0x0000000002CD0000-0x0000000002CE2000-memory.dmp
memory/1428-48-0x0000000002CD0000-0x0000000002CE2000-memory.dmp
memory/1428-46-0x0000000002CD0000-0x0000000002CE2000-memory.dmp
memory/1428-44-0x0000000002CD0000-0x0000000002CE2000-memory.dmp
memory/1428-42-0x0000000002CD0000-0x0000000002CE2000-memory.dmp
memory/1428-40-0x0000000002CD0000-0x0000000002CE2000-memory.dmp
memory/1428-67-0x0000000000400000-0x0000000000A67000-memory.dmp
memory/1428-69-0x0000000000400000-0x0000000000A67000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b39310875.exe
| MD5 | c53ccc3e6ee89031dcb6760cdd081ad4 |
| SHA1 | c8ea70aa2d2043a2077e4cbaa593581c8b39e9aa |
| SHA256 | 886adce7dcfc2e7fca15ac78afa9947db515cf7c36c7e997fdefb9d5fb5be1fc |
| SHA512 | 2f24d77e2fb522e9a8b537d560987140d64460e2eb909ccb18a599076633a7796d8fc195435d9910007a452fb7dcab3f1315d20b11c940363e9891aad3134548 |
memory/4672-73-0x0000000000D60000-0x0000000000D8E000-memory.dmp
memory/4672-74-0x0000000005580000-0x0000000005586000-memory.dmp
memory/4672-75-0x000000000B190000-0x000000000B7A8000-memory.dmp
memory/4672-76-0x000000000AD10000-0x000000000AE1A000-memory.dmp
memory/4672-77-0x000000000AC40000-0x000000000AC52000-memory.dmp
memory/4672-78-0x000000000ACA0000-0x000000000ACDC000-memory.dmp
memory/4672-79-0x0000000004F70000-0x0000000004FBC000-memory.dmp