Analysis Overview
SHA256
46556ce2d37813cc4f7493ae9f20b90f47c49c994d11c895d656830d78c08e3c
Threat Level: Known bad
The file 46556ce2d37813cc4f7493ae9f20b90f47c49c994d11c895d656830d78c08e3c was found to be: Known bad.
Malicious Activity Summary
Detects Healer an antivirus disabler dropper
RedLine
Healer family
Modifies Windows Defender Real-time Protection settings
Healer
RedLine payload
Redline family
Windows security modification
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 00:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 00:58
Reported
2024-11-10 01:00
Platform
win10v2004-20241007-en
Max time kernel
138s
Max time network
147s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3042473.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3042473.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3042473.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3042473.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3042473.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3042473.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0822929.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3042473.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5329633.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3042473.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3042473.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\46556ce2d37813cc4f7493ae9f20b90f47c49c994d11c895d656830d78c08e3c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0822929.exe | N/A |
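Two of the registry signatures above deserve a closer reading. The five Real-Time Protection policy values and TamperProtection = "0" are all written by IXP001.TMP\a3042473.exe, which is the Healer component switching Microsoft Defender off. The RunOnce\wextract_cleanup0 and wextract_cleanup1 entries, on the other hand, are written by the Windows IExpress self-extracting stub (wextract), which registers rundll32 advpack.dll,DelNodeRunDLL32 against its own IXPnnn.TMP extraction directory so that the directory is deleted at next logon; despite the "Adds Run key to start application" label they are package cleanup, not persistence for the payload. What they do reveal is a nested IExpress package: the outer executable extracts v0822929.exe into IXP000.TMP, and that file in turn extracts a3042473.exe (Healer) and b5329633.exe (RedLine) into IXP001.TMP.

The following Python is an added triage helper, not part of the sandbox report: it parses rows in this report's own "| Description | Indicator | Process | Target |" format (the rows from the tables above are embedded as constructed sample input), normalises the \REGISTRY\MACHINE and WOW6432Node spellings so one rule matches both the 32-bit and the 64-bit view of the same key, and ranks each write. The rule names, severities, function names and the accepted event-dict shape are this example's own assumptions, not labels from the report. On a host with Tamper Protection enabled Defender does not honour these changes the way the sandbox did, and may log Defender event 5013; the write attempt itself (Sysmon Event ID 13 on these value paths) is still the thing to detect.

```python
"""Rank the registry writes recorded in a behavioural report (added example, not
part of the sandbox report): Defender tampering versus wextract RunOnce cleanup."""
import re
from dataclasses import dataclass
from typing import Optional

# Real-Time Protection policy values that switch off a Defender component when set to 1.
DEFENDER_RTP_KILL_VALUES = {
    "disablerealtimemonitoring", "disablebehaviormonitoring", "disableioavprotection",
    "disableonaccessprotection", "disablescanonrealtimeenable",
}
DEFENDER_POLICY_KEY = r"hklm\software\policies\microsoft\windows defender"
DEFENDER_RTP_KEY = DEFENDER_POLICY_KEY + r"\real-time protection"
DEFENDER_FEATURES_KEY = r"hklm\software\microsoft\windows defender\features"

# Constructed sample input: rows copied from the report's signature tables above.
SAMPLE_ROWS = r"""
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3042473.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3042473.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3042473.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3042473.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3042473.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3042473.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3042473.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3042473.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\46556ce2d37813cc4f7493ae9f20b90f47c49c994d11c895d656830d78c08e3c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0822929.exe | N/A |
"""

ROW_RE = re.compile(r"^\|\s*(?P<op>[^|]*?)\s*\|\s*(?P<ind>[^|]*?)\s*\|\s*(?P<proc>[^|]*?)\s*\|")


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    rule: str
    process: str
    key: str
    value_name: str
    data: str


def normalize_key(path: str) -> str:
    # Fold the native \REGISTRY\MACHINE spelling, HKEY_LOCAL_MACHINE and the WOW6432Node
    # view onto one HKLM form, so a rule written for the 64-bit key also matches a 32-bit writer.
    p = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path, flags=re.I)
    p = re.sub(r"^HKEY_LOCAL_MACHINE\\", r"HKLM\\", p, flags=re.I)
    return re.sub(r"\\WOW6432Node\\", r"\\", p, flags=re.I)


def unescape_report(s: str) -> str:
    # Undo the report's own quoting of string data (doubled backslashes, escaped quotes).
    return s.replace("\\\\", "\\").replace('\\"', '"')


def parse_row(line: str) -> Optional[dict]:
    """Turn one 'Set value' or 'Key created' table row into an event dict; None for the rest."""
    m = ROW_RE.match(line.strip())
    if not m or m["ind"] == "N/A":
        return None
    op, ind, proc = m["op"].lower(), m["ind"], m["proc"]
    if op.startswith("set value"):
        path, _, data = ind.partition(' = "')      # indicator is '<key>\<value> = "<data>"'
        key, _, name = path.rpartition("\\")
        data = data[:-1] if data.endswith('"') else data
        return {"op": "set", "key": key, "value_name": name,
                "data": unescape_report(data), "process": proc}
    if op.startswith("key created"):
        return {"op": "create", "key": ind, "value_name": "", "data": "", "process": proc}
    return None


def classify(ev: dict) -> Optional[Finding]:
    """Return a Finding for one registry event, or None if it is not of interest."""
    key = normalize_key(ev["key"])
    k, n, data = key.lower(), ev["value_name"].lower(), ev["data"]

    def hit(severity: str, rule: str) -> Finding:
        return Finding(severity, rule, ev["process"], key, ev["value_name"], data)

    if ev["op"] == "create":
        # The Defender policy subtree is normally absent on a host without such a GPO.
        return hit("medium", "defender_policy_key_created") if k.startswith(DEFENDER_POLICY_KEY) else None
    if k == DEFENDER_RTP_KEY and n in DEFENDER_RTP_KILL_VALUES and data == "1":
        return hit("high", "defender_realtime_protection_disabled_by_policy")
    if k == DEFENDER_FEATURES_KEY and n == "tamperprotection" and data == "0":
        return hit("high", "defender_tamper_protection_disabled")
    if k.endswith(r"\currentversion\run") or k.endswith(r"\currentversion\runonce"):
        # wextract registers advpack!DelNodeRunDLL32 on its IXPnnn.TMP directory to delete
        # it at next logon: that is extraction cleanup, not persistence for the payload.
        if "delnoderundll32" in data.lower() and re.search(r"\\ixp\d{3}\.tmp", data, re.I):
            return hit("info", "wextract_cleanup_not_persistence")
        return hit("medium", "autorun_entry_added")
    return None


def analyze(report_text: str) -> list:
    """Run every table row through parse_row and classify, keeping only the findings."""
    events = (parse_row(line) for line in report_text.splitlines())
    return [f for f in (classify(ev) for ev in events if ev) if f]


if __name__ == "__main__":
    for f in analyze(SAMPLE_ROWS):
        print(f"[{f.severity:6}] {f.rule:48} {f.key}\\{f.value_name} = {f.data!r}")
```

Run against the embedded rows, analyze() returns six high findings (the five Real-Time Protection values plus TamperProtection), one medium finding for the creation of the policy key, and two informational findings for the wextract cleanup entries; the "Key created" row for Windows Defender\Features produces nothing, since that key exists on a normal installation. Events from another source (for example Sysmon Event ID 13 records) can be fed to classify() directly as dicts with the same op, key, value_name, data and process fields.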
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\46556ce2d37813cc4f7493ae9f20b90f47c49c994d11c895d656830d78c08e3c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0822929.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3042473.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5329633.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3042473.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3042473.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3042473.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\46556ce2d37813cc4f7493ae9f20b90f47c49c994d11c895d656830d78c08e3c.exe
"C:\Users\Admin\AppData\Local\Temp\46556ce2d37813cc4f7493ae9f20b90f47c49c994d11c895d656830d78c08e3c.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0822929.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0822929.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3042473.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3042473.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5329633.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5329633.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| FI | 77.91.124.251:19069 | | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| FI | 77.91.124.251:19069 | | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| FI | 77.91.124.251:19069 | | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| FI | 77.91.124.251:19069 | | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| FI | 77.91.124.251:19069 | | tcp |
| FI | 77.91.124.251:19069 | | tcp |
| FI | 77.91.124.251:19069 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0822929.exe
| MD5 | 3318a535070432c3c5eacc0a93dc1413 |
| SHA1 | 7a2258fde704dd0b674d9c957298d5c982d4fecd |
| SHA256 | 713cc762c8174608785b9f56f83b658fee8e68cd23c3977416df619b1c1dcc7f |
| SHA512 | cbedfb4ed664d3233a6a19ebf0c557288cb22802e6e9ea8575323dea6a72ec8fb8eb03918f370df27b5967145316f1d5680b88ff8e510a29a84b72ef393295f2 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3042473.exe
| MD5 | 3be539bc06dbbcf598efefd04d30ea31 |
| SHA1 | 8b9acc444407ca1e139472f2e5cf8ea1fa57dce8 |
| SHA256 | dcde231d6b1203b70e39e0f0b0546121f4fa93b505d858d14199a5dc51fd4151 |
| SHA512 | 39f340f52b907c6e3a039e298824a8f0a8cdb6e642b7676a524647fb7a99e7f1c731529f5fc93376f985849867a607402a9e5cc24a188cd92ed6e776f8aefcab |
memory/1420-14-0x0000000073CEE000-0x0000000073CEF000-memory.dmp
memory/1420-15-0x00000000024C0000-0x00000000024DA000-memory.dmp
memory/1420-16-0x0000000073CE0000-0x0000000074490000-memory.dmp
memory/1420-17-0x0000000004B20000-0x00000000050C4000-memory.dmp
memory/1420-18-0x0000000004AD0000-0x0000000004AE8000-memory.dmp
memory/1420-19-0x0000000073CE0000-0x0000000074490000-memory.dmp
memory/1420-43-0x0000000004AD0000-0x0000000004AE2000-memory.dmp
memory/1420-47-0x0000000004AD0000-0x0000000004AE2000-memory.dmp
memory/1420-48-0x0000000073CE0000-0x0000000074490000-memory.dmp
memory/1420-45-0x0000000004AD0000-0x0000000004AE2000-memory.dmp
memory/1420-41-0x0000000004AD0000-0x0000000004AE2000-memory.dmp
memory/1420-39-0x0000000004AD0000-0x0000000004AE2000-memory.dmp
memory/1420-37-0x0000000004AD0000-0x0000000004AE2000-memory.dmp
memory/1420-35-0x0000000004AD0000-0x0000000004AE2000-memory.dmp
memory/1420-27-0x0000000004AD0000-0x0000000004AE2000-memory.dmp
memory/1420-25-0x0000000004AD0000-0x0000000004AE2000-memory.dmp
memory/1420-23-0x0000000004AD0000-0x0000000004AE2000-memory.dmp
memory/1420-21-0x0000000004AD0000-0x0000000004AE2000-memory.dmp
memory/1420-20-0x0000000004AD0000-0x0000000004AE2000-memory.dmp
memory/1420-33-0x0000000004AD0000-0x0000000004AE2000-memory.dmp
memory/1420-31-0x0000000004AD0000-0x0000000004AE2000-memory.dmp
memory/1420-29-0x0000000004AD0000-0x0000000004AE2000-memory.dmp
memory/1420-49-0x0000000073CEE000-0x0000000073CEF000-memory.dmp
memory/1420-50-0x0000000073CE0000-0x0000000074490000-memory.dmp
memory/1420-52-0x0000000073CE0000-0x0000000074490000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5329633.exe
| MD5 | 1bf1deb45ddb63eae2e99a57a8388229 |
| SHA1 | f1a7075ea4ce02db3def4d9a096c13a933ada2db |
| SHA256 | a9a96e6449e12ff18c0e26f7bef1f32526b7924ffc72a462063cb069244e06e5 |
| SHA512 | 130e10f688152376e271eac1eb1f0a11229398d70e04f85fb883bd3b7347fb4ea7c084a67c1deb02c49adb46f43c451123755a1f6ef78235ad38ea058dac2e50 |
memory/4440-56-0x0000000000B00000-0x0000000000B28000-memory.dmp
memory/4440-57-0x0000000007DC0000-0x00000000083D8000-memory.dmp
memory/4440-58-0x0000000007860000-0x0000000007872000-memory.dmp
memory/4440-59-0x0000000007990000-0x0000000007A9A000-memory.dmp
memory/4440-60-0x00000000078C0000-0x00000000078FC000-memory.dmp
memory/4440-61-0x0000000007900000-0x000000000794C000-memory.dmp