Analysis Overview
SHA256
b89c4f31f148f386744359d817adab3a53661404853e12c0a49745af8790e53a
Threat Level: Known bad
The file b89c4f31f148f386744359d817adab3a53661404853e12c0a49745af8790e53a was found to be: Known bad.
Malicious Activity Summary
Detects Healer, an antivirus disabler dropper
Healer family
Redline family
RedLine payload
Modifies Windows Defender Real-time Protection settings
RedLine
Healer
Windows security modification
Executes dropped EXE
Adds Run key to start application
Launches sc.exe
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:24
Signatures
Unsigned PE
(1 match; no indicator details recorded)
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:24
Reported
2024-11-10 01:27
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Signatures
Detects Healer, an antivirus disabler dropper
(17 matches; no indicator details recorded)
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8849021.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8849021.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8849021.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8849021.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8849021.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8849021.exe | N/A |
RedLine
RedLine payload
(2 matches; no indicator details recorded)
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7451797.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8849021.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b9911750.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8849021.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8849021.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\b89c4f31f148f386744359d817adab3a53661404853e12c0a49745af8790e53a.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7451797.exe | N/A |
Note: both RunOnce values are the standard cleanup stub written by the Windows self-extractor wextract.exe (IExpress packages), which deletes its IXPnnn.TMP extraction directory at next logon. They identify the sample and v7451797.exe as nested self-extracting wrappers rather than establishing persistence for the dropped payloads.
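The three registry signatures above (Defender Real-Time Protection policies, TamperProtection, and the RunOnce entries) are the rows an analyst has to read most carefully, because one of them is installer noise and the others are the actual defence-evasion step. The following Python script is an added example, not part of this report or of the sandbox engine: it re-classifies the report's own registry rows (copied into the EVENTS list) with a small rule set, separates the wextract cleanup stub from genuine Run-key persistence, and maps the Defender writes to ATT&CK T1562.001. The labels, technique mapping and function names are this script's own conventions.

```python
"""Triage the registry events from the behavioral1 run above.

Added example (not part of the sandbox report or its engine): the event tuples
below are copied from the report's signature tables; the rule labels, technique
mapping and function names are this script's own.
"""
from dataclasses import dataclass
from typing import Optional

HEALER = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8849021.exe"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b89c4f31f148f386744359d817adab3a53661404853e12c0a49745af8790e53a.exe"
STAGE1 = r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7451797.exe"
RTP = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEATURES = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features"
RUNONCE = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
CLEANUP = r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\{}\"'

# (operation, key path, value or None for "Key created", writing process), from the report.
EVENTS = [
    ("Set value (int)", RTP + r"\DisableIOAVProtection", "1", HEALER),
    ("Set value (int)", RTP + r"\DisableOnAccessProtection", "1", HEALER),
    ("Set value (int)", RTP + r"\DisableRealtimeMonitoring", "1", HEALER),
    ("Set value (int)", RTP + r"\DisableScanOnRealtimeEnable", "1", HEALER),
    ("Key created", RTP, None, HEALER),
    ("Set value (int)", RTP + r"\DisableBehaviorMonitoring", "1", HEALER),
    ("Set value (int)", FEATURES + r"\TamperProtection", "0", HEALER),
    ("Key created", FEATURES, None, HEALER),
    ("Set value (str)", RUNONCE + r"\wextract_cleanup0", CLEANUP.format("IXP000.TMP"), SAMPLE),
    ("Set value (str)", RUNONCE + r"\wextract_cleanup1", CLEANUP.format("IXP001.TMP"), STAGE1),
]

# Defender Real-Time Protection policy values that switch a protection off when set to 1.
RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring", "DisableBehaviorMonitoring", "DisableOnAccessProtection",
    "DisableIOAVProtection", "DisableScanOnRealtimeEnable",
}


@dataclass(frozen=True)
class Finding:
    technique: str  # ATT&CK technique ID, or "info" for context-only hits
    label: str
    process: str
    key: str


def normalize(key: str) -> str:
    """Rewrite the kernel path as HKLM and drop the WOW6432Node view so the same
    rules match keys written by 32-bit and 64-bit processes."""
    return key.replace("\\REGISTRY\\MACHINE\\", "HKLM\\").replace("\\WOW6432Node", "")


def classify(event) -> Optional[Finding]:
    """Apply the rules to one (op, key, value, process) event; None if nothing matches."""
    _op, raw_key, value, proc = event
    key = normalize(raw_key)
    parent, _, name = key.rpartition("\\")
    if parent.endswith(r"\Policies\Microsoft\Windows Defender\Real-Time Protection"):
        if name in RTP_DISABLE_VALUES and value == "1":
            return Finding("T1562.001", "defender-rtp-policy-disabled", proc, key)
    elif parent.endswith(r"\Microsoft\Windows Defender\Features"):
        if name == "TamperProtection" and value == "0":
            return Finding("T1562.001", "defender-tamper-protection-off", proc, key)
    elif parent.endswith((r"\CurrentVersion\Run", r"\CurrentVersion\RunOnce")):
        # wextract.exe (IExpress packages) registers exactly this RunOnce stub to delete
        # its IXPnnn.TMP directory; it marks a self-extractor, not payload persistence.
        if name.startswith("wextract_cleanup") and "advpack.dll,DelNodeRunDLL32" in (value or ""):
            return Finding("info", "wextract-self-extractor-cleanup", proc, key)
        return Finding("T1547.001", "run-key-persistence", proc, key)
    return None


def summarize(events) -> dict:
    """Count findings by label."""
    counts: dict = {}
    for ev in events:
        f = classify(ev)
        if f:
            counts[f.label] = counts.get(f.label, 0) + 1
    return counts


def tampering_processes(events) -> set:
    """Processes that impaired Defender (T1562.001): the AV-disabler stage of the chain."""
    return {f.process for f in map(classify, events) if f and f.technique == "T1562.001"}


if __name__ == "__main__":
    for ev in EVENTS:
        f = classify(ev)
        if f:
            image = f.process.rsplit("\\", 1)[-1]
            print(f"{f.technique:10} {f.label:32} {image}")
    print("AV tampering by:", tampering_processes(EVENTS))
```

Run as-is, the script attributes all six Defender writes to a8849021.exe and reports the two RunOnce values as self-extractor cleanup rather than persistence, which is the split the raw signature names ("Adds Run key to start application") do not make for you. Swap the EVENTS list for rows exported from another report to reuse the rules.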
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b9911750.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b89c4f31f148f386744359d817adab3a53661404853e12c0a49745af8790e53a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7451797.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8849021.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8849021.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8849021.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8849021.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\b89c4f31f148f386744359d817adab3a53661404853e12c0a49745af8790e53a.exe | "C:\Users\Admin\AppData\Local\Temp\b89c4f31f148f386744359d817adab3a53661404853e12c0a49745af8790e53a.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7451797.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7451797.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8849021.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8849021.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b9911750.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b9911750.exe |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe start wuauserv |
The RunOnce entries above show the nesting: the submitted sample extracts v7451797.exe into IXP000.TMP, and v7451797.exe in turn extracts a8849021.exe (the process that rewrote the Defender policies and held SeDebugPrivilege) and b9911750.exe into IXP001.TMP. The single sc.exe call starts the Windows Update service (wuauserv).
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| CY | 217.196.96.101:4132 | | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| CY | 217.196.96.101:4132 | | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| CY | 217.196.96.101:4132 | | tcp |
| CY | 217.196.96.101:4132 | | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| CY | 217.196.96.101:4132 | | tcp |
| CY | 217.196.96.101:4132 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7451797.exe
| MD5 | ea859e4faceefdf3c90e10c212867ec7 |
| SHA1 | 935bff41bb1145cf235ebfd35cf07650f5d0636f |
| SHA256 | 7507f2a36610c03cfbf944669b95d4bbb025ab76bf208648c1ef1ec8a1078019 |
| SHA512 | 3200e4a17f751918109b1739402f75dc6e77cf7de1e8b395f023dacd4190d0476e78bb65317341edea8fb0851ad7de62b64cbe8cec2fa405bd344f281f073edc |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8849021.exe
| MD5 | 052885d7057f8ee4e0c5295122cdfe62 |
| SHA1 | 28dd065813fadd98d80b5e38dace6ecbeb7cb14d |
| SHA256 | 3543a9ecd8b4b5fe1bc80fcdd5ebc7849acf120907a20beded09bb5ec52057ea |
| SHA512 | 3221dcbd57c1f5ee30cea84fdc8320a48dc78c01b1328e93b2b6cbffa806bbcf340f1ca91797a15a25787aab406b981df9ee72c0e63d0242ab64311cf3dc2d53 |
memory/892-14-0x000000007478E000-0x000000007478F000-memory.dmp
memory/892-15-0x0000000002050000-0x000000000206A000-memory.dmp
memory/892-16-0x0000000074780000-0x0000000074F30000-memory.dmp
memory/892-18-0x0000000004970000-0x0000000004F14000-memory.dmp
memory/892-17-0x0000000074780000-0x0000000074F30000-memory.dmp
memory/892-19-0x0000000004F60000-0x0000000004F78000-memory.dmp
memory/892-47-0x0000000004F60000-0x0000000004F72000-memory.dmp
memory/892-45-0x0000000004F60000-0x0000000004F72000-memory.dmp
memory/892-43-0x0000000004F60000-0x0000000004F72000-memory.dmp
memory/892-41-0x0000000004F60000-0x0000000004F72000-memory.dmp
memory/892-39-0x0000000004F60000-0x0000000004F72000-memory.dmp
memory/892-37-0x0000000004F60000-0x0000000004F72000-memory.dmp
memory/892-35-0x0000000004F60000-0x0000000004F72000-memory.dmp
memory/892-33-0x0000000004F60000-0x0000000004F72000-memory.dmp
memory/892-31-0x0000000004F60000-0x0000000004F72000-memory.dmp
memory/892-29-0x0000000004F60000-0x0000000004F72000-memory.dmp
memory/892-27-0x0000000004F60000-0x0000000004F72000-memory.dmp
memory/892-25-0x0000000004F60000-0x0000000004F72000-memory.dmp
memory/892-23-0x0000000004F60000-0x0000000004F72000-memory.dmp
memory/892-21-0x0000000004F60000-0x0000000004F72000-memory.dmp
memory/892-20-0x0000000004F60000-0x0000000004F72000-memory.dmp
memory/892-48-0x000000007478E000-0x000000007478F000-memory.dmp
memory/892-49-0x0000000074780000-0x0000000074F30000-memory.dmp
memory/892-51-0x0000000074780000-0x0000000074F30000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b9911750.exe
| MD5 | 4f49d1f989b7903e0f86c4980ec84fa6 |
| SHA1 | 763c343620a6f3e45c7e2aad1b7cde01a7172b53 |
| SHA256 | d36136cf8d08982280d1d6909be7afa57ac2d406fba7afd9bd45ee2a97ca6794 |
| SHA512 | c5fe1e92f430fc09b8865ee63393bae12f5ec620d9eb28c06b0ea3dd6b8eeaf8ecf3349229b4e6d6b03d9814ff27755bd3e3f3b8528a42e4846111950617b7f8 |
memory/2372-55-0x0000000000F60000-0x0000000000F90000-memory.dmp
memory/2372-56-0x0000000003030000-0x0000000003036000-memory.dmp
memory/2372-57-0x0000000005FB0000-0x00000000065C8000-memory.dmp
memory/2372-58-0x0000000005AF0000-0x0000000005BFA000-memory.dmp
memory/2372-59-0x0000000005A20000-0x0000000005A32000-memory.dmp
memory/2372-60-0x0000000005A80000-0x0000000005ABC000-memory.dmp
memory/2372-61-0x0000000005C00000-0x0000000005C4C000-memory.dmp