Analysis Overview
SHA256
f78eb5959443a77152eb5881966d31e61a3147079d59a7c9c07201456ad4b263
Threat Level: Known bad
The file f78eb5959443a77152eb5881966d31e61a3147079d59a7c9c07201456ad4b263 was found to be: Known bad.
Malicious Activity Summary
RedLine
Detects Healer an antivirus disabler dropper
RedLine payload
Modifies Windows Defender Real-time Protection settings
Healer family
Redline family
Healer
Windows security modification
Executes dropped EXE
Adds Run key to start application
Launches sc.exe
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:29
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:29
Reported
2024-11-10 01:32
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5613326.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5613326.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5613326.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5613326.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5613326.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5613326.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4792067.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5613326.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1400473.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5613326.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5613326.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\32ea7b735163ddc910bcf4e6664216ab3511107f99088b3cb45f85f9ee8f7d03.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4792067.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\32ea7b735163ddc910bcf4e6664216ab3511107f99088b3cb45f85f9ee8f7d03.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4792067.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5613326.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1400473.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5613326.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5613326.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5613326.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\32ea7b735163ddc910bcf4e6664216ab3511107f99088b3cb45f85f9ee8f7d03.exe | "C:\Users\Admin\AppData\Local\Temp\32ea7b735163ddc910bcf4e6664216ab3511107f99088b3cb45f85f9ee8f7d03.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4792067.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4792067.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5613326.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5613326.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1400473.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1400473.exe |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe start wuauserv |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| CY | 217.196.96.101:4132 | | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| CY | 217.196.96.101:4132 | | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| CY | 217.196.96.101:4132 | | tcp |
| CY | 217.196.96.101:4132 | | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| CY | 217.196.96.101:4132 | | tcp |
| CY | 217.196.96.101:4132 | | tcp |
| US | 8.8.8.8:53 | 168.253.116.51.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4792067.exe
| Hash | Value |
| --- | --- |
| MD5 | bfd3f5fa9d1a92256c6d77126d8aa566 |
| SHA1 | 24d0b9311a6b4a0992142b129eeccf12bebe128c |
| SHA256 | 485383a552a9f401a382ce572818bf1e3f8b86948a44ad40b23ec1d33a2356bd |
| SHA512 | 787f26394abba68aa4fb0700bcd0bf6ac584998711d516e45dd2ec3088c8b8196a08c17a893ef4f27e15d5853230356db1fb1bb965a09c45437a11dd890ee196 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5613326.exe
| Hash | Value |
| --- | --- |
| MD5 | 4b7cab7b0d67a56752e9a8b1a2d0e336 |
| SHA1 | 3f6477008395beac68397acd6a907ffc1d232014 |
| SHA256 | 5c0527ac11d22746108becab2f372a73a205c73e5f3a8247f56d4141080a6b63 |
| SHA512 | 4cc228e74f62b2a97d1bf3ca0b9b2f73f5a8fc87fc700687565b3cd62bfdbb18005aa0d56e385cce453bab4f65b6d09beddaec65373c7515ab74564eb8a4b7f0 |
memory/4452-14-0x000000007417E000-0x000000007417F000-memory.dmp
memory/4452-15-0x0000000004A00000-0x0000000004A1A000-memory.dmp
memory/4452-16-0x0000000074170000-0x0000000074920000-memory.dmp
memory/4452-17-0x0000000074170000-0x0000000074920000-memory.dmp
memory/4452-18-0x0000000004C00000-0x00000000051A4000-memory.dmp
memory/4452-19-0x0000000004AC0000-0x0000000004AD8000-memory.dmp
memory/4452-20-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/4452-47-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/4452-44-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/4452-41-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/4452-39-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/4452-37-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/4452-35-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/4452-33-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/4452-31-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/4452-29-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/4452-27-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/4452-25-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/4452-23-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/4452-21-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/4452-45-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/4452-48-0x000000007417E000-0x000000007417F000-memory.dmp
memory/4452-49-0x0000000074170000-0x0000000074920000-memory.dmp
memory/4452-51-0x0000000074170000-0x0000000074920000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1400473.exe
| Hash | Value |
| --- | --- |
| MD5 | becceae5283724466405b9ee9cebfa40 |
| SHA1 | 6fa2ca2f034f647ed2d64dbc24447da1aaa1bcdd |
| SHA256 | f7d8618e35030c1fd9733dd7da786df18354f9fe054ab132b27eaed299d0d1b4 |
| SHA512 | 1e6af2ca5faaa7150501dfede0a665515218abce2d620b70bc7066106990f4b8dc60e5e6d1eaf12a27279c9bd7a0c6ef0ac49d99ff56aa2b291a84fb1493c2fd |
memory/2056-55-0x0000000000D50000-0x0000000000D7E000-memory.dmp
memory/2056-56-0x0000000002E40000-0x0000000002E46000-memory.dmp
memory/2056-57-0x0000000005D30000-0x0000000006348000-memory.dmp
memory/2056-58-0x0000000005820000-0x000000000592A000-memory.dmp
memory/2056-59-0x00000000056C0000-0x00000000056D2000-memory.dmp
memory/2056-60-0x0000000005750000-0x000000000578C000-memory.dmp
memory/2056-61-0x0000000005790000-0x00000000057DC000-memory.dmp