Analysis Overview
SHA256
134e3927807d90757070a210e95b6094ce1a40444f7885816b464defc6403402
Threat Level: Known bad
The file 134e3927807d90757070a210e95b6094ce1a40444f7885816b464defc6403402 was found to be: Known bad.
Malicious Activity Summary
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
RedLine payload
Detects Healer, an antivirus disabler dropper
Redline family
RedLine
Executes dropped EXE
Windows security modification
Adds Run key to start application
System Location Discovery: System Language Discovery
Program crash
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:55
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:55
Reported
2024-11-10 01:58
Platform
win10v2004-20241007-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4411.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4411.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4411.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4411.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4411.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4411.exe | N/A |
RedLine
RedLine payload
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un588202.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4411.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7072.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4411.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4411.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\134e3927807d90757070a210e95b6094ce1a40444f7885816b464defc6403402.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un588202.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4411.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\134e3927807d90757070a210e95b6094ce1a40444f7885816b464defc6403402.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un588202.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4411.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7072.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4411.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4411.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4411.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7072.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\134e3927807d90757070a210e95b6094ce1a40444f7885816b464defc6403402.exe
"C:\Users\Admin\AppData\Local\Temp\134e3927807d90757070a210e95b6094ce1a40444f7885816b464defc6403402.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un588202.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un588202.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4411.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4411.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3636 -ip 3636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 1084
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7072.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7072.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| RU | 176.113.115.145:4125 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un588202.exe
| MD5 | aecaaeac8e1c5c94e4522e291adc4e35 |
| SHA1 | 7c2d438c4a297c217b6d35badde64949276fcdb7 |
| SHA256 | 00168b3d564a4ec16c914d095ae8d1a1c40de7242f796051ea59096d67184715 |
| SHA512 | 579bf65d6a276b3b03b77feeac7e815bc7734ce53c36c4a8faf696ec4ecc6187600ece868fdd7c0b164b85694d2b5644cf186622f20ef67500ab54ec955abe12 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4411.exe
| MD5 | 138f6b3875d4716ddf212d6b359efb90 |
| SHA1 | 4304968305e09c77e4bad1bf3cbd88a6771a268b |
| SHA256 | c2f43c97f0a54185caad0730e22df9c7b99209b9c5cb6d4db1a2011bb4217ba3 |
| SHA512 | 286b086d1428fefa71399059c3e61887bdc6dd4f0d49fa93df8a0eec0281e53f5775d628caa42e9e506728c5759b0b4cd2a307797856b3482db8878efbe21f73 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7072.exe
| MD5 | e94aa687b6f7be8416cb6cebabd6cb14 |
| SHA1 | 517ed385661862c52fb6c116ba484bbcae749833 |
| SHA256 | e45dfb48fccc021ec9746c64a1dc8ca73fe8a74cad1f84f35a2b332746c03dae |
| SHA512 | 554ca28d2b7a28e01c5e521a6cbf46827778b31f1709e9742216c0c3e9eb5cb760050ea2d67d03f9a451df2d72a5d96b85c98580b11d13b69ba458a64c5fe2b4 |