Analysis Overview
SHA256
9b5ce2b2012c4b89bf57ccf86c6b5f6adb8df3f9876b0d44d5afe5104f940490
Threat Level: Known bad
The file 9b5ce2b2012c4b89bf57ccf86c6b5f6adb8df3f9876b0d44d5afe5104f940490 was found to be: Known bad.
Malicious Activity Summary
Healer family
Healer
Detects Healer, an antivirus disabler dropper
RedLine payload
Redline family
RedLine
Modifies Windows Defender Real-time Protection settings
Executes dropped EXE
Windows security modification
Adds Run key to start application
Launches sc.exe
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 02:04
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 02:04
Reported
2024-11-10 02:06
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw84lU22uB89.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw84lU22uB89.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw84lU22uB89.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw84lU22uB89.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw84lU22uB89.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw84lU22uB89.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vbi8843Sb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw84lU22uB89.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\toO17zZ96.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw84lU22uB89.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\9b5ce2b2012c4b89bf57ccf86c6b5f6adb8df3f9876b0d44d5afe5104f940490.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vbi8843Sb.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9b5ce2b2012c4b89bf57ccf86c6b5f6adb8df3f9876b0d44d5afe5104f940490.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vbi8843Sb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\toO17zZ96.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw84lU22uB89.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw84lU22uB89.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw84lU22uB89.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\toO17zZ96.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\9b5ce2b2012c4b89bf57ccf86c6b5f6adb8df3f9876b0d44d5afe5104f940490.exe | "C:\Users\Admin\AppData\Local\Temp\9b5ce2b2012c4b89bf57ccf86c6b5f6adb8df3f9876b0d44d5afe5104f940490.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vbi8843Sb.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vbi8843Sb.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw84lU22uB89.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw84lU22uB89.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\toO17zZ96.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\toO17zZ96.exe |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe start wuauserv |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| US | 8.8.8.8:53 | 106.246.116.51.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vbi8843Sb.exe
| MD5 | 0cf6a17fe59309a85688e747376c99ce |
| SHA1 | 2646aa43532360156f6486815222b733eb07047a |
| SHA256 | eb4c41693bb7d9bc22790a5dcb6d2abae89daf49e29abb5299597e7e43ad49c0 |
| SHA512 | 748f3a86fa644032f8c86d2c1aec861a6542d7927ebc2741982e6e55a080de01b617dae9b3eb22c0ed9c250a21ad3b21ee01cf7c5f1067f98672c4fa0a47eb83 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw84lU22uB89.exe
| MD5 | aeb5ce8afb9c701142b86cc0655c69fa |
| SHA1 | 46cb0f1a33d46364b067b18f3228a6059d7669a2 |
| SHA256 | 65f600c866a8fd36e0bc86336a2d338fd30e758d17a8cded50a702473cf291f4 |
| SHA512 | 336a1566e86702b3cd354b7036edb4ea9f714955c569574995a53c62d518c38a3598dfb9bfc7c81667420bc660d5ff4b7afd4578bb60aaae36def3df44e5dbd2 |
memory/2852-14-0x00007FFD0B4A3000-0x00007FFD0B4A5000-memory.dmp
memory/2852-15-0x0000000000A20000-0x0000000000A2A000-memory.dmp
memory/2852-16-0x00007FFD0B4A3000-0x00007FFD0B4A5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\toO17zZ96.exe
| MD5 | 049b7e9c3b3777fd130ad01127cd8268 |
| SHA1 | 7f56ea5b4e7029a2da226d899ddfce99ff960e0f |
| SHA256 | aff2553c6b6d9a7f84838eb4a2b47cbb3891e122ba04e305c020e68b27847b68 |
| SHA512 | d89cdb1b58ceb4d9b83ab498fc69e5c423b9f44ea2eb24a07b860a6594462899cb1d08e5427dd57473fa2b15d233744f7f7e9fd5f7ae082387a0072c278e0aa1 |