Analysis Overview
SHA256
9a9a1da9d77855064715149660ff0b832ef125604bf012e1c210ebd5d00cc9fa
Threat Level: Known bad
The file 9a9a1da9d77855064715149660ff0b832ef125604bf012e1c210ebd5d00cc9fa was found to be: Known bad.
Malicious Activity Summary
Detects Healer an antivirus disabler dropper
RedLine payload
Healer
Healer family
RedLine
Redline family
Modifies Windows Defender Real-time Protection settings
Windows security modification
Executes dropped EXE
Adds Run key to start application
Program crash
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 02:54
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 02:54
Reported
2024-11-10 02:56
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Signatures
Detects Healer an antivirus disabler dropper
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\79785261.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\79785261.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\79785261.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\79785261.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\79785261.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\79785261.exe | N/A |
RedLine
RedLine payload
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un551501.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\79785261.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk127989.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\79785261.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\79785261.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\9a9a1da9d77855064715149660ff0b832ef125604bf012e1c210ebd5d00cc9fa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un551501.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\79785261.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un551501.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\79785261.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk127989.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9a9a1da9d77855064715149660ff0b832ef125604bf012e1c210ebd5d00cc9fa.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\79785261.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\79785261.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\79785261.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk127989.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9a9a1da9d77855064715149660ff0b832ef125604bf012e1c210ebd5d00cc9fa.exe
"C:\Users\Admin\AppData\Local\Temp\9a9a1da9d77855064715149660ff0b832ef125604bf012e1c210ebd5d00cc9fa.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un551501.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un551501.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\79785261.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\79785261.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 764 -ip 764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 1088
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk127989.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk127989.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | N/A | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un551501.exe
| MD5 | ba42326114f1cf5c2badf2cf66081335 |
| SHA1 | b0e47a35d94655242e2fcc2663b98e4809dacdcf |
| SHA256 | b9a293d28f7fcec9ef166f61dccde27aaef0e033a10970498d2c978149241be8 |
| SHA512 | 3fd8c4d98bb8c9f93bb1d6e9a1f02891ef8671a138ae5bd13934ed7dbae4bf8c792ae639c504f5f18ebef48f35216c74303af76f3167ebc438bd7af600bbf0d2 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\79785261.exe
| MD5 | fa01f9d8c2d04fe93233f7120dd55fdb |
| SHA1 | 2724e1a50e40a1ff24c7b8a5c41e267247cd8e5e |
| SHA256 | 0ea942f39a7b594fd6e5d33865f9c090951c874287a622d27d72bf6ac582e706 |
| SHA512 | 00c6eafad70dd8028af18929ae1f1aadbfdd45c8d2963485e45b5fa810f1d08cdaecd8b3901290b994545e8b8a157ee65aaf89a11b69141c983360b7684f9899 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk127989.exe
| MD5 | 15e43842ef4f704e5b963ab2652a7199 |
| SHA1 | 5951b12fcf8b1dea046b68b2be0e59f1ba99753d |
| SHA256 | 8165422265d5c11b0b98c1e55deb0266432e1c5fa7905495346b15e9e1604000 |
| SHA512 | 32f137926119df36b5c2a4c2323264453a3206e94082738fa9f1a7182458089d14e84a13aaf89ec455ed53cf6b015f4604d18b75b1af0c16934c39b3c8d06467 |