Analysis Overview
SHA256
255107e224b7a8d681acb23fc33edbb21552100e7ed76b5f454611b553631f4a
Threat Level: Known bad
The file 255107e224b7a8d681acb23fc33edbb21552100e7ed76b5f454611b553631f4a was found to be: Known bad.
Malicious Activity Summary
Detects Healer an antivirus disabler dropper
RedLine
Healer family
Healer
RedLine payload
Redline family
Modifies Windows Defender Real-time Protection settings
Windows security modification
Executes dropped EXE
Adds Run key to start application
Program crash
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 02:54
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 02:54
Reported
2024-11-10 02:57
Platform
win10v2004-20241007-en
Max time kernel
143s
Max time network
147s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| 17 matches; per-match indicator, process and target were not captured in this export | | | |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5573461.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5573461.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5573461.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5573461.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5573461.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5573461.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5955564.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6361532.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3616890.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8211075.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5573461.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9958931.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5573461.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5573461.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8211075.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\255107e224b7a8d681acb23fc33edbb21552100e7ed76b5f454611b553631f4a.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5955564.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6361532.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3616890.exe | N/A |
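Two of the registry tables above need a practitioner's reading. The `Real-Time Protection` policy values and the `Features\TamperProtection = "0"` write (both by `a5573461.exe`, the Healer stage; the `WOW6432Node` path shows a 32-bit writer) are the Defender-disabling behaviour that makes Healer worth alerting on by itself; on a host with Tamper Protection enabled, Defender normally ignores these policy values and protects the `TamperProtection` value, but the write attempt is still a high-fidelity signal. The `RunOnce\wextract_cleanupN` entries, by contrast, are what every IExpress/wextract self-extracting executable writes so that its `%TEMP%\IXPnnn.TMP` directory is deleted at next logon; they are cleanup rather than persistence, and their real value is that each layer writes the entry for the directory it just extracted, which exposes the five-deep nesting of this dropper. The following is an added example, not part of the sandbox output, that classifies Sysmon Event ID 13 style registry writes (Image, TargetObject, Details) into those categories and rebuilds the unpack chain from the cleanup entries. The event records are constructed here from the report's paths; the `Updater` Run-key event is invented to exercise the persistence branch.

```python
"""Classify registry writes for the two patterns in this report: Defender
real-time-protection tampering and IExpress (wextract) cleanup RunOnce keys.

Added example, not part of the sandbox output. Events are constructed in the
shape of Sysmon Event ID 13 (value set): Image, TargetObject, Details. The
registry paths and process names are taken from the report; the "Updater"
Run-key event is invented here to show the persistence branch.
"""
import re
from collections import namedtuple

RegEvent = namedtuple("RegEvent", "image target_object details")

# Policy values that switch off a real-time protection component when set to 1.
RTP_DISABLE_VALUES = {
    "disablerealtimemonitoring", "disablebehaviormonitoring",
    "disableioavprotection", "disableonaccessprotection",
    "disablescanonrealtimeenable",
}
RTP_KEY_RE = re.compile(
    r"\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\(\w+)$", re.I)
TAMPER_RE = re.compile(
    r"\\Microsoft\\Windows Defender\\Features\\TamperProtection$", re.I)
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.I)
# IExpress self-extractors register exactly this command to delete their
# %TEMP%\IXPnnn.TMP directory at next logon; it is cleanup, not persistence.
CLEANUP_RE = re.compile(
    r'^rundll32\.exe C:\\Windows\\system32\\advpack\.dll,DelNodeRunDLL32 '
    r'"([^"]+\\IXP(\d{3})\.TMP\\)"$', re.I)


def _dword(details):
    """Parse Sysmon's 'DWORD (0x00000001)' rendering; None if not a DWORD."""
    m = re.search(r"DWORD \(0x([0-9a-f]{8})\)", details, re.I)
    return int(m.group(1), 16) if m else None


def classify(ev):
    """Tag one registry write, or return None if it matches no pattern."""
    m = RTP_KEY_RE.search(ev.target_object)
    if m and m.group(1).lower() in RTP_DISABLE_VALUES and _dword(ev.details) == 1:
        return "defender_rtp_disable"
    if TAMPER_RE.search(ev.target_object) and _dword(ev.details) == 0:
        return "defender_tamper_protection_off"
    m = RUN_KEY_RE.search(ev.target_object)
    if m:
        if (m.group(1).lower() == "runonce"
                and m.group(2).lower().startswith("wextract_cleanup")
                and CLEANUP_RE.match(ev.details)):
            return "iexpress_cleanup_runonce"
        return "run_key_persistence"
    return None


def drop_chain(events):
    """Order IExpress cleanup writes by layer index. Each SFX layer writes the
    RunOnce entry for the directory it just extracted, so (writer image,
    directory) pairs sorted by index give the parent -> child unpack chain."""
    layers = []
    for ev in events:
        if classify(ev) == "iexpress_cleanup_runonce":
            m = CLEANUP_RE.match(ev.details)
            layers.append((int(m.group(2)), ev.image, m.group(1)))
    return [(image, directory) for _, image, directory in sorted(layers)]


# --- constructed sample events (paths as reported by the sandbox) ----------
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
ROOT = TEMP + r"\255107e224b7a8d681acb23fc33edbb21552100e7ed76b5f454611b553631f4a.exe"
HEALER = TEMP + r"\IXP004.TMP\a5573461.exe"


def cleanup_cmd(n):
    return ('rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 '
            '"%s\\IXP%03d.TMP\\"' % (TEMP, n))


def runonce(name):
    return r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\%s" % name


SAMPLE_EVENTS = [
    RegEvent(HEALER, r"HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender"
                     r"\Real-Time Protection\DisableRealtimeMonitoring", "DWORD (0x00000001)"),
    RegEvent(HEALER, r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features"
                     r"\TamperProtection", "DWORD (0x00000000)"),
    RegEvent(ROOT, runonce("wextract_cleanup0"), cleanup_cmd(0)),
    RegEvent(TEMP + r"\IXP000.TMP\v5955564.exe", runonce("wextract_cleanup1"), cleanup_cmd(1)),
    RegEvent(TEMP + r"\IXP001.TMP\v6361532.exe", runonce("wextract_cleanup2"), cleanup_cmd(2)),
    RegEvent(TEMP + r"\IXP002.TMP\v3616890.exe", runonce("wextract_cleanup3"), cleanup_cmd(3)),
    RegEvent(TEMP + r"\IXP003.TMP\v8211075.exe", runonce("wextract_cleanup4"), cleanup_cmd(4)),
    # Invented persistence write (not from the report) to show the other branch.
    RegEvent(TEMP + r"\IXP004.TMP\b9958931.exe",
             r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
             r"C:\Users\Admin\AppData\Roaming\Updater.exe"),
]


def basename(path):
    return path.rsplit("\\", 1)[-1]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print("%-32s %s" % (classify(ev) or "-", basename(ev.image)))
    for image, directory in drop_chain(SAMPLE_EVENTS):
        print("%s -> %s" % (basename(image), directory))
```

Run stand-alone it prints one tag per event and then the chain root exe -> IXP000 -> IXP001 -> IXP002 -> IXP003 -> IXP004, which is the same nesting the `Processes` and `Files` sections show: four `v*.exe` wrapper layers and then the two payloads (`a5573461.exe`, `b9958931.exe`) in `IXP004.TMP`. In a real pipeline the `iexpress_cleanup_runonce` tag should suppress the generic "Run key added" alert and instead feed the chain depth into the score; five nested IExpress layers written from `%TEMP%` is itself unusual for legitimate installers.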
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5573461.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3616890.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8211075.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5573461.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9958931.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\255107e224b7a8d681acb23fc33edbb21552100e7ed76b5f454611b553631f4a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5955564.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6361532.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5573461.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5573461.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5573461.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\255107e224b7a8d681acb23fc33edbb21552100e7ed76b5f454611b553631f4a.exe
"C:\Users\Admin\AppData\Local\Temp\255107e224b7a8d681acb23fc33edbb21552100e7ed76b5f454611b553631f4a.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5955564.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5955564.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6361532.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6361532.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3616890.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3616890.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8211075.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8211075.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5573461.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5573461.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2520 -ip 2520
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 1088
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9958931.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9958931.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| CY | 217.196.96.56:4138 | | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| CY | 217.196.96.56:4138 | | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| CY | 217.196.96.56:4138 | | tcp |
| CY | 217.196.96.56:4138 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| CY | 217.196.96.56:4138 | | tcp |
| CY | 217.196.96.56:4138 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5955564.exe
| MD5 | 65f527c9b44bb9d628cf0556a4754082 |
| SHA1 | 12e0aeb835ea294555e10c571bbb2a29deccfa84 |
| SHA256 | c9c99ceace153541dbe80c8bc7340222c48d5e13c330bb1514f83e7bc10a69db |
| SHA512 | d81c32a4d7ca3b0fc3bf4f81cd35e6db36d7128c38299bc3c2c44864f6cb1f65e9705549d521c3b9c059bce721cfe539d127d2687cd0bbac9a707ef73874eb30 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6361532.exe
| MD5 | 5602f032b48cc9e9aec542f88b573b0c |
| SHA1 | 71746cdb3eff4792fb923aaf2cef7dbdc0974be0 |
| SHA256 | 0fbbbf192b8440d84d795ea1dcb12812b27159a87a8186f1ef61f2b09eb935e3 |
| SHA512 | 8ed440ce47606a16754ac47dfb0df678dca76840f5696034d44c3a87244ac32bdca3cc15abed653e621215390372c83652f449b0281a66f1167242ad1564bb29 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3616890.exe
| MD5 | 31b2f9bb25e8eb3e9be4ae30bb62a67f |
| SHA1 | 7e6798d68b563d431932d2dbbf4271b75a050d71 |
| SHA256 | eec8dfc2d81eb3165e15e1b68435edc1df8d0d1bb461c97429177679800f84dd |
| SHA512 | a07813cc09c3620c5c15cc83b1fb6c7489f3e9928e7de01ed08ac7db02812857b0779df676fab5037a04a1e7f7a52f053c5a1c84f6acf26ddead6216d438f429 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8211075.exe
| MD5 | d6cbbf0e7b8825ad7f1ca76523164932 |
| SHA1 | c9a058933fb5c82eb88c939aeb2511ddae5afe8a |
| SHA256 | 9e5053b873021bbadf0aefb3f7856736cf0fad1a22c384e1e309bf0794613e17 |
| SHA512 | 1a78e6008ef0f5b43a377dbba082b062135347e338fe991258a3c19f41b0d3f4bcd1c34b968082c3b9923726c6ca3502c61be20a37f4a7de6217fbe06f1507a2 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5573461.exe
| MD5 | 73fec908d143a40b90fdb8ca896138c6 |
| SHA1 | 0a4920659e3bfcb66b212a4bbf29d2146a1317df |
| SHA256 | 300dfbbc361d5a8e864513c7e1ba16cf229194406fc09934907c0b7b1e565728 |
| SHA512 | c7691597e167bae68a30b6fb08fe8d8ea931f8df340d37e58d373afb73448dc1f481e2468115600a525a9770f9030f0fca81a4afdbba2063fc9a0d9f022756a5 |
memory/2520-36-0x0000000002510000-0x000000000252A000-memory.dmp
memory/2520-37-0x0000000004E20000-0x00000000053C4000-memory.dmp
memory/2520-38-0x0000000004CB0000-0x0000000004CC8000-memory.dmp
memory/2520-56-0x0000000004CB0000-0x0000000004CC2000-memory.dmp
memory/2520-58-0x0000000004CB0000-0x0000000004CC2000-memory.dmp
memory/2520-66-0x0000000004CB0000-0x0000000004CC2000-memory.dmp
memory/2520-64-0x0000000004CB0000-0x0000000004CC2000-memory.dmp
memory/2520-62-0x0000000004CB0000-0x0000000004CC2000-memory.dmp
memory/2520-60-0x0000000004CB0000-0x0000000004CC2000-memory.dmp
memory/2520-54-0x0000000004CB0000-0x0000000004CC2000-memory.dmp
memory/2520-52-0x0000000004CB0000-0x0000000004CC2000-memory.dmp
memory/2520-50-0x0000000004CB0000-0x0000000004CC2000-memory.dmp
memory/2520-48-0x0000000004CB0000-0x0000000004CC2000-memory.dmp
memory/2520-46-0x0000000004CB0000-0x0000000004CC2000-memory.dmp
memory/2520-44-0x0000000004CB0000-0x0000000004CC2000-memory.dmp
memory/2520-42-0x0000000004CB0000-0x0000000004CC2000-memory.dmp
memory/2520-40-0x0000000004CB0000-0x0000000004CC2000-memory.dmp
memory/2520-39-0x0000000004CB0000-0x0000000004CC2000-memory.dmp
memory/2520-67-0x0000000000400000-0x00000000006F4000-memory.dmp
memory/2520-69-0x0000000000400000-0x00000000006F4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9958931.exe
| MD5 | 92462f6f89e9dc09eca7879f1aec04d4 |
| SHA1 | 64606f1fc42c6dae23593d7c3c580de32fa1dd4c |
| SHA256 | 5d8c880d18a819d70a4c2a4133e55259834afc0265694c5231fe4745c10f5cbf |
| SHA512 | 0e0eb7b7e55e8cc7f1be302638e117c5cb3a343dab3b1413cd536eee7dd947531187d8648cd6c501693bc186598a31326298a785f22c5b6f7487f10f341561c9 |
memory/1696-73-0x0000000000E10000-0x0000000000E40000-memory.dmp
memory/1696-74-0x00000000030C0000-0x00000000030C6000-memory.dmp
memory/1696-75-0x0000000005E90000-0x00000000064A8000-memory.dmp
memory/1696-76-0x00000000059A0000-0x0000000005AAA000-memory.dmp
memory/1696-77-0x00000000058D0000-0x00000000058E2000-memory.dmp
memory/1696-78-0x0000000005930000-0x000000000596C000-memory.dmp
memory/1696-79-0x0000000005AB0000-0x0000000005AFC000-memory.dmp