Analysis Overview
SHA256
0edd92f99b8e37f70e51cbb215e88a88065ea0f690d0f0da9534bcb026eec3a0
Threat Level: Known bad
The file 0edd92f99b8e37f70e51cbb215e88a88065ea0f690d0f0da9534bcb026eec3a0 was found to be: Known bad.
Malicious Activity Summary
Healer family
Detects Healer an antivirus disabler dropper
RedLine payload
RedLine
Redline family
Modifies Windows Defender Real-time Protection settings
Healer
Executes dropped EXE
Windows security modification
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 02:54
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 02:54
Reported
2024-11-10 02:57
Platform
win10v2004-20241007-en
Max time kernel
142s
Max time network
150s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2871121.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2871121.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2871121.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2871121.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2871121.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2871121.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2137351.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2871121.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3171284.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2871121.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2871121.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\0edd92f99b8e37f70e51cbb215e88a88065ea0f690d0f0da9534bcb026eec3a0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2137351.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0edd92f99b8e37f70e51cbb215e88a88065ea0f690d0f0da9534bcb026eec3a0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2137351.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2871121.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3171284.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2871121.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2871121.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2871121.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0edd92f99b8e37f70e51cbb215e88a88065ea0f690d0f0da9534bcb026eec3a0.exe
"C:\Users\Admin\AppData\Local\Temp\0edd92f99b8e37f70e51cbb215e88a88065ea0f690d0f0da9534bcb026eec3a0.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2137351.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2137351.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2871121.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2871121.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3171284.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3171284.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| CY | 217.196.96.102:4132 | N/A | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| CY | 217.196.96.102:4132 | N/A | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.209.201.84.in-addr.arpa | udp |
| CY | 217.196.96.102:4132 | N/A | tcp |
| CY | 217.196.96.102:4132 | N/A | tcp |
| CY | 217.196.96.102:4132 | N/A | tcp |
| CY | 217.196.96.102:4132 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2137351.exe
| MD5 | f95ee13870f27cf895da55f023221d88 |
| SHA1 | 9a8f7677a97d2a01ab5a1517adb4a00a46d9a7aa |
| SHA256 | ed0a320a9091d45db495093f14471920a0ad0ed0c865c07589763b0030b2e186 |
| SHA512 | 21550721171e2b4f8859deb2a10af231d345d5b811a77cf079ef19dd1cd30f029957efe5473a90261f28ae1104962153dd13aa3f5b49b507799b9020a3a8c7da |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2871121.exe
| MD5 | f31eb988eed11f422fd60a79159a8de8 |
| SHA1 | 3dbcba5e4ac3b9b819fbd99193ec264cd451720d |
| SHA256 | 111ca55a1c933ae03d9f9669ef80e61c8c696046ddbbc3be7b3582c1b5af5bfc |
| SHA512 | d17543fff035e7c5a39bf2a73783c2082715e199c2737eca3b186b3b6752b5d080f2866531abac54690cbe596e45e1a14e9274d252a43c6a6d2e76ebe321b3b7 |
memory/2840-14-0x00000000742FE000-0x00000000742FF000-memory.dmp
memory/2840-15-0x00000000049F0000-0x0000000004A0A000-memory.dmp
memory/2840-16-0x00000000742F0000-0x0000000074AA0000-memory.dmp
memory/2840-18-0x0000000005080000-0x0000000005098000-memory.dmp
memory/2840-17-0x0000000004A80000-0x0000000005024000-memory.dmp
memory/2840-19-0x00000000742F0000-0x0000000074AA0000-memory.dmp
memory/2840-20-0x00000000742F0000-0x0000000074AA0000-memory.dmp
memory/2840-47-0x0000000005080000-0x0000000005092000-memory.dmp
memory/2840-48-0x0000000005080000-0x0000000005092000-memory.dmp
memory/2840-44-0x0000000005080000-0x0000000005092000-memory.dmp
memory/2840-42-0x0000000005080000-0x0000000005092000-memory.dmp
memory/2840-40-0x0000000005080000-0x0000000005092000-memory.dmp
memory/2840-38-0x0000000005080000-0x0000000005092000-memory.dmp
memory/2840-36-0x0000000005080000-0x0000000005092000-memory.dmp
memory/2840-34-0x0000000005080000-0x0000000005092000-memory.dmp
memory/2840-32-0x0000000005080000-0x0000000005092000-memory.dmp
memory/2840-30-0x0000000005080000-0x0000000005092000-memory.dmp
memory/2840-28-0x0000000005080000-0x0000000005092000-memory.dmp
memory/2840-26-0x0000000005080000-0x0000000005092000-memory.dmp
memory/2840-24-0x0000000005080000-0x0000000005092000-memory.dmp
memory/2840-22-0x0000000005080000-0x0000000005092000-memory.dmp
memory/2840-21-0x0000000005080000-0x0000000005092000-memory.dmp
memory/2840-49-0x00000000742FE000-0x00000000742FF000-memory.dmp
memory/2840-50-0x00000000742F0000-0x0000000074AA0000-memory.dmp
memory/2840-52-0x00000000742F0000-0x0000000074AA0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3171284.exe
| MD5 | 9ecb4e5c1a46845735072d9652047d4d |
| SHA1 | 71d75ad8b1be178faa4c0122024819de90143aa6 |
| SHA256 | 0322fcdcbdd91a7dd063d718cbcaa2603cc43fa5f115c2e30d0537a7dc4c5dfa |
| SHA512 | 9f93fc61dec0d24207f9d938bab159fb0863d54e42a90b1fa7c78e750d3fe7ed8369f7f34404c248dec8867b3fa9ba5f64b56475526ca8c07c995088029efc01 |
memory/4872-56-0x00000000002E0000-0x000000000030E000-memory.dmp
memory/4872-57-0x0000000004AC0000-0x0000000004AC6000-memory.dmp
memory/4872-58-0x000000000A710000-0x000000000AD28000-memory.dmp
memory/4872-59-0x000000000A290000-0x000000000A39A000-memory.dmp
memory/4872-60-0x000000000A1C0000-0x000000000A1D2000-memory.dmp
memory/4872-61-0x000000000A220000-0x000000000A25C000-memory.dmp
memory/4872-62-0x0000000002450000-0x000000000249C000-memory.dmp