Analysis Overview
SHA256
b9ed05ae790a1750b1c21cfd911dc0b46ecf1e5716c8721c23c007316fa7f2b8
Threat Level: Known bad
The file b9ed05ae790a1750b1c21cfd911dc0b46ecf1e5716c8721c23c007316fa7f2b8 was found to be: Known bad.
Malicious Activity Summary
Healer family
Redline family
RedLine
RedLine payload
Detects Healer, an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
Healer
Executes dropped EXE
Windows security modification
Adds Run key to start application
Launches sc.exe
System Location Discovery: System Language Discovery
Unsigned PE
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 02:57
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 02:57
Reported
2024-11-10 02:59
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7192.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7192.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7192.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7192.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7192.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7192.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un588297.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7192.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8824.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7192.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7192.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\b9ed05ae790a1750b1c21cfd911dc0b46ecf1e5716c8721c23c007316fa7f2b8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un588297.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7192.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b9ed05ae790a1750b1c21cfd911dc0b46ecf1e5716c8721c23c007316fa7f2b8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un588297.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7192.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8824.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7192.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7192.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7192.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8824.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b9ed05ae790a1750b1c21cfd911dc0b46ecf1e5716c8721c23c007316fa7f2b8.exe
"C:\Users\Admin\AppData\Local\Temp\b9ed05ae790a1750b1c21cfd911dc0b46ecf1e5716c8721c23c007316fa7f2b8.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un588297.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un588297.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7192.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7192.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4092 -ip 4092
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 1080
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8824.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8824.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un588297.exe
| MD5 | cc26998aea077b03bb79330fb90e43e7 |
| SHA1 | b6dc4e220b630184db1d4ba60c6df8d3db928f78 |
| SHA256 | f10711c3f4d5228c2532337327acef2d1a8e6ac966209732f8a0b592d0676bba |
| SHA512 | 21a86c906874ccb28e72af49d34b066306ae2ec1348d96f9cf5b845adf9b00cb744965a31a66db4aa6e7118839a200a45504353c26eb0fd04ac7fa07c08ad12a |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7192.exe
| MD5 | b3f9599696b7591c3ad085e4cc76a1e6 |
| SHA1 | f5427e6c499d0ed10be3dceb14ba60774561c231 |
| SHA256 | e4a9506564fd2e85d785ddc2cf35edc813d72632862c8a13c5dd3eb07888e610 |
| SHA512 | db1a86a3d42e12b0dbbdb049385229575216a0c05762a061af442323c5285c4d856b4631da5e8e52a3492bc9d036c4e06104e360d2551c7cb205cff2632dc4be |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8824.exe
| MD5 | 9e5970d1eb276a2b8003291784949327 |
| SHA1 | aa384c1d125516ead7b6f0c733a8e65bfef5377d |
| SHA256 | 5f2b09a2a9de086df53843c9fe1c51dcd61dedebf1c99078f301c619aab07106 |
| SHA512 | 041337bf27b93c180e75433f46cb3e68338ea3f164c4ed33d02be5a3bc29ea91344e6963d68039004a531ac345d81950e603802c7d1be5df03d0379b4344e3d6 |