Analysis Overview
SHA256
0edd92f99b8e37f70e51cbb215e88a88065ea0f690d0f0da9534bcb026eec3a0
Threat Level: Known bad
The file 0edd92f99b8e37f70e51cbb215e88a88065ea0f690d0f0da9534bcb026eec3a0 was found to be: Known bad.
Malicious Activity Summary
Detects Healer, an antivirus disabler dropper
Redline family
Healer family
Healer
RedLine
RedLine payload
Modifies Windows Defender Real-time Protection settings
Windows security modification
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 02:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 02:58
Reported
2024-11-10 03:00
Platform
win10v2004-20241007-en
Max time kernel
142s
Max time network
146s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2871121.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2871121.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2871121.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2871121.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2871121.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2871121.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2137351.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2871121.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3171284.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2871121.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2871121.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2137351.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\0edd92f99b8e37f70e51cbb215e88a88065ea0f690d0f0da9534bcb026eec3a0.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2871121.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3171284.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0edd92f99b8e37f70e51cbb215e88a88065ea0f690d0f0da9534bcb026eec3a0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2137351.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2871121.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2871121.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2871121.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\0edd92f99b8e37f70e51cbb215e88a88065ea0f690d0f0da9534bcb026eec3a0.exe | "C:\Users\Admin\AppData\Local\Temp\0edd92f99b8e37f70e51cbb215e88a88065ea0f690d0f0da9534bcb026eec3a0.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2137351.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2137351.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2871121.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2871121.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3171284.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3171284.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| CY | 217.196.96.102:4132 | | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.209.201.84.in-addr.arpa | udp |
| CY | 217.196.96.102:4132 | | tcp |
| CY | 217.196.96.102:4132 | | tcp |
| CY | 217.196.96.102:4132 | | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| CY | 217.196.96.102:4132 | | tcp |
| CY | 217.196.96.102:4132 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2137351.exe
| MD5 | f95ee13870f27cf895da55f023221d88 |
| SHA1 | 9a8f7677a97d2a01ab5a1517adb4a00a46d9a7aa |
| SHA256 | ed0a320a9091d45db495093f14471920a0ad0ed0c865c07589763b0030b2e186 |
| SHA512 | 21550721171e2b4f8859deb2a10af231d345d5b811a77cf079ef19dd1cd30f029957efe5473a90261f28ae1104962153dd13aa3f5b49b507799b9020a3a8c7da |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2871121.exe
| MD5 | f31eb988eed11f422fd60a79159a8de8 |
| SHA1 | 3dbcba5e4ac3b9b819fbd99193ec264cd451720d |
| SHA256 | 111ca55a1c933ae03d9f9669ef80e61c8c696046ddbbc3be7b3582c1b5af5bfc |
| SHA512 | d17543fff035e7c5a39bf2a73783c2082715e199c2737eca3b186b3b6752b5d080f2866531abac54690cbe596e45e1a14e9274d252a43c6a6d2e76ebe321b3b7 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3171284.exe
| MD5 | 9ecb4e5c1a46845735072d9652047d4d |
| SHA1 | 71d75ad8b1be178faa4c0122024819de90143aa6 |
| SHA256 | 0322fcdcbdd91a7dd063d718cbcaa2603cc43fa5f115c2e30d0537a7dc4c5dfa |
| SHA512 | 9f93fc61dec0d24207f9d938bab159fb0863d54e42a90b1fa7c78e750d3fe7ed8369f7f34404c248dec8867b3fa9ba5f64b56475526ca8c07c995088029efc01 |