Analysis Overview
SHA256
44f61c26dd0341833cb0ef8f954b80d0c24b688c7c49b5946376d68858be54d5
Threat Level: Known bad
The file 44f61c26dd0341833cb0ef8f954b80d0c24b688c7c49b5946376d68858be54d5 was found to be: Known bad.
Malicious Activity Summary
Detects Healer an antivirus disabler dropper
RedLine payload
Healer family
Redline family
Healer
Modifies Windows Defender Real-time Protection settings
RedLine
Windows security modification
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 05:54
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 05:54
Reported
2024-11-11 05:57
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw57sZ35IK53.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw57sZ35IK53.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw57sZ35IK53.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw57sZ35IK53.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw57sZ35IK53.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw57sZ35IK53.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(36 hits recorded for this signature, none with indicator, process or target detail)
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vao2063gy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw57sZ35IK53.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tjz36Ma71.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw57sZ35IK53.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\44f61c26dd0341833cb0ef8f954b80d0c24b688c7c49b5946376d68858be54d5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vao2063gy.exe | N/A |
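The three registry tables above (Real-Time Protection policy writes, the TamperProtection write, and the two RunOnce entries) are the behavioural core of this report, so here is an added triage routine that is not part of the sandbox report or of the Healer/RedLine samples. It classifies each "Set value" event, labels the process that both writes TamperProtection=0 and disables real-time protection by policy as the AV disabler, and rebuilds the self-extractor chain from the RunOnce cleanup entries: each WExtract/IExpress stage registers a `DelNodeRunDLL32` cleanup of the IXPnnn.TMP folder it extracted into, and a stage whose own path lies inside the previous stage's folder is a nested self-extractor. The sample events are transcribed from the tables above (RunOnce data shown unescaped here; the report prints it with doubled backslashes); the category names and the port of the Python rules are the author's own.

```python
"""Triage of the registry writes listed in this report (added example)."""
import re

TMP = r"C:\Users\Admin\AppData\Local\Temp"
ROOT_EXE = TMP + r"\44f61c26dd0341833cb0ef8f954b80d0c24b688c7c49b5946376d68858be54d5.exe"
STAGE1_EXE = TMP + r"\IXP000.TMP\vao2063gy.exe"
HEALER_EXE = TMP + r"\IXP001.TMP\sw57sZ35IK53.exe"
RTP_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
RUNONCE = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"

# (key path, data, writing process), transcribed from the report's tables.
SAMPLE_EVENTS = [
    (RTP_KEY + r"\DisableBehaviorMonitoring", "1", HEALER_EXE),
    (RTP_KEY + r"\DisableIOAVProtection", "1", HEALER_EXE),
    (RTP_KEY + r"\DisableOnAccessProtection", "1", HEALER_EXE),
    (RTP_KEY + r"\DisableRealtimeMonitoring", "1", HEALER_EXE),
    (RTP_KEY + r"\DisableScanOnRealtimeEnable", "1", HEALER_EXE),
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection", "0", HEALER_EXE),
    (RUNONCE + r"\wextract_cleanup0",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "' + TMP + r'\IXP000.TMP\"', ROOT_EXE),
    (RUNONCE + r"\wextract_cleanup1",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "' + TMP + r'\IXP001.TMP\"', STAGE1_EXE),
]

# Detection rules (author's own): policy-based RTP disablement, TamperProtection
# write, and WExtract-style RunOnce cleanup with the folder it will delete.
RTP_DISABLE_RE = re.compile(re.escape(RTP_KEY) + r"\\(Disable\w+)$", re.IGNORECASE)
TAMPER_RE = re.compile(r"\\Windows Defender\\Features\\TamperProtection$", re.IGNORECASE)
WEXTRACT_RE = re.compile(r"\\RunOnce\\wextract_cleanup\d+$", re.IGNORECASE)
DELNODE_RE = re.compile(r'advpack\.dll,DelNodeRunDLL32\s+"([^"]+?)\\?"', re.IGNORECASE)


def classify(key_path, data):
    """Return (category, detail) for one registry write, or None if uninteresting."""
    m = RTP_DISABLE_RE.match(key_path)
    if m and data.strip() == "1":
        return "defender_rtp_policy_disable", m.group(1)
    if TAMPER_RE.search(key_path) and data.strip() == "0":
        return "defender_tamper_protection_off", "TamperProtection=0"
    if WEXTRACT_RE.search(key_path):
        d = DELNODE_RE.search(data)
        return "wextract_sfx_cleanup", (d.group(1) if d else data)
    return None


def triage(events):
    """Group hits by writing process: {process: {category: [detail, ...]}}."""
    out = {}
    for key_path, data, process in events:
        hit = classify(key_path, data)
        if hit:
            cat, detail = hit
            out.setdefault(process, {}).setdefault(cat, []).append(detail)
    return out


def verdicts(summary):
    """One label per process. RTP policy disablement plus a TamperProtection=0 write
    is the AV-disabler pattern; a RunOnce DelNode entry marks a self-extractor stage."""
    v = {}
    for proc, cats in summary.items():
        if "defender_rtp_policy_disable" in cats:
            v[proc] = ("av_disabler" if "defender_tamper_protection_off" in cats
                       else "defender_policy_tamper")
        elif "wextract_sfx_cleanup" in cats:
            v[proc] = "self_extractor_stage"
    return v


def extraction_chain(summary):
    """[(process, temp folder it scheduled for deletion)] in write order."""
    return [(proc, d) for proc, cats in summary.items()
            for d in cats.get("wextract_sfx_cleanup", [])]


def is_nested(chain):
    """True when every stage after the first runs from the folder the previous stage dropped."""
    return all(chain[i][0].lower().startswith(chain[i - 1][1].lower() + "\\")
               for i in range(1, len(chain)))


if __name__ == "__main__":
    s = triage(SAMPLE_EVENTS)
    for proc, label in verdicts(s).items():
        print(label, proc)
    chain = extraction_chain(s)
    print("nested SFX chain" if is_nested(chain) else "independent stages", chain)
```

One caveat when reading the result: on a host where Tamper Protection is enforced, the policy writes under Real-Time Protection and the write to Features\TamperProtection are expected to be ignored by Defender, so the registry write itself is the detection signal; the report does not show whether real-time protection actually stopped.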
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\44f61c26dd0341833cb0ef8f954b80d0c24b688c7c49b5946376d68858be54d5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vao2063gy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tjz36Ma71.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw57sZ35IK53.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw57sZ35IK53.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw57sZ35IK53.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tjz36Ma71.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\44f61c26dd0341833cb0ef8f954b80d0c24b688c7c49b5946376d68858be54d5.exe
"C:\Users\Admin\AppData\Local\Temp\44f61c26dd0341833cb0ef8f954b80d0c24b688c7c49b5946376d68858be54d5.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vao2063gy.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vao2063gy.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw57sZ35IK53.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw57sZ35IK53.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tjz36Ma71.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tjz36Ma71.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | | tcp |
| RU | 193.233.20.24:4123 | | tcp |
| RU | 193.233.20.24:4123 | | tcp |
| RU | 193.233.20.24:4123 | | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | | tcp |
| RU | 193.233.20.24:4123 | | tcp |
| US | 8.8.8.8:53 | | udp |
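The Network table mixes two kinds of traffic: PTR lookups of a handful of addresses through 8.8.8.8, and six TCP sessions to one host on a non-standard port. The following added routine (not part of the sandbox report) separates them: it turns each in-addr.arpa name back into the address that was looked up and reports repeated TCP sessions to a host on a port outside the usual DNS/web set as candidate C2 endpoints. The rows are transcribed from the table above; the port allow-list and the "candidate" heuristic are the author's own. Note that the table does not record which process generated each flow, so the reverse lookups cannot be attributed to the sample from this report alone; PTR queries of a few addresses are common OS and sandbox background noise, and the repeated sessions to 193.233.20.24:4123 are the stronger indicator.

```python
"""Network-table triage: reverse-DNS noise versus candidate C2 traffic (added example)."""
import ipaddress
from collections import Counter

# (country, destination, domain, protocol), transcribed from the report's Network table.
SAMPLE_NETWORK = [
    ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "133.211.185.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "172.214.232.199.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "23.159.190.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("RU", "193.233.20.24:4123", "", "tcp"),
    ("RU", "193.233.20.24:4123", "", "tcp"),
    ("RU", "193.233.20.24:4123", "", "tcp"),
    ("RU", "193.233.20.24:4123", "", "tcp"),
    ("US", "8.8.8.8:53", "21.236.111.52.in-addr.arpa", "udp"),
    ("RU", "193.233.20.24:4123", "", "tcp"),
    ("RU", "193.233.20.24:4123", "", "tcp"),
    ("US", "8.8.8.8:53", "", "udp"),
]

# Ports that do not on their own make a destination interesting (author's choice).
COMMON_PORTS = frozenset({53, 80, 443})


def ptr_to_ip(name):
    """'133.211.185.52.in-addr.arpa' -> '52.185.211.133'; None for anything else."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    labels = name[:-len(suffix)].split(".")
    if len(labels) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    except ipaddress.AddressValueError:
        return None


def split_endpoint(endpoint):
    """'193.233.20.24:4123' -> ('193.233.20.24', 4123)."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def triage_network(rows, common_ports=COMMON_PORTS):
    """Return the addresses looked up via PTR and the TCP endpoints worth a second look."""
    reverse_lookups = []
    sessions = Counter()
    for country, dest, domain, proto in rows:
        ip = ptr_to_ip(domain)
        if ip is not None:
            reverse_lookups.append(ip)
        if proto == "tcp":
            sessions[(split_endpoint(dest), country)] += 1
    candidates = [
        {"ip": host, "port": port, "country": country, "sessions": n}
        for ((host, port), country), n in sessions.items() if port not in common_ports
    ]
    candidates.sort(key=lambda c: -c["sessions"])
    return {"reverse_lookups": reverse_lookups, "c2_candidates": candidates}


def ioc_lines(result):
    """Flat 'ip:port/tcp (N sessions)' strings for a blocklist or hunting query."""
    return ["%s:%d/tcp (%d sessions)" % (c["ip"], c["port"], c["sessions"])
            for c in result["c2_candidates"]]


if __name__ == "__main__":
    r = triage_network(SAMPLE_NETWORK)
    print("PTR lookups for:", ", ".join(r["reverse_lookups"]))
    print("candidate C2:", *ioc_lines(r), sep="\n  ")
```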
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vao2063gy.exe
| MD5 | f01f75f093e4ad59a1fc1f76d2429ce1 |
| SHA1 | 377f06bc887a632c3061c6b3bed2f3fc15bd7dac |
| SHA256 | 22680ba56b520e91fffd42624e313e560590803670a76a7d5c3b74de1ba37dde |
| SHA512 | bce7a21fbcfcd8a1b13dc328f22c9cde983fed1fe92ec51c87afbf25a408e9bd86f485872a5d208002e5d6c5d5d950a6bc2c043528a23a0b87b275bf90f2f88c |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw57sZ35IK53.exe
| MD5 | c06e8fc8b2b9f21084980b8621f9a46d |
| SHA1 | 94ad6eb6c6b4942d35314e46aff6aea303578157 |
| SHA256 | 10674d484ac908a7542e17cea589cc2b7d2900eaf178097605e56e3209c83d69 |
| SHA512 | 1a34cd3d09de7a33c69490ff72c3e9032004d4f74996181fbbdff1650fe0a86f2619c4f16be981e135c20d21eac5d2474ed76263f4a122971ea9bf5399aea280 |
memory/3124-14-0x00007FFE63BE3000-0x00007FFE63BE5000-memory.dmp
memory/3124-15-0x0000000000D90000-0x0000000000D9A000-memory.dmp
memory/3124-16-0x00007FFE63BE3000-0x00007FFE63BE5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tjz36Ma71.exe
| MD5 | 049b7e9c3b3777fd130ad01127cd8268 |
| SHA1 | 7f56ea5b4e7029a2da226d899ddfce99ff960e0f |
| SHA256 | aff2553c6b6d9a7f84838eb4a2b47cbb3891e122ba04e305c020e68b27847b68 |
| SHA512 | d89cdb1b58ceb4d9b83ab498fc69e5c423b9f44ea2eb24a07b860a6594462899cb1d08e5427dd57473fa2b15d233744f7f7e9fd5f7ae082387a0072c278e0aa1 |
memory/2552-22-0x0000000004BE0000-0x0000000004C26000-memory.dmp
memory/2552-23-0x0000000007340000-0x00000000078E4000-memory.dmp
memory/2552-24-0x0000000004E40000-0x0000000004E84000-memory.dmp
memory/2552-28-0x0000000004E40000-0x0000000004E7E000-memory.dmp
memory/2552-48-0x0000000004E40000-0x0000000004E7E000-memory.dmp
memory/2552-88-0x0000000004E40000-0x0000000004E7E000-memory.dmp
memory/2552-86-0x0000000004E40000-0x0000000004E7E000-memory.dmp
memory/2552-82-0x0000000004E40000-0x0000000004E7E000-memory.dmp
memory/2552-80-0x0000000004E40000-0x0000000004E7E000-memory.dmp
memory/2552-78-0x0000000004E40000-0x0000000004E7E000-memory.dmp
memory/2552-77-0x0000000004E40000-0x0000000004E7E000-memory.dmp
memory/2552-74-0x0000000004E40000-0x0000000004E7E000-memory.dmp
memory/2552-73-0x0000000004E40000-0x0000000004E7E000-memory.dmp
memory/2552-70-0x0000000004E40000-0x0000000004E7E000-memory.dmp
memory/2552-68-0x0000000004E40000-0x0000000004E7E000-memory.dmp
memory/2552-66-0x0000000004E40000-0x0000000004E7E000-memory.dmp
memory/2552-64-0x0000000004E40000-0x0000000004E7E000-memory.dmp
memory/2552-62-0x0000000004E40000-0x0000000004E7E000-memory.dmp
memory/2552-60-0x0000000004E40000-0x0000000004E7E000-memory.dmp
memory/2552-58-0x0000000004E40000-0x0000000004E7E000-memory.dmp
memory/2552-56-0x0000000004E40000-0x0000000004E7E000-memory.dmp
memory/2552-54-0x0000000004E40000-0x0000000004E7E000-memory.dmp
memory/2552-52-0x0000000004E40000-0x0000000004E7E000-memory.dmp
memory/2552-46-0x0000000004E40000-0x0000000004E7E000-memory.dmp
memory/2552-44-0x0000000004E40000-0x0000000004E7E000-memory.dmp
memory/2552-42-0x0000000004E40000-0x0000000004E7E000-memory.dmp
memory/2552-40-0x0000000004E40000-0x0000000004E7E000-memory.dmp
memory/2552-38-0x0000000004E40000-0x0000000004E7E000-memory.dmp
memory/2552-36-0x0000000004E40000-0x0000000004E7E000-memory.dmp
memory/2552-34-0x0000000004E40000-0x0000000004E7E000-memory.dmp
memory/2552-32-0x0000000004E40000-0x0000000004E7E000-memory.dmp
memory/2552-30-0x0000000004E40000-0x0000000004E7E000-memory.dmp
memory/2552-84-0x0000000004E40000-0x0000000004E7E000-memory.dmp
memory/2552-50-0x0000000004E40000-0x0000000004E7E000-memory.dmp
memory/2552-26-0x0000000004E40000-0x0000000004E7E000-memory.dmp
memory/2552-25-0x0000000004E40000-0x0000000004E7E000-memory.dmp
memory/2552-931-0x00000000078F0000-0x0000000007F08000-memory.dmp
memory/2552-932-0x0000000007F10000-0x000000000801A000-memory.dmp
memory/2552-933-0x0000000004FA0000-0x0000000004FB2000-memory.dmp
memory/2552-934-0x0000000008020000-0x000000000805C000-memory.dmp
memory/2552-935-0x0000000008160000-0x00000000081AC000-memory.dmp