Analysis Overview
SHA256
befd0ca460bfb5adf544be7a35d3713fd0dfd83f6f41ff2d18e58484fc8f5f87
Threat Level: Known bad
The file befd0ca460bfb5adf544be7a35d3713fd0dfd83f6f41ff2d18e58484fc8f5f87 was found to be: Known bad.
Malicious Activity Summary
Detects Healer an antivirus disabler dropper
RedLine
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
Redline family
RedLine payload
Windows security modification
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 05:55
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 05:55
Reported
2024-11-11 05:58
Platform
win10v2004-20241007-en
Max time kernel
143s
Max time network
147s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw08zi41zb07.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw08zi41zb07.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw08zi41zb07.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw08zi41zb07.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw08zi41zb07.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw08zi41zb07.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vID7664zM.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw08zi41zb07.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tQP00OK23.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw08zi41zb07.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\21873ff139457de3499d5a4dee71530636bc23ac91a4d5b0ba54a2467ce67384.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vID7664zM.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\21873ff139457de3499d5a4dee71530636bc23ac91a4d5b0ba54a2467ce67384.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vID7664zM.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tQP00OK23.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw08zi41zb07.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw08zi41zb07.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw08zi41zb07.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tQP00OK23.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\21873ff139457de3499d5a4dee71530636bc23ac91a4d5b0ba54a2467ce67384.exe
"C:\Users\Admin\AppData\Local\Temp\21873ff139457de3499d5a4dee71530636bc23ac91a4d5b0ba54a2467ce67384.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vID7664zM.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vID7664zM.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw08zi41zb07.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw08zi41zb07.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tQP00OK23.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tQP00OK23.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| RU | 193.233.20.24:4123 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vID7664zM.exe
| MD5 | 3962d03a05b515ae3f939e16d47b0aae |
| SHA1 | e3fc0a6f5eb139319ce9885bb17ad3a3b687eab4 |
| SHA256 | 37bf7c8d53fda05cc721ad9bab5694abe4abd10b839a1b1f256e3eb8bdbc08b8 |
| SHA512 | 49818c2e6dd36e47f842eeb80375c32c016509afb9d9854c69b043ae64893c27ebd703754f241e3eff8458b4edc0c00393d252bf8d0231e7843c18a63b6122d8 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw08zi41zb07.exe
| MD5 | 71a0f2ad74e9f1e6b4d97d37b332421b |
| SHA1 | 9beac6ca08d9049647cc8c16a465f615766d5971 |
| SHA256 | b03dc861feaef3aae851e0adc086fd19afaaf51255217652319d9abd77cb6662 |
| SHA512 | b183496eb9402d08ba9a8a5913b6e1d24275acae041d7260472839f120c6bc8d13a1e53a4f8dceacf9288b608acc3e35b138c90ef9e34ecc91598dfd71d75ff1 |
memory/3260-14-0x00007FF8025F3000-0x00007FF8025F5000-memory.dmp
memory/3260-15-0x0000000000310000-0x000000000031A000-memory.dmp
memory/3260-16-0x00007FF8025F3000-0x00007FF8025F5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tQP00OK23.exe
| MD5 | a1f3354a99b35edf172a95b90afbc9b1 |
| SHA1 | 8b02f77b82ec8b005aacb5bd87f50f6ceee0052f |
| SHA256 | 2565aca55567f1c548f5135c387bdc75999836cb072d0896c040947bef8e852a |
| SHA512 | f189af079f9f9de1861b03a2e15c9dac741929cdb115937973270e9ffbf65e64b2a19ebc277f1f9aa10a42e4f83abed0a5c9bb4bfc86c66102c09575771ef40e |
memory/1100-22-0x00000000022A0000-0x00000000022E6000-memory.dmp
memory/1100-23-0x0000000004BD0000-0x0000000005174000-memory.dmp
memory/1100-24-0x0000000004B70000-0x0000000004BB4000-memory.dmp
memory/1100-80-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/1100-88-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/1100-86-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/1100-84-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/1100-82-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/1100-78-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/1100-76-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/1100-74-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/1100-72-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/1100-70-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/1100-68-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/1100-66-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/1100-62-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/1100-60-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/1100-58-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/1100-56-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/1100-54-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/1100-50-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/1100-48-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/1100-46-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/1100-44-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/1100-42-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/1100-40-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/1100-38-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/1100-36-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/1100-34-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/1100-64-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/1100-52-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/1100-32-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/1100-30-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/1100-28-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/1100-26-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/1100-25-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/1100-931-0x00000000052F0000-0x0000000005908000-memory.dmp
memory/1100-932-0x0000000005990000-0x0000000005A9A000-memory.dmp
memory/1100-933-0x0000000005AD0000-0x0000000005AE2000-memory.dmp
memory/1100-934-0x0000000005AF0000-0x0000000005B2C000-memory.dmp
memory/1100-935-0x0000000005C40000-0x0000000005C8C000-memory.dmp