Analysis Overview
SHA256
659ed428114d2a8cf1b492c95a46b371b1531c5acc0257cec4acc0b7aa1a671a
Threat Level: Known bad
The file 659ed428114d2a8cf1b492c95a46b371b1531c5acc0257cec4acc0b7aa1a671a was found to be: Known bad.
Malicious Activity Summary
Detects Healer, an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
Healer family
RedLine
RedLine payload
Redline family
Executes dropped EXE
Windows security modification
Adds Run key to start application
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 05:59
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 05:59
Reported
2024-11-11 06:02
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4485.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4485.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4485.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4485.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4485.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4485.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un221871.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4485.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4485.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4678.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4485.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4485.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\659ed428114d2a8cf1b492c95a46b371b1531c5acc0257cec4acc0b7aa1a671a.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un221871.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3412 set thread context of 3988 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4485.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4485.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\659ed428114d2a8cf1b492c95a46b371b1531c5acc0257cec4acc0b7aa1a671a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un221871.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4485.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4485.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4678.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4485.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4485.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4485.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4678.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\659ed428114d2a8cf1b492c95a46b371b1531c5acc0257cec4acc0b7aa1a671a.exe
"C:\Users\Admin\AppData\Local\Temp\659ed428114d2a8cf1b492c95a46b371b1531c5acc0257cec4acc0b7aa1a671a.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un221871.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un221871.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4485.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4485.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4485.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4485.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4678.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4678.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.209.201.84.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | | udp |
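Worked triage example, added here and not part of the sandbox report or of any vendor tooling: a Python script that re-reads the registry rows under "Modifies Windows Defender Real-time Protection settings", "Windows security modification" and "Adds Run key to start application" together with the Network table above, and turns them into findings. It encodes three judgements a reviewer makes when reading this report. First, the five Real-Time Protection Disable* = 1 values plus TamperProtection = 0 written by pro4485.exe are the Defender-disabling behaviour the Healer signature keys on; note that on a host where Tamper Protection is enforced, Defender ignores such registry writes, so success in the sandbox VM does not imply success on a managed endpoint. Second, the wextract_cleanup0/1 RunOnce entries are created by the IExpress/wextract self-extractor itself to delete its IXP00x.TMP staging directories at next logon (rundll32 advpack.dll,DelNodeRunDLL32); they remove the dropped files rather than relaunch them, so they signal a nested SFX package, not persistence. Third, the only non-resolver traffic is the repeated TCP session to 176.113.115.145:4125; the script counts those and drops the PTR (in-addr.arpa) lookups, which are background noise. The registry and network rows are copied from the report; the Run\Updater contrast row, the regexes, the category names and the "three disables plus tamper protection off" threshold are the author's own assumptions.

```python
"""Triage helper for the registry and network rows of the report above.

Added example, not part of the sandbox report and not vendor tooling.
Input rows are copied from the report (one contrast row is constructed);
regexes, category names and the "3 disables + tamper off" threshold are
the author's assumptions.
"""
import re
from collections import Counter

# Indicator column of the report's registry tables (last row constructed as a contrast case).
REGISTRY_ROWS = [
    r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"',
    r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"',
    r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"',
    r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"',
    r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"',
    r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"',
    r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""',
    # Constructed, not in the report: a Run entry that relaunches a dropped file (real persistence).
    r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Users\\Admin\\AppData\\Roaming\\svc.exe"',
]

# Network rows copied from the report: (country, destination, domain, proto).
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "228.249.119.40.in-addr.arpa", "udp"),
    ("RU", "176.113.115.145:4125", "", "tcp"),
    ("RU", "176.113.115.145:4125", "", "tcp"),
    ("US", "8.8.8.8:53", "72.209.201.84.in-addr.arpa", "udp"),
    ("RU", "176.113.115.145:4125", "", "tcp"),
]

RTP_RE = re.compile(r'\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\(\w+) = "(\d+)"$', re.I)
TAMPER_RE = re.compile(r'\\Windows Defender\\Features\\TamperProtection = "(\d+)"$', re.I)
AUTORUN_RE = re.compile(r'\\CurrentVersion\\(Run|RunOnce)\\([^\\ ]+) = "(.*)"$', re.I)
WEXTRACT_CLEANUP_RE = re.compile(r'^wextract_cleanup\d+$', re.I)
DELNODE_RE = re.compile(r'advpack\.dll,DelNodeRunDLL32', re.I)


def classify_registry(indicator):
    """Return (category, detail) for one 'Set value' indicator, or None if uninteresting."""
    m = RTP_RE.search(indicator)
    if m:
        name, value = m.group(1), m.group(2)
        # Every Real-Time Protection policy the dropper touches is a Disable* flag set to 1.
        if name.lower().startswith("disable") and value == "1":
            return ("defender_rtp_disabled", name)
        return ("defender_rtp_changed", f"{name}={value}")
    m = TAMPER_RE.search(indicator)
    if m:
        return ("tamper_protection_off" if m.group(1) == "0" else "tamper_protection_changed", m.group(1))
    m = AUTORUN_RE.search(indicator)
    if m:
        hive, name, command = m.groups()
        # wextract (IExpress) registers its own RunOnce entry to delete the IXP00x.TMP staging
        # directory via advpack!DelNodeRunDLL32; that removes the drop, it does not rerun it.
        if WEXTRACT_CLEANUP_RE.match(name) and DELNODE_RE.search(command):
            return ("wextract_selfclean", name)
        return ("autorun_persistence", f"{hive}\\{name}")
    return None


def network_candidates(rows):
    """Count connections per (country, endpoint, proto), dropping reverse-DNS (PTR) lookups
    to the resolver, which are background noise rather than sample-driven traffic."""
    counts = Counter()
    for country, dest, domain, proto in rows:
        if dest.endswith(":53") and domain.endswith(".in-addr.arpa"):
            continue
        counts[(country, dest, proto)] += 1
    return counts


def triage(registry_rows, network_rows):
    """Fold the rows into a findings dict a reviewer can act on."""
    counts, details = Counter(), {}
    for row in registry_rows:
        hit = classify_registry(row)
        if hit:
            counts[hit[0]] += 1
            details.setdefault(hit[0], []).append(hit[1])
    net = network_candidates(network_rows)
    return {
        "defender_rtp_disabled": details.get("defender_rtp_disabled", []),
        "tamper_protection_off": counts["tamper_protection_off"] > 0,
        "wextract_selfclean": details.get("wextract_selfclean", []),
        "autorun_persistence": details.get("autorun_persistence", []),
        "c2_candidates": {f"{dest}/{proto}": n for (_, dest, proto), n in net.most_common()},
        # Heuristic (assumption): several RTP disables plus tamper protection off = AV-disabler chain.
        "av_disabler_chain": counts["defender_rtp_disabled"] >= 3 and counts["tamper_protection_off"] > 0,
    }


if __name__ == "__main__":
    for key, value in triage(REGISTRY_ROWS, NETWORK_ROWS).items():
        print(f"{key}: {value}")
```

Running the script on the report's rows flags the AV-disabler chain, lists the five disabled Real-Time Protection policies, classifies wextract_cleanup0 as self-clean rather than persistence (only the constructed Run\Updater row lands in autorun_persistence), and reports 176.113.115.145:4125/tcp as the single C2 candidate. Forward DNS queries to the resolver are deliberately kept, since a lookup of a C2 domain would be an indicator; only PTR lookups are discarded.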
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un221871.exe
| MD5 | fa595d02a1e12f6f29917f91827478f0 |
| SHA1 | 2235843fec1799a7274bd8f361cf1fbb300a4307 |
| SHA256 | 829f24d7351a56ef7eba4bfb13c9ec6fc1775b4ed17ba70422ec0e420dcd5059 |
| SHA512 | dc44dcc2a6db23feb6c4bdaf269fd9bf3660277205ac960751237f67fc0122ccec53db3643a90c827ec049c6093390def8f1b2b98977f13de219b60adba6a057 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4485.exe
| MD5 | f1cedcd8d84a9fb0b2859dbbb92c9f70 |
| SHA1 | c31cd91c1fdf62ae91f73c57c6f13ae14cadda93 |
| SHA256 | 9bf9655346b3984e1f5c859c39776318f43d6d21fc38ffae64c6bc732ccca3ec |
| SHA512 | 5926987beb0be1e8e194ff629aa9576c0f971aa8ed41e78dc715c19d9b2c66e742d815ac66a4c3f7db7c325dc047b2b342e690f3da95187380ff0d3df88f1b5a |
memory/3412-15-0x0000000000720000-0x0000000000820000-memory.dmp
memory/3412-16-0x0000000000930000-0x000000000095E000-memory.dmp
memory/3988-17-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3988-19-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3988-20-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3988-22-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4678.exe
| MD5 | 881e2f431c396967071e295bb7e71ddb |
| SHA1 | d1fa9aaf59b94cd5d94e0bf09095534fca820410 |
| SHA256 | 2ab6793794f87e49409a65fa75ad3d3c935be3223a5c641aff7ef643dfdb650d |
| SHA512 | 62eaf38b38516ca818518bea1136b387c643d566b9f60bc1f4a8e1ad6e833be2f91c906b661db6cc1ebf7e371da058208074c2fa3f1c1f410de17d29b528afae |
memory/3988-27-0x0000000002290000-0x00000000022AA000-memory.dmp
memory/3988-28-0x0000000004B90000-0x0000000005134000-memory.dmp
memory/3988-29-0x0000000002520000-0x0000000002538000-memory.dmp
memory/336-30-0x0000000004A10000-0x0000000004A56000-memory.dmp
memory/3988-58-0x0000000002520000-0x0000000002532000-memory.dmp
memory/3988-56-0x0000000002520000-0x0000000002532000-memory.dmp
memory/336-59-0x0000000004A90000-0x0000000004AD4000-memory.dmp
memory/3988-54-0x0000000002520000-0x0000000002532000-memory.dmp
memory/3988-53-0x0000000002520000-0x0000000002532000-memory.dmp
memory/3988-50-0x0000000002520000-0x0000000002532000-memory.dmp
memory/3988-48-0x0000000002520000-0x0000000002532000-memory.dmp
memory/3988-46-0x0000000002520000-0x0000000002532000-memory.dmp
memory/3988-44-0x0000000002520000-0x0000000002532000-memory.dmp
memory/3988-42-0x0000000002520000-0x0000000002532000-memory.dmp
memory/3988-40-0x0000000002520000-0x0000000002532000-memory.dmp
memory/3988-38-0x0000000002520000-0x0000000002532000-memory.dmp
memory/3988-36-0x0000000002520000-0x0000000002532000-memory.dmp
memory/3988-34-0x0000000002520000-0x0000000002532000-memory.dmp
memory/3988-32-0x0000000002520000-0x0000000002532000-memory.dmp
memory/3988-31-0x0000000002520000-0x0000000002532000-memory.dmp
memory/336-86-0x0000000004A90000-0x0000000004ACF000-memory.dmp
memory/336-89-0x0000000004A90000-0x0000000004ACF000-memory.dmp
memory/336-87-0x0000000004A90000-0x0000000004ACF000-memory.dmp
memory/336-83-0x0000000004A90000-0x0000000004ACF000-memory.dmp
memory/336-81-0x0000000004A90000-0x0000000004ACF000-memory.dmp
memory/336-79-0x0000000004A90000-0x0000000004ACF000-memory.dmp
memory/336-77-0x0000000004A90000-0x0000000004ACF000-memory.dmp
memory/336-75-0x0000000004A90000-0x0000000004ACF000-memory.dmp
memory/336-73-0x0000000004A90000-0x0000000004ACF000-memory.dmp
memory/336-71-0x0000000004A90000-0x0000000004ACF000-memory.dmp
memory/336-69-0x0000000004A90000-0x0000000004ACF000-memory.dmp
memory/336-67-0x0000000004A90000-0x0000000004ACF000-memory.dmp
memory/336-65-0x0000000004A90000-0x0000000004ACF000-memory.dmp
memory/336-63-0x0000000004A90000-0x0000000004ACF000-memory.dmp
memory/336-61-0x0000000004A90000-0x0000000004ACF000-memory.dmp
memory/336-60-0x0000000004A90000-0x0000000004ACF000-memory.dmp
memory/336-966-0x0000000005190000-0x00000000057A8000-memory.dmp
memory/336-967-0x00000000057B0000-0x00000000058BA000-memory.dmp
memory/336-968-0x00000000058D0000-0x00000000058E2000-memory.dmp
memory/336-969-0x00000000058F0000-0x000000000592C000-memory.dmp
memory/336-970-0x0000000005A40000-0x0000000005A8C000-memory.dmp