Analysis Overview
SHA256
0ac0d148918b3cd9f2d43c3c9d78b980c81dd23b73906cb5ea78a75ffbb19700
Threat Level: Known bad
The file 0ac0d148918b3cd9f2d43c3c9d78b980c81dd23b73906cb5ea78a75ffbb19700 was found to be: Known bad.
Malicious Activity Summary
Healer family
Healer
Redline family
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine payload
Detects Healer, an antivirus disabler dropper
Executes dropped EXE
Windows security modification
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 06:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 06:47
Reported
2024-11-11 06:49
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a98532674.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a98532674.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a98532674.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a98532674.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a98532674.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a98532674.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07930430.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i41481659.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i58734986.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i09453305.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a98532674.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b04622328.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a98532674.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a98532674.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07930430.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i41481659.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i58734986.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i09453305.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\0ac0d148918b3cd9f2d43c3c9d78b980c81dd23b73906cb5ea78a75ffbb19700.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i58734986.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i09453305.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a98532674.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b04622328.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0ac0d148918b3cd9f2d43c3c9d78b980c81dd23b73906cb5ea78a75ffbb19700.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07930430.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i41481659.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a98532674.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a98532674.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\0ac0d148918b3cd9f2d43c3c9d78b980c81dd23b73906cb5ea78a75ffbb19700.exe | "C:\Users\Admin\AppData\Local\Temp\0ac0d148918b3cd9f2d43c3c9d78b980c81dd23b73906cb5ea78a75ffbb19700.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07930430.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07930430.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i41481659.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i41481659.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i58734986.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i58734986.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i09453305.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i09453305.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a98532674.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a98532674.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b04622328.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b04622328.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | N/A | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07930430.exe
| MD5 | 7db1ac7c2f9d84fe7b11df33d9b65259 |
| SHA1 | ff41dfc211fbf4239dda95c705e6d479006cb402 |
| SHA256 | a81fdc3be528b464d464b74542d690ecd502ac503788c495c1c60f5526a192cd |
| SHA512 | 6b348156e4965a082e812ea952f5d68ddb1afb7be14c6b33facf580ece1a73a352a20a5f58f13456b748edee6a9c73ebb130ac9f704cf99374e2a72c00d2bd59 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i41481659.exe
| MD5 | b425b4a9f016d95cddc22b8e6543deb6 |
| SHA1 | a0b49db5b5e17a8add44d3b3eeb3fdab03659858 |
| SHA256 | 6ffb2299ae539c576f6ba0cdbad6062151aa0745c720f3ff39ab123cf802c313 |
| SHA512 | 302d06fab11fb6ad2a5ca233c782b3cffeba3c5ace9ceef68cb0d081ada79113ca88a21cdf1e4230c23164cbf67d88da2f40b2e5662e62d1ae31722ab8b88b21 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i58734986.exe
| MD5 | fa5c4cc610eb9b882dd49d57c91e856f |
| SHA1 | 169442ac3feb1988ff88b9e5dfbbb1ff634f6ad3 |
| SHA256 | dfab72691cbfd39913f7694be89071b3dc98c1873b95855b42c1f1191fca1ccb |
| SHA512 | 4d84ad07e051c84305194f086c9358f21b1615f78cd5c6a64d4e3cb69cf7f27336d6cea7027eaad2ad96e9b96f78378a9038df62053099dfa6b97608c4a75513 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i09453305.exe
| MD5 | cdfb76668c1a0de0e545275331661b73 |
| SHA1 | 7b96af1982fd27323468a5f74345c2de046a734a |
| SHA256 | 0dea7ae46714df770e3674c6ae78f5f93abe886b0b45f0df02cfd694e356a415 |
| SHA512 | bb5cdeff4fe687f746b63203b0e15ed6ce97dc6c8731640458d4872dbd9271573c9f21de46511dd019b75373546acd989ab76c34d4fd2ba4d5059138097e01f6 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a98532674.exe
| MD5 | 0e70e336b50840a9ddc7817fc0caf63b |
| SHA1 | 1666ebb4448cecb7a21f32b340441878f1fb720e |
| SHA256 | 0b96476ad431e92c5e7121f2d6cfae50d05f5eef14ba878f0d9550567e15ad70 |
| SHA512 | 0c7b5b78575005bf600f069eca4e570f8b2b00f24b8594ea1032c1c77b7a8c03c11acc5dbcd8d2fc39775db020363696de8033a9fccf020a9ac8d7f36dad376e |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b04622328.exe
| MD5 | fb50afd3a9e83d1ce7932914cf8e3534 |
| SHA1 | fd996173a34c311485b4a9671d6fde3392ae2843 |
| SHA256 | 498842af0fbff25318307ae68f5e0afbd2dc067e37d871b8dd5834592a36c720 |
| SHA512 | f0efa77feb8bb33c556b61d20e3598ed1271366b587ff449de3455a544b9bd2673548a4ccc5e87164a7c47001b7ecd2ae353ec507ef10794fdb2bee26513f6ab |