Analysis Overview
SHA256
136c893af9ca0ff250c4d5cfc022c4f0976641a83fdf4e00a6e9cbba7c7424b7
Threat Level: Known bad
The file 136c893af9ca0ff250c4d5cfc022c4f0976641a83fdf4e00a6e9cbba7c7424b7 was found to be: Known bad.
Malicious Activity Summary
Healer
Redline family
Detects Healer an antivirus disabler dropper
Healer family
RedLine payload
RedLine
Modifies Windows Defender Real-time Protection settings
Executes dropped EXE
Windows security modification
Adds Run key to start application
System Location Discovery: System Language Discovery
Program crash
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-12 19:49
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 19:49
Reported
2024-11-12 19:52
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pr781767.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pr781767.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pr781767.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pr781767.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pr781767.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pr781767.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pr781767.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu929858.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pr781767.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pr781767.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\136c893af9ca0ff250c4d5cfc022c4f0976641a83fdf4e00a6e9cbba7c7424b7.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pr781767.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\136c893af9ca0ff250c4d5cfc022c4f0976641a83fdf4e00a6e9cbba7c7424b7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pr781767.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu929858.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pr781767.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pr781767.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pr781767.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu929858.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\136c893af9ca0ff250c4d5cfc022c4f0976641a83fdf4e00a6e9cbba7c7424b7.exe | "C:\Users\Admin\AppData\Local\Temp\136c893af9ca0ff250c4d5cfc022c4f0976641a83fdf4e00a6e9cbba7c7424b7.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pr781767.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pr781767.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3336 -ip 3336 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 1084 |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu929858.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu929858.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.161.248.142:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pr781767.exe
| MD5 | 6f54e55bf2ad08d53e631417b1bb9734 |
| SHA1 | 1f091f2bfd33a385f5739367d25d5fe02531a7a9 |
| SHA256 | ba32d1f29a4a48627697b4ee34fa0f3b4e0d024f9694689d3b14499ce73ceef3 |
| SHA512 | a239408e59287a9baf84606c4bc54730e5a75235a474ec1513a9da1014d64e6bf5861f8b8e949df94fb9b8c03b3705b00040a39989a6654c5611db3b32ba7a38 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu929858.exe
| MD5 | 4efc59cdd4e1525983816aecaed824f1 |
| SHA1 | 69384686e4d33ce8d7cd90a25651d3fd2bfb0393 |
| SHA256 | e285fd7212da4fc21fac939e4590d430e3e97ceda0729dbfb6eac9068a50bc3b |
| SHA512 | 66e15cff56435431fb2877b11883c7e1ad0cc9d80a87b4de141b65b495be48e449589f1bc2ff06ccbb17d9eed120f10abdfa48958520e2b03572bcbfff9d9b1c |