Analysis Overview
SHA256
a3f93590ea33b8d8b791eb0b8eb1fd5efa1c5421ee97455229fd1b57b8249990
Threat Level: Known bad
The file a3f93590ea33b8d8b791eb0b8eb1fd5efa1c5421ee97455229fd1b57b8249990.exe was found to be: Known bad.
Malicious Activity Summary
Healer
Redline family
Healer family
RedLine
RedLine payload
Detects Healer an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
Executes dropped EXE
Windows security modification
Adds Run key to start application
Program crash
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 13:27
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 13:27
Reported
2024-11-13 13:29
Platform
win10v2004-20241007-en
Max time kernel
115s
Max time network
116s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uruv89rX84.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uruv89rX84.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uruv89rX84.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uruv89rX84.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uruv89rX84.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uruv89rX84.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycQe35NY24.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uruv89rX84.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrKI11Pb35.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uruv89rX84.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uruv89rX84.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\a3f93590ea33b8d8b791eb0b8eb1fd5efa1c5421ee97455229fd1b57b8249990.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycQe35NY24.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uruv89rX84.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a3f93590ea33b8d8b791eb0b8eb1fd5efa1c5421ee97455229fd1b57b8249990.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycQe35NY24.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uruv89rX84.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrKI11Pb35.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uruv89rX84.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uruv89rX84.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uruv89rX84.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrKI11Pb35.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\a3f93590ea33b8d8b791eb0b8eb1fd5efa1c5421ee97455229fd1b57b8249990.exe | "C:\Users\Admin\AppData\Local\Temp\a3f93590ea33b8d8b791eb0b8eb1fd5efa1c5421ee97455229fd1b57b8249990.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycQe35NY24.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycQe35NY24.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uruv89rX84.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uruv89rX84.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2416 -ip 2416 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 1084 |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrKI11Pb35.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrKI11Pb35.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hueref.eu | udp |
| US | 8.8.8.8:53 | hueref.eu | udp |
| US | 8.8.8.8:53 | hueref.eu | udp |
| US | 8.8.8.8:53 | hueref.eu | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hueref.eu | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hueref.eu | udp |
| US | 8.8.8.8:53 | hueref.eu | udp |
| US | 8.8.8.8:53 | hueref.eu | udp |
| US | 8.8.8.8:53 | hueref.eu | udp |
| US | 8.8.8.8:53 | hueref.eu | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hueref.eu | udp |
| US | 8.8.8.8:53 | hueref.eu | udp |
| US | 8.8.8.8:53 | hueref.eu | udp |
| US | 8.8.8.8:53 | hueref.eu | udp |
| US | 8.8.8.8:53 | hueref.eu | udp |
| US | 8.8.8.8:53 | hueref.eu | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hueref.eu | udp |
| US | 8.8.8.8:53 | hueref.eu | udp |
| US | 8.8.8.8:53 | hueref.eu | udp |
| US | 8.8.8.8:53 | hueref.eu | udp |
| US | 8.8.8.8:53 | hueref.eu | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycQe35NY24.exe
| MD5 | 34757e3987e309cacc2de20c779c8882 |
| SHA1 | 722779fd9fc3c9537f24edf2649a0ffb0f04226e |
| SHA256 | aeecff4baaec1747c853d61dada09816f2c288a1af55c9914699368498a56fbd |
| SHA512 | fb65ca6422adb0c17c642716a021d246edf0e70b3c2c764262a0d52315d314cdfb818a91f6805cce6321daf45fa96b93e762002000e936b71aa476a017a4b5be |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uruv89rX84.exe
| MD5 | 99a158cf8893ed9ba9f95c8a8d305f7e |
| SHA1 | d93e3ec8b044006faf4648bc20550bb9f84206b3 |
| SHA256 | 9fcfc396efbaacf64160dd22e4942aa2113e023c43e0aa5a31fad0183c0602b0 |
| SHA512 | b78c00ef8def2849d36dc37af1cf624e71d2bdf1da71dcb19005dedbe6d4e5b6ae0663a232583c019a976ac903f1d953c7085beab57c64b5266242c7aabf4122 |
memory/2416-15-0x0000000000820000-0x0000000000920000-memory.dmp
memory/2416-16-0x0000000000650000-0x000000000067D000-memory.dmp
memory/2416-17-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2416-18-0x0000000000400000-0x000000000057E000-memory.dmp
memory/2416-19-0x0000000002200000-0x000000000221A000-memory.dmp
memory/2416-20-0x0000000004C10000-0x00000000051B4000-memory.dmp
memory/2416-21-0x00000000023B0000-0x00000000023C8000-memory.dmp
memory/2416-22-0x00000000023B0000-0x00000000023C2000-memory.dmp
memory/2416-23-0x00000000023B0000-0x00000000023C2000-memory.dmp
memory/2416-49-0x00000000023B0000-0x00000000023C2000-memory.dmp
memory/2416-47-0x00000000023B0000-0x00000000023C2000-memory.dmp
memory/2416-45-0x00000000023B0000-0x00000000023C2000-memory.dmp
memory/2416-43-0x00000000023B0000-0x00000000023C2000-memory.dmp
memory/2416-41-0x00000000023B0000-0x00000000023C2000-memory.dmp
memory/2416-39-0x00000000023B0000-0x00000000023C2000-memory.dmp
memory/2416-37-0x00000000023B0000-0x00000000023C2000-memory.dmp
memory/2416-35-0x00000000023B0000-0x00000000023C2000-memory.dmp
memory/2416-33-0x00000000023B0000-0x00000000023C2000-memory.dmp
memory/2416-31-0x00000000023B0000-0x00000000023C2000-memory.dmp
memory/2416-29-0x00000000023B0000-0x00000000023C2000-memory.dmp
memory/2416-27-0x00000000023B0000-0x00000000023C2000-memory.dmp
memory/2416-25-0x00000000023B0000-0x00000000023C2000-memory.dmp
memory/2416-50-0x0000000000820000-0x0000000000920000-memory.dmp
memory/2416-51-0x0000000000650000-0x000000000067D000-memory.dmp
memory/2416-52-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2416-55-0x0000000000400000-0x000000000057E000-memory.dmp
memory/2416-56-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrKI11Pb35.exe
| MD5 | 5219e8f0103dcdc1edfc06a291fa3dc5 |
| SHA1 | 176526bf4ebef1bfcf7cf535ae8707739e8b94ef |
| SHA256 | 79e9c0528a3deef77dc8e379e8d4d889ecabd5cf04e1d6756f92ca55c13f4a7d |
| SHA512 | 445da5e0a94d36dd96da459d028d706ed5067f4b95f30708d44daeeea933f01f42999f51cd1a889a73173e43924b1957e8259834dd5327c3b0d7baf4b1edbbf6 |
memory/4776-61-0x0000000002260000-0x00000000022A6000-memory.dmp
memory/4776-62-0x0000000002560000-0x00000000025A4000-memory.dmp
memory/4776-64-0x0000000002560000-0x000000000259E000-memory.dmp
memory/4776-76-0x0000000002560000-0x000000000259E000-memory.dmp
memory/4776-96-0x0000000002560000-0x000000000259E000-memory.dmp
memory/4776-94-0x0000000002560000-0x000000000259E000-memory.dmp
memory/4776-92-0x0000000002560000-0x000000000259E000-memory.dmp
memory/4776-90-0x0000000002560000-0x000000000259E000-memory.dmp
memory/4776-88-0x0000000002560000-0x000000000259E000-memory.dmp
memory/4776-86-0x0000000002560000-0x000000000259E000-memory.dmp
memory/4776-84-0x0000000002560000-0x000000000259E000-memory.dmp
memory/4776-82-0x0000000002560000-0x000000000259E000-memory.dmp
memory/4776-78-0x0000000002560000-0x000000000259E000-memory.dmp
memory/4776-74-0x0000000002560000-0x000000000259E000-memory.dmp
memory/4776-72-0x0000000002560000-0x000000000259E000-memory.dmp
memory/4776-70-0x0000000002560000-0x000000000259E000-memory.dmp
memory/4776-68-0x0000000002560000-0x000000000259E000-memory.dmp
memory/4776-66-0x0000000002560000-0x000000000259E000-memory.dmp
memory/4776-80-0x0000000002560000-0x000000000259E000-memory.dmp
memory/4776-63-0x0000000002560000-0x000000000259E000-memory.dmp
memory/4776-969-0x0000000005280000-0x0000000005898000-memory.dmp
memory/4776-970-0x00000000058A0000-0x00000000059AA000-memory.dmp
memory/4776-971-0x00000000059B0000-0x00000000059C2000-memory.dmp
memory/4776-972-0x00000000059D0000-0x0000000005A0C000-memory.dmp
memory/4776-973-0x0000000005B10000-0x0000000005B5C000-memory.dmp