Analysis Overview
SHA256
bc2c4da79745fdb2395d45e22bc1d4fe5ca061b13f970d5261350cd53f0444fa
Threat Level: Known bad
The file bc2c4da79745fdb2395d45e22bc1d4fe5ca061b13f970d5261350cd53f0444fa.exe was found to be: Known bad.
Malicious Activity Summary
Detects Healer, an antivirus disabler dropper
Healer family
Healer
Redline family
RedLine
RedLine payload
Modifies Windows Defender Real-time Protection settings
Executes dropped EXE
Windows security modification
Adds Run key to start application
Unsigned PE
Program crash
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 14:23
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 14:23
Reported
2024-11-13 14:25
Platform
win10v2004-20241007-en
Max time kernel
112s
Max time network
118s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h16Ma93.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f2417LI.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f2417LI.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f2417LI.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h16Ma93.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h16Ma93.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h16Ma93.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f2417LI.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f2417LI.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f2417LI.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h16Ma93.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h16Ma93.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba6160.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f2417LI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h16Ma93.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\igWCk04.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f2417LI.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h16Ma93.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h16Ma93.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba6160.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\bc2c4da79745fdb2395d45e22bc1d4fe5ca061b13f970d5261350cd53f0444fa.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h16Ma93.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba6160.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h16Ma93.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\igWCk04.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bc2c4da79745fdb2395d45e22bc1d4fe5ca061b13f970d5261350cd53f0444fa.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f2417LI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f2417LI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h16Ma93.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h16Ma93.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f2417LI.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h16Ma93.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\igWCk04.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\bc2c4da79745fdb2395d45e22bc1d4fe5ca061b13f970d5261350cd53f0444fa.exe | "C:\Users\Admin\AppData\Local\Temp\bc2c4da79745fdb2395d45e22bc1d4fe5ca061b13f970d5261350cd53f0444fa.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba6160.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba6160.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f2417LI.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f2417LI.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h16Ma93.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h16Ma93.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4828 -ip 4828 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 1084 |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\igWCk04.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\igWCk04.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| RU | 193.233.20.30:4125 | N/A | tcp |
| RU | 193.233.20.30:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| RU | 193.233.20.30:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| RU | 193.233.20.30:4125 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba6160.exe
| MD5 | 3744dc1c16a6bf37e9e81d386fe47b4f |
| SHA1 | 26b97a47ddfe38146732aa39a857f5e0cbcb939b |
| SHA256 | 42a027b92547cec6efc95c77ecbc9d9e21049555a09311274c0f693c859b08dc |
| SHA512 | 3625e1ffa589990c5246fb286eeef7ea699d9f4d55e91003fe8e650da75289fec75d7f1bd65680b7c59b7149873f1805127a1eb9d82f2063f2b275a7389b298d |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f2417LI.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h16Ma93.exe
| MD5 | 5623a47dd34a0b50e1e3c816d5e01ea6 |
| SHA1 | a6be6352b43c5c439e5aba50546e1956693290e5 |
| SHA256 | 5c465687bf69197e08fc0b96d99a9ba12ca4eb168d797270f956b06b24f5b110 |
| SHA512 | 208789d81db4aafd823fafbf4c4f8573d7811488be122f47deeb059247c544e1afa8d74ec381c766d879335cd723ea7e5a0875a36bbabc3a19582bc7fa772371 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\igWCk04.exe
| MD5 | 29f2c48653b526e859ef25de2d174b6d |
| SHA1 | 3af2621c9d396c041d0047e6af8bc622a902ab9e |
| SHA256 | d95fb3656298edd3f962e8e2a001ed2cb78d8f3ae2bc6f7bb45b681e7b19e83d |
| SHA512 | 4fb8981f01a8e423dc6141762d12557d4dcb583fdff724839235ce4418c99927a0fbc738dfbd846d4c36a77862a3b87fe80e934f5991b4060e605c2d99913947 |