Analysis Overview
SHA256
3f0856bfc82db36fd7f58e72b21946c7bfe16d40dcaec19e0fb95d1d8e7dfe6a
Threat Level: Known bad
The file 3f0856bfc82db36fd7f58e72b21946c7bfe16d40dcaec19e0fb95d1d8e7dfe6aN.exe was found to be: Known bad.
Malicious Activity Summary
Detects Healer, an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
RedLine payload
Healer
RedLine
Redline family
Healer family
Executes dropped EXE
Windows security modification
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 15:37
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 15:37
Reported
2024-11-13 15:39
Platform
win10v2004-20241007-en
Max time kernel
116s
Max time network
119s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf59ts72sB19.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf59ts72sB19.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf59ts72sB19.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf59ts72sB19.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf59ts72sB19.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf59ts72sB19.exe | N/A |
RedLine
RedLine payload
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhSY8151rj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf59ts72sB19.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf57aN13oA46.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf59ts72sB19.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\3f0856bfc82db36fd7f58e72b21946c7bfe16d40dcaec19e0fb95d1d8e7dfe6aN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhSY8151rj.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3f0856bfc82db36fd7f58e72b21946c7bfe16d40dcaec19e0fb95d1d8e7dfe6aN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhSY8151rj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf57aN13oA46.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf59ts72sB19.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf59ts72sB19.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf59ts72sB19.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf57aN13oA46.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\3f0856bfc82db36fd7f58e72b21946c7bfe16d40dcaec19e0fb95d1d8e7dfe6aN.exe | "C:\Users\Admin\AppData\Local\Temp\3f0856bfc82db36fd7f58e72b21946c7bfe16d40dcaec19e0fb95d1d8e7dfe6aN.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhSY8151rj.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhSY8151rj.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf59ts72sB19.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf59ts72sB19.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf57aN13oA46.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf57aN13oA46.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 193.233.20.27:4123 | N/A | tcp |
| RU | 193.233.20.27:4123 | N/A | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| RU | 193.233.20.27:4123 | N/A | tcp |
| RU | 193.233.20.27:4123 | N/A | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| RU | 193.233.20.27:4123 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhSY8151rj.exe
| MD5 | e42f0e6f4b9a8a9fe9fb00225e238d9c |
| SHA1 | 2546f332cbf1a04c51d737307bf8b9b3db854869 |
| SHA256 | 04b067d18f6b397e3d3bfc95fd78269cd77a2f17c34a8d7c3f9512fffee98617 |
| SHA512 | 3d239fbac528d2568bd7983363777c6d960c9707e9b315ddbe57e87dab77948b1af8aefed20a9d9dfb49f158ace0575451a58a598671c0d00b18c67a4c2e0050 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf59ts72sB19.exe
| MD5 | 15a15134f3a6e55f7b03639811cc71b7 |
| SHA1 | 1cc154fcd448833a63affb9403195c46a1324bdf |
| SHA256 | 2c85db1034a9d1211a4fd37b5496ed3c0e19d4a5bb5e2578ac1072d5bae1df12 |
| SHA512 | d7ebbb60f2c9cf5e8a5345ef76b64386eba5cbaacef92d3ae9aac34fcd0ea02614d30fa233c4943d7cefaf04c2f7b7b5026e33bb16f6f23c2a20cb23bfee007f |
memory/3768-14-0x00007FFBC4883000-0x00007FFBC4885000-memory.dmp
memory/3768-15-0x0000000000260000-0x000000000026A000-memory.dmp
memory/3768-16-0x00007FFBC4883000-0x00007FFBC4885000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf57aN13oA46.exe
| MD5 | 434e2d5a4767741895ef183a448da368 |
| SHA1 | 1e1d795ae169d4068d8da31d1aa89027804a21a3 |
| SHA256 | ad32f3b0b1f7b775e4235d6969f27886cc2fafeeb1bd02853fde41ddee1db27a |
| SHA512 | e50de394d28557d67ae62bba669dacf8afcc1c925cfd04dcbf07f14ff2c7939579d12337cc8ed822c82bdfcbfcd1114289eede2411113a17c8f92485a15e50f0 |