Analysis Overview
SHA256
df67bd166c510cbeaf3c8c018b9b0cf5136a36948105b80fe342666ced4ab9db
Threat Level: Known bad
The file df67bd166c510cbeaf3c8c018b9b0cf5136a36948105b80fe342666ced4ab9db.exe was found to be: Known bad.
Malicious Activity Summary
Healer family
Detects Healer an antivirus disabler dropper
RedLine payload
Healer
Redline family
RedLine
Modifies Windows Defender Real-time Protection settings
Windows security modification
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 19:08
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 19:08
Reported
2024-11-13 19:10
Platform
win10v2004-20241007-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6257.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6257.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6257.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6257.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6257.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6257.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un915031.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6257.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1977.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6257.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6257.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\df67bd166c510cbeaf3c8c018b9b0cf5136a36948105b80fe342666ced4ab9db.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un915031.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6257.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1977.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\df67bd166c510cbeaf3c8c018b9b0cf5136a36948105b80fe342666ced4ab9db.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un915031.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6257.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6257.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6257.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6257.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1977.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\df67bd166c510cbeaf3c8c018b9b0cf5136a36948105b80fe342666ced4ab9db.exe
"C:\Users\Admin\AppData\Local\Temp\df67bd166c510cbeaf3c8c018b9b0cf5136a36948105b80fe342666ced4ab9db.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un915031.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un915031.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6257.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6257.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 184 -ip 184
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 184 -s 1084
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1977.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1977.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 193.233.20.33:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| RU | 193.233.20.33:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| RU | 193.233.20.33:4125 | N/A | tcp |
| RU | 193.233.20.33:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| RU | 193.233.20.33:4125 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un915031.exe
| MD5 | c960d9f6dcbcbb2ec6af63de44aa24d4 |
| SHA1 | c16bafa3a623c0be19548be347114ba329805322 |
| SHA256 | e1192dced232862951c22748d29247c875a836abfd0e0b8b55fea7f0422dabee |
| SHA512 | 4fb59c3af6d0653aeb0709043820805e1814df3813f87dc8a2d4c9f349cd51dc9a945efc82c58d218623114b7528cae10d9cf97f9330639f56ffd7cb9d87a872 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6257.exe
| MD5 | 37d09084855f9f81ccb04e4a706878bd |
| SHA1 | 800d5a2c3f355efcd494a27b12b81034a36b02f6 |
| SHA256 | 6fe7a8c81d0c5cea2f7a127b30d5814a52d8dfeb37e9dcedb3f407614938ad23 |
| SHA512 | 50d2d67a47895612ab9e40b7dd00413d456c25fca72fa14b9513f86070e9cf38b5a6a7491f706d450b326546a3b46b26c5f046cedcbcc9948d80e383ef574e2f |
memory/184-15-0x0000000000A30000-0x0000000000B30000-memory.dmp
memory/184-17-0x0000000000400000-0x000000000070C000-memory.dmp
memory/184-16-0x0000000000400000-0x0000000000430000-memory.dmp
memory/184-18-0x0000000000400000-0x000000000070C000-memory.dmp
memory/184-19-0x0000000000A00000-0x0000000000A1A000-memory.dmp
memory/184-20-0x0000000005100000-0x00000000056A4000-memory.dmp
memory/184-21-0x00000000022E0000-0x00000000022F8000-memory.dmp
memory/184-49-0x00000000022E0000-0x00000000022F2000-memory.dmp
memory/184-47-0x00000000022E0000-0x00000000022F2000-memory.dmp
memory/184-45-0x00000000022E0000-0x00000000022F2000-memory.dmp
memory/184-43-0x00000000022E0000-0x00000000022F2000-memory.dmp
memory/184-41-0x00000000022E0000-0x00000000022F2000-memory.dmp
memory/184-39-0x00000000022E0000-0x00000000022F2000-memory.dmp
memory/184-37-0x00000000022E0000-0x00000000022F2000-memory.dmp
memory/184-35-0x00000000022E0000-0x00000000022F2000-memory.dmp
memory/184-33-0x00000000022E0000-0x00000000022F2000-memory.dmp
memory/184-31-0x00000000022E0000-0x00000000022F2000-memory.dmp
memory/184-29-0x00000000022E0000-0x00000000022F2000-memory.dmp
memory/184-27-0x00000000022E0000-0x00000000022F2000-memory.dmp
memory/184-25-0x00000000022E0000-0x00000000022F2000-memory.dmp
memory/184-23-0x00000000022E0000-0x00000000022F2000-memory.dmp
memory/184-22-0x00000000022E0000-0x00000000022F2000-memory.dmp
memory/184-50-0x0000000000A30000-0x0000000000B30000-memory.dmp
memory/184-51-0x0000000000400000-0x0000000000430000-memory.dmp
memory/184-53-0x0000000000400000-0x000000000070C000-memory.dmp
memory/184-55-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1977.exe
| MD5 | 92f5f0c9b0fc35b645ebc6870b7b0de3 |
| SHA1 | ee237a40508fa1f2f693ad490b7016f600d6ccbb |
| SHA256 | be23e631366f6ec3b80e98de2c882934ea15241feedb0465454966c707958847 |
| SHA512 | 2a359a9e97af530ad5c8b36736ebc10310f9cadff347cd5c7a87af4d92635c6d2d073b8be97fb4800d92d0acecc237911ab7d556126c40902358100c397a5895 |
memory/3584-60-0x0000000004C50000-0x0000000004C96000-memory.dmp
memory/3584-61-0x0000000004CF0000-0x0000000004D34000-memory.dmp
memory/3584-65-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
memory/3584-73-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
memory/3584-95-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
memory/3584-91-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
memory/3584-89-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
memory/3584-87-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
memory/3584-85-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
memory/3584-83-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
memory/3584-81-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
memory/3584-79-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
memory/3584-77-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
memory/3584-75-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
memory/3584-71-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
memory/3584-69-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
memory/3584-67-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
memory/3584-93-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
memory/3584-63-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
memory/3584-62-0x0000000004CF0000-0x0000000004D2E000-memory.dmp
memory/3584-968-0x0000000005350000-0x0000000005968000-memory.dmp
memory/3584-969-0x00000000059F0000-0x0000000005AFA000-memory.dmp
memory/3584-970-0x0000000005B30000-0x0000000005B42000-memory.dmp
memory/3584-971-0x0000000005B50000-0x0000000005B8C000-memory.dmp
memory/3584-972-0x0000000005CA0000-0x0000000005CEC000-memory.dmp