Analysis Overview
SHA256
ae392761f1df9f1aa2494cf504c5156fbbb1298ee9d0602b259fbfc63e7f0057
Threat Level: Known bad
The file ae392761f1df9f1aa2494cf504c5156fbbb1298ee9d0602b259fbfc63e7f0057N.exe was found to be: Known bad.
Malicious Activity Summary
Healer family
Detects Healer, an antivirus disabler dropper
Healer
RedLine
Redline family
RedLine payload
Modifies Windows Defender Real-time Protection settings
Checks computer location settings
Windows security modification
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-26 17:26
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-26 17:26
Reported
2024-11-26 17:28
Platform
win10v2004-20241007-en
Max time kernel
104s
Max time network
124s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\az006846.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\az006846.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bu244991.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bu244991.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bu244991.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bu244991.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\az006846.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\az006846.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\az006846.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\az006846.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bu244991.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bu244991.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cor8709.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki161503.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\az006846.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bu244991.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cor8709.exe | N/A |
| N/A | N/A | C:\Windows\Temp\1.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\az006846.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bu244991.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bu244991.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\ae392761f1df9f1aa2494cf504c5156fbbb1298ee9d0602b259fbfc63e7f0057N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki161503.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bu244991.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cor8709.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ae392761f1df9f1aa2494cf504c5156fbbb1298ee9d0602b259fbfc63e7f0057N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki161503.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bu244991.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cor8709.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\1.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\az006846.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\az006846.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bu244991.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bu244991.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\az006846.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bu244991.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cor8709.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ae392761f1df9f1aa2494cf504c5156fbbb1298ee9d0602b259fbfc63e7f0057N.exe
"C:\Users\Admin\AppData\Local\Temp\ae392761f1df9f1aa2494cf504c5156fbbb1298ee9d0602b259fbfc63e7f0057N.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki161503.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki161503.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\az006846.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\az006846.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bu244991.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bu244991.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2512 -ip 2512
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 1084
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cor8709.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cor8709.exe
C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2556 -ip 2556
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 1180
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| RU | 185.161.248.90:4125 | | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| RU | 185.161.248.90:4125 | | tcp |
| US | 8.8.8.8:53 | 68.208.201.84.in-addr.arpa | udp |
| RU | 185.161.248.90:4125 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| RU | 185.161.248.90:4125 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki161503.exe
| MD5 | a7d3b6d4df89ebc14203e4c61aa2813a |
| SHA1 | 14e56aa187b9ede93de67d5ad7361094639c2442 |
| SHA256 | 81153ae921e74bae5e00374c897f8091339bf0399b9582e6b2b3d48ce9184138 |
| SHA512 | 087901a4c2f70fc4fcbd881e022b029c5ce5f7881edf69c84dadafc706cfc855013248f4640866817a4cc3c0e595947ac70274f7ef16b9a05071003fb07cadc0 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\az006846.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/4188-14-0x00007FFD13EA3000-0x00007FFD13EA5000-memory.dmp
memory/4188-15-0x00000000005C0000-0x00000000005CA000-memory.dmp
memory/4188-16-0x00007FFD13EA3000-0x00007FFD13EA5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bu244991.exe
| MD5 | 8dcc2b4cad499ef09ff99e5872802979 |
| SHA1 | 2ce03ea58a2d64ab502a35f46b945bbe4d5d07f5 |
| SHA256 | 703295c0a45d9b1852f43c4aec6edc92f5f4b56b00c12929fc7db35b721e20ac |
| SHA512 | bd1c6b62c6f4e49adca7be28295c018a06fcc1367b20cabd95f1b545476f509a53f73d6422145daef0a657baaa35d0f6617dcc3aed0b76752f7126998c14cfee |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cor8709.exe
| MD5 | 92cfee62f6fd650245941f7b4dfc7e31 |
| SHA1 | d680767c772c44534aef7faf24ccb0e48a3dae68 |
| SHA256 | 5552ff3098a104a61691cc1b1440e835bd2280c3e569ed7c99e9e455adc8807b |
| SHA512 | a5ada28765b8ee88cfbd15011483ab4b2eb1ef9c134c36c3cbc2aa2597620cd33afa7be797698a3b9fe3368ba010c42105034d027cc0485a65cc17b026c89522 |
C:\Windows\Temp\1.exe
| MD5 | 03728fed675bcde5256342183b1d6f27 |
| SHA1 | d13eace7d3d92f93756504b274777cc269b222a2 |
| SHA256 | f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0 |
| SHA512 | 6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1 |