Analysis Overview
SHA256
c1eb2bf2565fd92a410efaef30a93b2a3a4af9b75abc7ca69e417077b20e9a47
Threat Level: Known bad
The file c1eb2bf2565fd92a410efaef30a93b2a3a4af9b75abc7ca69e417077b20e9a47 was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
Modifies Windows Defender Real-time Protection settings
Healer
Detects Healer, an antivirus disabler dropper
Detects executables packed with ConfuserEx Mod
Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
Executes dropped EXE
Windows security modification
Adds Run key to start application
Launches sc.exe
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-02 03:15
Signatures
Unsigned PE
1 hit; the report records no description, indicator, process or target for it.
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-02 03:15
Reported
2024-05-02 03:17
Platform
win10v2004-20240419-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
17 hits; the report records no description, indicator, process or target for any of them.
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a00504737.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a00504737.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a00504737.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a00504737.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a00504737.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a00504737.exe | N/A |
RedLine
RedLine payload
2 hits; the report records no description, indicator, process or target for them.
Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
17 hits; the report records no description, indicator, process or target for any of them.
Detects executables packed with ConfuserEx Mod
2 hits; the report records no description, indicator, process or target for them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i66019707.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i81183894.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i11926982.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i55033091.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a00504737.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b71294961.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a00504737.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a00504737.exe | N/A |
Adds Run key to start application
Note: the RunOnce values below are the standard wextract (IExpress self-extractor) clean-up entries. Each one runs advpack.dll's DelNodeRunDLL32 at next logon to delete an IXP00n.TMP extraction directory, so they remove the dropper's staging directories rather than persist a payload; treat this signature as low-value for persistence here. The sequence does, however, record the nesting of the five self-extracting layers: the top-level sample registers cleanup0 for IXP000.TMP, i66019707.exe (extracted into IXP000.TMP) registers cleanup1 for IXP001.TMP, and so on down to i55033091.exe registering cleanup4 for IXP004.TMP, where a00504737.exe (the Defender disabler) and b71294961.exe (the RedLine payload) are extracted.
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\c1eb2bf2565fd92a410efaef30a93b2a3a4af9b75abc7ca69e417077b20e9a47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i66019707.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i81183894.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i11926982.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i55033091.exe | N/A |
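The three registry tables above (the Real-Time Protection policy writes, the TamperProtection write and the RunOnce entries) are the kind of events an EDR or Sysmon (Event ID 13, SetValue) records on a real host. The following triage routine is an added example, not part of the sandbox report or of any vendor's detection content: it classifies such events into "Defender policy disabled", "Tamper Protection switched off", "wextract clean-up entry (informational)" and "Run/RunOnce persistence", accepting both the kernel (\REGISTRY\MACHINE) and Win32 (HKLM) path spellings and both the native and WOW6432Node views, since the 32-bit writer in this report was redirected. The event layout, the hypothetical Run\Updater persistence entry and the DWORD rendering are assumptions; the other sample events are constructed from this report's rows.

```python
"""Triage registry-write events for Defender tampering and Run/RunOnce abuse.

Added example, not part of the sandbox report. SAMPLE_EVENTS is constructed
to mirror the writes listed in this report (plus one invented Run-key
persistence entry, marked below); the field layout loosely follows Sysmon
Event ID 13 (RegistryEvent / SetValue) and is an assumption.
"""
import re
from dataclasses import dataclass

# Values under the Real-Time Protection policy key that each switch off a
# Defender feature when set to 1 (all five appear in this report).
RTP_DISABLE_VALUES = {
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableRealtimeMonitoring",
    "DisableScanOnRealtimeEnable",
}
_RTP_LC = {v.lower() for v in RTP_DISABLE_VALUES}

# Hive prefix: kernel or Win32 spelling, HKLM or a user hive, native or
# WOW6432Node view (a 32-bit process writing HKLM\SOFTWARE is redirected).
_HIVE = (r"^(?:\\REGISTRY\\MACHINE|HKLM|HKEY_LOCAL_MACHINE|"
         r"\\REGISTRY\\USER\\[^\\]+|HKCU|HKEY_CURRENT_USER)"
         r"\\SOFTWARE\\(?:WOW6432Node\\)?")
RTP_POLICY_RE = re.compile(
    _HIVE + r"Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\(?P<name>[^\\]+)$",
    re.IGNORECASE)
TAMPER_RE = re.compile(
    _HIVE + r"Microsoft\\Windows Defender\\Features\\TamperProtection$", re.IGNORECASE)
RUN_RE = re.compile(
    _HIVE + r"Microsoft\\Windows\\CurrentVersion\\(?P<key>RunOnce|Run)\\(?P<name>[^\\]+)$",
    re.IGNORECASE)
# wextract's own clean-up entry: rundll32 advpack.dll,DelNodeRunDLL32 "<...\IXPnnn.TMP\>"
WEXTRACT_CLEANUP_RE = re.compile(
    r'rundll32\.exe\s+\S*advpack\.dll,DelNodeRunDLL32\s+"[^"]*\\IXP\d{3}\.TMP\\?"',
    re.IGNORECASE)
_DWORD_RE = re.compile(r"DWORD\s*\((0x[0-9a-f]+)\)", re.IGNORECASE)


@dataclass
class RegEvent:
    process: str   # image that performed the write
    target: str    # full path of the registry value
    details: str   # data written: Sysmon-style 'DWORD (0x00000001)' or a plain string


@dataclass
class Finding:
    severity: str
    rule: str
    process: str
    target: str


def as_int(details):
    """Integer value of a DWORD rendering or a bare numeric string, else None."""
    m = _DWORD_RE.search(details)
    if m:
        return int(m.group(1), 16)
    try:
        return int(details.strip().strip('"'))
    except ValueError:
        return None


def classify(ev):
    m = RTP_POLICY_RE.match(ev.target)
    if m:
        if m.group("name").lower() in _RTP_LC and as_int(ev.details) == 1:
            return Finding("high", "defender_rtp_policy_disabled", ev.process, ev.target)
        return None  # other policy values, or a write that re-enables (0)
    if TAMPER_RE.match(ev.target):
        if as_int(ev.details) == 0:
            return Finding("high", "defender_tamper_protection_off", ev.process, ev.target)
        return None
    m = RUN_RE.match(ev.target)
    if m:
        if (m.group("key").lower() == "runonce"
                and m.group("name").lower().startswith("wextract_cleanup")
                and WEXTRACT_CLEANUP_RE.search(ev.details)):
            # Self-extractor housekeeping: deletes the IXPnnn.TMP directory, no persistence
            return Finding("info", "wextract_cleanup_runonce", ev.process, ev.target)
        return Finding("medium", "run_key_persistence", ev.process, ev.target)
    return None


def triage(events):
    return [f for f in (classify(e) for e in events) if f is not None]


_A = r"C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a00504737.exe"
_HKLM_W = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node"
SAMPLE_EVENTS = [  # constructed from this report's registry tables
    RegEvent(_A, _HKLM_W + r"\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
             "DWORD (0x00000001)"),
    RegEvent(_A, _HKLM_W + r"\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring",
             "1"),
    RegEvent(_A, _HKLM_W + r"\Microsoft\Windows Defender\Features\TamperProtection", "DWORD (0x00000000)"),
    RegEvent(r"C:\Users\Admin\AppData\Local\Temp\c1eb2bf2565fd92a410efaef30a93b2a3a4af9b75abc7ca69e417077b20e9a47.exe",
             _HKLM_W + r"\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
             r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'),
    # Invented persistence entry (not in the report) to exercise the non-cleanup branch
    RegEvent(r"C:\Users\Admin\AppData\Roaming\updater.exe",
             r"\REGISTRY\USER\S-1-5-21-1-2-3-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
             r'"C:\Users\Admin\AppData\Roaming\updater.exe"'),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.process} -> {f.target}")
```

Two caveats when using this on real telemetry. The report shows the writes as API calls, not their effect: a direct write of TamperProtection = 0 is refused while Tamper Protection is enabled, so whether it succeeded on the sandbox image is not established by the table above. And the five Real-Time Protection values are legitimate Group Policy settings, so the rule should be correlated with the writing process (here an unsigned executable in %TEMP%) rather than fired on the value alone.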
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a00504737.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a00504737.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a00504737.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\c1eb2bf2565fd92a410efaef30a93b2a3a4af9b75abc7ca69e417077b20e9a47.exe | "C:\Users\Admin\AppData\Local\Temp\c1eb2bf2565fd92a410efaef30a93b2a3a4af9b75abc7ca69e417077b20e9a47.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i66019707.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i66019707.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i81183894.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i81183894.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i11926982.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i11926982.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i55033091.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i55033091.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a00504737.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a00504737.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b71294961.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b71294961.exe |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe start wuauserv |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | (none) | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | (none) | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | (none) | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | (none) | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | (none) | tcp |
| RU | 185.161.248.73:4164 | (none) | tcp |
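Most of the table above is background: the 8.8.8.8:53 rows are reverse (PTR) lookups the sandbox host performs, and www.bing.com / tse1.mm.bing.net are Windows 10 background traffic. The one destination that is not background is 185.161.248.73:4164, contacted six times over TCP with no preceding DNS resolution, which is consistent with a hard-coded RedLine command-and-control address but is not confirmed by anything else on this page. The routine below is an added example, not part of the sandbox report, that separates that candidate from the noise and emits a Suricata rule for it; the allowlist of background domains and the "common ports" set are analyst assumptions, and the connection records are constructed from the table above.

```python
"""Extract candidate network IOCs from sandbox connection records.

Added example, not part of the sandbox report. SAMPLE_CONNECTIONS is
constructed from the Network table of this report; OS_NOISE_SUFFIXES and
COMMON_PORTS are assumed analyst tuning, not something the report defines.
"""
from collections import Counter

# (country, destination ip:port, resolved domain or "", protocol)
SAMPLE_CONNECTIONS = [
    ("US", "8.8.8.8:53", "217.106.137.52.in-addr.arpa", "udp"),
    ("NL", "23.62.61.194:443", "www.bing.com", "tcp"),
    ("RU", "185.161.248.73:4164", "", "tcp"),
    ("US", "8.8.8.8:53", "86.23.85.13.in-addr.arpa", "udp"),
    ("RU", "185.161.248.73:4164", "", "tcp"),
    ("RU", "185.161.248.73:4164", "", "tcp"),
    ("RU", "185.161.248.73:4164", "", "tcp"),
    ("US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    ("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
    ("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
    ("US", "8.8.8.8:53", "200.197.79.204.in-addr.arpa", "udp"),
    ("RU", "185.161.248.73:4164", "", "tcp"),
    ("RU", "185.161.248.73:4164", "", "tcp"),
]

# Assumed allowlist: Windows background destinations seen in most sandbox runs.
OS_NOISE_SUFFIXES = ("bing.com", "bing.net", "microsoft.com",
                     "windowsupdate.com", "msftconnecttest.com")
COMMON_PORTS = {80, 443}


def parse_destination(dest):
    host, port = dest.rsplit(":", 1)
    return host, int(port)


def is_background(dest, domain, proto):
    """True for resolver traffic and for allowlisted OS domains."""
    _, port = parse_destination(dest)
    if proto == "udp" and port == 53:
        return True  # DNS to the resolver, including the sandbox's own PTR lookups
    d = domain.lower()
    return any(d == s or d.endswith("." + s) for s in OS_NOISE_SUFFIXES)


def extract_iocs(connections):
    """Group the non-background connections and explain why each is suspicious."""
    counts = Counter()
    for country, dest, domain, proto in connections:
        if is_background(dest, domain, proto):
            continue
        host, port = parse_destination(dest)
        counts[(host, port, proto, domain, country)] += 1
    iocs = []
    for (host, port, proto, domain, country), n in counts.most_common():
        reasons = []
        if not domain:
            reasons.append("direct-to-IP, no DNS resolution observed")
        if port not in COMMON_PORTS:
            reasons.append("uncommon port %d" % port)
        if n > 1:
            reasons.append("%d repeated connections (retry or beacon)" % n)
        iocs.append({"host": host, "port": port, "proto": proto,
                     "country": country, "count": n, "reasons": reasons})
    return iocs


def suricata_rule(ioc, sid, msg_prefix="Sandbox-derived C2 candidate"):
    """Render one IOC as a Suricata/Snort rule for outbound traffic to it."""
    return ('alert %s $HOME_NET any -> %s %d (msg:"%s %s:%d"; flow:to_server; '
            'classtype:trojan-activity; sid:%d; rev:1;)'
            % (ioc["proto"], ioc["host"], ioc["port"],
               msg_prefix, ioc["host"], ioc["port"], sid))


if __name__ == "__main__":
    for i, ioc in enumerate(extract_iocs(SAMPLE_CONNECTIONS), start=1):
        print("%s:%d/%s (%s) x%d: %s" % (ioc["host"], ioc["port"], ioc["proto"],
                                          ioc["country"], ioc["count"], "; ".join(ioc["reasons"])))
        print(suricata_rule(ioc, 1000000 + i))
```

The allowlist is deliberately conservative: suppressing by domain suffix only, never by IP, so a payload that happens to use a Microsoft IP range on an odd port would still surface. Port and protocol are kept in the rule rather than matching on the IP alone, since the same address may host unrelated services.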
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i66019707.exe
| MD5 | b5886c5e09e640eb8e181e4433193e1a |
| SHA1 | 7989a442aab3d7d1d62a9feed21781b3fb8604f1 |
| SHA256 | 7c3cc02e06b7db64d1e36479bca0ece8e977a1862e77ed2a7f639c4d0028b845 |
| SHA512 | 4587d2a6ca65c7944c0424bd0fb036bd92233f370160fa0ac4b1941d8c2aa11cbb85498248132e3d0f4b7a5d6543216f70620b8906b104648d27dd66fe775f91 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i81183894.exe
| MD5 | 1ac8f5538b13ba75876342b9b7b58fd9 |
| SHA1 | 313e02ec364e7789e0cacf90541c0cff1c323e45 |
| SHA256 | e202b98783d5107dd15c9fa61426470d46b065d44aca209cec337be21931d8c9 |
| SHA512 | e241092e0b6c5373408abe2be6e71a30487c84e4ffe8bcfdb8629a59cc6a346b43f5b330a17dad963390412141c02075a0c3e1df70b42e56ce306ad19ec65616 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i11926982.exe
| MD5 | e8e7b4f5a6bd9df0bd0f535b2d3ba670 |
| SHA1 | 7168d075514a6a17bfd19aa93408b7edf561c496 |
| SHA256 | 4ec88758ebabd0b71c71ef7bd2a3d0ecddb4ac5f2ef1764e72135a6955b3b9cb |
| SHA512 | 04578994d7b8060c68921fdfe693b56f77f3aab78fd47546861faa5e9d5637242ce6c254008d1ae74d632e51cc838e021d1572c42e2b004720d06e7ffb33c086 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i55033091.exe
| MD5 | 407683e36794289c62b018a6c4602bf7 |
| SHA1 | c898be0332e444882335d1e86f1baeb32ac0f9aa |
| SHA256 | 6ca0abf9b6078e723c0e60cb30e8ff05e79770f392a9802940c7234761545ef2 |
| SHA512 | afdda40faf91928789eeeca4d9d0d0bec3b01b8130a2194a01dfd12327dc70fda5b7b3c9edadbf9f95632453e1adf56afa6310b71a8ea3dffea02a682d20a080 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a00504737.exe
| MD5 | fdc108c21aef93737ebff6a2433e434a |
| SHA1 | d557cf2fe168b5d677cc6125ff033ded6411a85c |
| SHA256 | 3452dccfc3aaf6e77f5eea713d9de9a27981507723d058303c114992cc90cc5a |
| SHA512 | 3ab7d45c8ec6629bb70474effa305e2a54afece91df02469a291fda8c80cc8b05d9f5ec5871d20a2f975f6be99e7c495020f34fe70fb956af725a8a66cf10380 |
memory/404-35-0x00000000020E0000-0x00000000020FA000-memory.dmp
memory/404-36-0x0000000004C30000-0x00000000051D4000-memory.dmp
memory/404-37-0x0000000002410000-0x0000000002428000-memory.dmp
memory/404-38-0x0000000002410000-0x0000000002423000-memory.dmp
memory/404-65-0x0000000002410000-0x0000000002423000-memory.dmp
memory/404-63-0x0000000002410000-0x0000000002423000-memory.dmp
memory/404-61-0x0000000002410000-0x0000000002423000-memory.dmp
memory/404-59-0x0000000002410000-0x0000000002423000-memory.dmp
memory/404-57-0x0000000002410000-0x0000000002423000-memory.dmp
memory/404-55-0x0000000002410000-0x0000000002423000-memory.dmp
memory/404-51-0x0000000002410000-0x0000000002423000-memory.dmp
memory/404-49-0x0000000002410000-0x0000000002423000-memory.dmp
memory/404-47-0x0000000002410000-0x0000000002423000-memory.dmp
memory/404-45-0x0000000002410000-0x0000000002423000-memory.dmp
memory/404-43-0x0000000002410000-0x0000000002423000-memory.dmp
memory/404-41-0x0000000002410000-0x0000000002423000-memory.dmp
memory/404-39-0x0000000002410000-0x0000000002423000-memory.dmp
memory/404-53-0x0000000002410000-0x0000000002423000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b71294961.exe
| MD5 | 01ec9e12ad11d69c72abfe4f43bd44a4 |
| SHA1 | 4484718865f5eaf0cb86a49064dde9a01dd19572 |
| SHA256 | bd0861c4c8c32a4d7d18597f557d2814eff6c461922ef3e9aae80a528291a098 |
| SHA512 | 31132c60e76a5090d0913a54c172931aa1198db2fa849915facbb8a1317eec988d50b1d67e1c147b03c43df98f3bddf8704de8cd2bd37de7368c920b9cf5f067 |
memory/1908-70-0x0000000000B00000-0x0000000000B30000-memory.dmp
memory/1908-71-0x0000000001450000-0x0000000001456000-memory.dmp
memory/1908-72-0x000000000AEB0000-0x000000000B4C8000-memory.dmp
memory/1908-73-0x000000000A9A0000-0x000000000AAAA000-memory.dmp
memory/1908-74-0x000000000A8B0000-0x000000000A8C2000-memory.dmp
memory/1908-75-0x000000000A910000-0x000000000A94C000-memory.dmp
memory/1908-76-0x0000000004D50000-0x0000000004D9C000-memory.dmp