Analysis Overview
SHA256
7b8c157934afb9480c8ad7f456fccb235294c2a5557eb05102c736a24e2c9aaf
Threat Level: Known bad
The file aa11496ae8767601729e7f74ad715430N.cab was found to be: Known bad.
Malicious Activity Summary
Healer
Modifies Windows Defender Real-time Protection settings
RedLine payload
RedLine
Detects Healer, an antivirus disabler dropper
Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-30 08:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-30 08:36
Reported
2024-08-30 08:38
Platform
win7-20240708-en
Max time kernel
106s
Max time network
117s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2984 set thread context of 1944 | N/A | C:\Users\Admin\AppData\Local\Temp\j5520135.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\j5520135.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\j5520135.exe
"C:\Users\Admin\AppData\Local\Temp\j5520135.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Network
| Country | Destination | Domain | Proto |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
Files
memory/1944-1-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1944-2-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1944-5-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1944-4-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/1944-3-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1944-0-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1944-8-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1944-9-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1944-10-0x00000000744CE000-0x00000000744CF000-memory.dmp
memory/1944-11-0x00000000003B0000-0x00000000003B6000-memory.dmp
memory/1944-12-0x00000000744C0000-0x0000000074BAE000-memory.dmp
memory/1944-13-0x00000000744CE000-0x00000000744CF000-memory.dmp
memory/1944-14-0x00000000744C0000-0x0000000074BAE000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-30 08:36
Reported
2024-08-30 08:38
Platform
win10v2004-20240802-en
Max time kernel
107s
Max time network
115s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3100 set thread context of 3088 | N/A | C:\Users\Admin\AppData\Local\Temp\j5520135.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\j5520135.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\j5520135.exe
"C:\Users\Admin\AppData\Local\Temp\j5520135.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
Files
memory/3088-0-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3088-1-0x00000000744DE000-0x00000000744DF000-memory.dmp
memory/3088-2-0x0000000002930000-0x0000000002936000-memory.dmp
memory/3088-3-0x000000000AA20000-0x000000000B038000-memory.dmp
memory/3088-4-0x000000000A520000-0x000000000A62A000-memory.dmp
memory/3088-5-0x000000000A460000-0x000000000A472000-memory.dmp
memory/3088-6-0x000000000A4C0000-0x000000000A4FC000-memory.dmp
memory/3088-7-0x00000000744D0000-0x0000000074C80000-memory.dmp
memory/3088-8-0x00000000028B0000-0x00000000028FC000-memory.dmp
memory/3088-9-0x00000000744DE000-0x00000000744DF000-memory.dmp
memory/3088-10-0x00000000744D0000-0x0000000074C80000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-08-30 08:36
Reported
2024-08-30 08:38
Platform
win10v2004-20240802-en
Max time kernel
106s
Max time network
114s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5976294.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9422113.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9251280.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\x2665667.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5976294.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4776 set thread context of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9422113.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\x2665667.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5976294.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9422113.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9251280.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\x2665667.exe
"C:\Users\Admin\AppData\Local\Temp\x2665667.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5976294.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5976294.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9422113.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9422113.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9251280.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9251280.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5976294.exe
| MD5 | d07a8d025ad5167e0519e860780f58b0 |
| SHA1 | 930163600ba309aa6f8c72844d133378bb1df911 |
| SHA256 | 50f4fdfafc46731ed6f310d378ddda0a39d4b4cc10da9729a45b12f63e17aee4 |
| SHA512 | 55ea0e4ca8f6202539254f10e87a608a0c8a1ad03ae0263a207664bb385cb78119641838bfc9e293c2e7799e9027b458694ae984ef5c8a8aacd62c4349e9ea25 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9422113.exe
| MD5 | c04574bae7475ceb34295dba472371fd |
| SHA1 | 69644e2718e135c484d62abd409e10c94a280863 |
| SHA256 | 38484c394c6c62deb85ee75b30cd5ff568c5dc23ca08a3366d0f2482dfefe11c |
| SHA512 | 9ffc37140111861f4b645fa7015beed57291bd45a0e02145391fed3638f853eff9b8beb7e60709716e3dc368abbc91d0a2e8e7088e3f138287d846cd3cf87a87 |
memory/2968-14-0x0000000000400000-0x000000000040A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9251280.exe
| MD5 | 2ebab37f88bd95040550fddf6b98086b |
| SHA1 | c87316aea7a90fbb0b058a5c472c294e1a711848 |
| SHA256 | 81110de81c715b9b50429ca1f7a1ee9d83bc6a2ff10a79175a61e0ef344ebc1a |
| SHA512 | 42461327fdf3ef262861af2746f6a809d6c9867fae1f4bb6e1cff9b497e2a85fd2f95058be98dfae54aa35b841e3e93dd342ab0e5fd16df919ef76892baf212b |
memory/832-18-0x0000000000560000-0x0000000000590000-memory.dmp
memory/832-19-0x0000000004D80000-0x0000000004D86000-memory.dmp
memory/832-20-0x000000000A8E0000-0x000000000AEF8000-memory.dmp
memory/832-21-0x000000000A3D0000-0x000000000A4DA000-memory.dmp
memory/832-22-0x000000000A310000-0x000000000A322000-memory.dmp
memory/832-23-0x000000000A370000-0x000000000A3AC000-memory.dmp
memory/832-24-0x0000000002740000-0x000000000278C000-memory.dmp