Analysis Overview
SHA256
c52d2523c4d8fa5e1812fa3a324c2c47c1309830b0de0bfa27c81d12735f1f5e
Threat Level: Known bad
The file c52d2523c4d8fa5e1812fa3a324c2c47c1309830b0de0bfa27c81d12735f1f5e was found to be: Known bad.
Malicious Activity Summary
Detects Healer an antivirus disabler dropper
RedLine payload
Healer
RedLine
Modifies Windows Defender Real-time Protection settings
Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Unsigned PE
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-10 01:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-10 01:58
Reported
2024-09-10 02:01
Platform
win10v2004-20240802-en
Max time kernel
132s
Max time network
148s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0445814.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3674997.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4993876.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i2665851.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0445814.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3674997.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\c52d2523c4d8fa5e1812fa3a324c2c47c1309830b0de0bfa27c81d12735f1f5e.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1552 set thread context of 4664 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4993876.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4993876.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i2665851.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c52d2523c4d8fa5e1812fa3a324c2c47c1309830b0de0bfa27c81d12735f1f5e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0445814.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3674997.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4993876.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c52d2523c4d8fa5e1812fa3a324c2c47c1309830b0de0bfa27c81d12735f1f5e.exe
"C:\Users\Admin\AppData\Local\Temp\c52d2523c4d8fa5e1812fa3a324c2c47c1309830b0de0bfa27c81d12735f1f5e.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0445814.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0445814.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3674997.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3674997.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4993876.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4993876.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1552 -ip 1552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 556
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i2665851.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i2665851.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0445814.exe
| MD5 | c883f1794c26a640e7783945cf9a70dc |
| SHA1 | 14947c49dec62bf7327686c4ac087575c8ef4c9c |
| SHA256 | 69c0c74540a2570612b2eada0206ffc1fcd15497f442af1052a23089784116e9 |
| SHA512 | 7a0561d41973670cb5757398f13f9b43a67b580e6f5aabe91983dc19810b3b71f893e5e15f92ad0db2b97cde65ff5646ac89ecf11a542be7a0f913148bc82fd1 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3674997.exe
| MD5 | 34fba452172a3c3a08014ddc3484c3de |
| SHA1 | 9943da1b5187826a544098f316b7fb00c841a27e |
| SHA256 | 9ba1e4660ee0dda0b84c2077255ad7a8c89ef86a7d21c0266aa7b687573cef0c |
| SHA512 | b213f0a26ca89ddd24561a03c0d6666d091ba4b7aa2f6d949abba4273f396c3a3c9724a7f4e9a55ee0eb3a6a961aaa20af6df5b36caecb27f0321a898f3637b6 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4993876.exe
| MD5 | 0c669a789359ac3d23e87bc5b5d59f0d |
| SHA1 | 37e376c8dfae4aaa9f0d6d88ff761b7cde905a27 |
| SHA256 | 6c8544ba231d33218273548e6f1765fdd9308e6e5c44ef21b8d908f204e9a416 |
| SHA512 | 1698424393e6c1af17f5bc9e2cbc5ccec82e5a9ed1118a51527a8f2b662e8d7d356e0e0125846c5c0464df72ed02c73d5556d9d859b7d9812f2ebe420e89d8c9 |
memory/4664-21-0x0000000000400000-0x000000000040A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i2665851.exe
| MD5 | 4635233db0644c10d38844281931bd18 |
| SHA1 | d3f57625536422c96564abc7337f133c81eee7ce |
| SHA256 | ddfb26ceb548d7fe801c0778ec21dd467202539586d69d1436d4b34e119d4cae |
| SHA512 | d2fd45fef06b74a5d070c9925197bbd236ea4a09fff2f1347a09a3a572a398c8429c9d7fe2740b5252a429f6dfd2facf8c5db1c4bda59da928fe06e4d4bdb1f8 |
memory/3276-25-0x00000000004F0000-0x0000000000520000-memory.dmp
memory/3276-26-0x0000000002650000-0x0000000002656000-memory.dmp
memory/3276-27-0x00000000054F0000-0x0000000005B08000-memory.dmp
memory/3276-28-0x0000000004FE0000-0x00000000050EA000-memory.dmp
memory/3276-29-0x0000000004D70000-0x0000000004D82000-memory.dmp
memory/3276-30-0x0000000004F10000-0x0000000004F4C000-memory.dmp
memory/3276-31-0x0000000004F50000-0x0000000004F9C000-memory.dmp