Analysis Overview
SHA256
4cbd8a7ebd3eb952243bce4a2d5d130ef6c052265c56094548f9bc54e643a0f1
Threat Level: Known bad
The file 4cbd8a7ebd3eb952243bce4a2d5d130ef6c052265c56094548f9bc54e643a0f1 was found to be: Known bad.
Malicious Activity Summary
RedLine payload
Healer family
Healer
Redline family
Detects Healer, an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
RedLine
Windows security modification
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Launches sc.exe
System Location Discovery: System Language Discovery
Unsigned PE
Program crash
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-07 09:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-07 09:40
Reported
2024-11-07 09:43
Platform
win10v2004-20241007-en
Max time kernel
146s
Max time network
152s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(17 identical rows in the original report: 17 hits of this rule, none with a description, indicator, process or target recorded.)
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr353093.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr353093.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr353093.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr353093.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr353093.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr353093.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(5 identical rows in the original report: 5 hits of this rule, none with a description, indicator, process or target recorded.)
Redline family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu618045.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un858624.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un372205.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr353093.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu618045.exe | N/A |
| N/A | N/A | C:\Windows\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk826328.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr353093.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr353093.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\4cbd8a7ebd3eb952243bce4a2d5d130ef6c052265c56094548f9bc54e643a0f1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un858624.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un372205.exe | N/A |
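The registry rows above (Defender Real-Time Protection policy, Defender Features\TamperProtection, the three RunOnce values, and the Geo/NLS reads further down) are the kind of events a detection engineer turns into triage logic. The following Python is an added example, not part of the sandbox report: it classifies registry events of exactly those shapes, strips the WOW6432Node component so one rule matches the redirected view a 32-bit writer produces and the native view alike, and separates the wextract_cleanupN RunOnce entries (which only delete the IXPnnn.TMP extraction directory via advpack.dll,DelNodeRunDLL32 and start nothing) from a genuine autorun. The sample events are constructed from the report rows; the last one, a Run value named Updater, is a constructed counter-example that does not appear in this report. Severity levels and the pid-free event shape are this example's own choices.

```python
"""Registry-event triage modelled on the sandbox rows above.

Added example, not from the report. Events are constructed from the report's
registry rows plus one labelled counter-example; severities are this example's.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class RegEvent:
    process: str   # image path of the process that touched the key
    op: str        # "Key created" | "Key opened" | "Key value queried" | "Set value (int)" | "Set value (str)"
    path: str      # \REGISTRY\... path; for value operations the value name is the last component
    data: str = "" # value data for "Set value" operations

VALUE_OPS = {"Set value (int)", "Set value (str)", "Key value queried"}

# Key suffixes, compared against the normalized, lower-cased key.
DEFENDER_RTP = r"\policies\microsoft\windows defender\real-time protection"
DEFENDER_FEATURES = r"\microsoft\windows defender\features"
RUN_KEYS = (r"\microsoft\windows\currentversion\run", r"\microsoft\windows\currentversion\runonce")
GEO_KEY = r"\control panel\international\geo"
NLS_KEY = r"\control\nls\language"

# wextract (IExpress self-extractor) registers this RunOnce value to delete its
# IXPnnn.TMP extraction directory at next logon; it does not start anything.
WEXTRACT_CLEANUP = re.compile(r"rundll32(?:\.exe)?\s+.*advpack\.dll,DelNodeRunDLL32\b", re.I)

Finding = Tuple[str, str, str]  # (severity, ATT&CK technique id, message)

def normalize(key: str) -> str:
    """Native-format key -> HKLM/HKU form, WOW6432Node dropped (the sandbox logged the
    32-bit redirected view), lower-cased for suffix matching."""
    k = key.replace("\\REGISTRY\\MACHINE\\", "HKLM\\").replace("\\REGISTRY\\USER\\", "HKU\\")
    return re.sub(r"\\WOW6432Node(?=\\|$)", "", k, flags=re.I).lower()

def split(ev: RegEvent) -> Tuple[str, str]:
    """(normalized key, value name); value operations carry the name as the last component."""
    if ev.op in VALUE_OPS:
        key, _, value = ev.path.rpartition("\\")
        return normalize(key), value
    return normalize(ev.path), ""

def classify(ev: RegEvent) -> Finding:
    key, value = split(ev)
    who = ev.process.rsplit("\\", 1)[-1]
    if key.endswith(DEFENDER_RTP) or key.endswith(DEFENDER_FEATURES):
        if ev.op == "Key created":
            return ("medium", "T1562.001", f"{who} created Defender key {key}")
        if key.endswith(DEFENDER_RTP) and value.lower().startswith("disable") and ev.data == "1":
            return ("high", "T1562.001", f"{who} set {value}=1 under the Real-Time Protection policy key")
        if value.lower() == "tamperprotection" and ev.data == "0":
            return ("high", "T1562.001", f"{who} set TamperProtection=0")
    if any(key.endswith(r) for r in RUN_KEYS) and ev.op.startswith("Set value"):
        if WEXTRACT_CLEANUP.search(ev.data):
            return ("info", "", f"{value}: wextract cleanup entry (deletes the extraction directory), not persistence")
        return ("medium", "T1547.001", f"{who} added autorun {value} -> {ev.data}")
    if key.endswith(GEO_KEY) and value.lower() == "nation":
        return ("low", "T1614", f"{who} queried Geo\\Nation")
    if key.endswith(NLS_KEY):
        return ("low", "T1614.001", f"{who} opened NLS\\Language")
    return ("none", "", "")

def triage(events: List[RegEvent]) -> List[Finding]:
    """Every finding worth reporting, highest severity first (input order otherwise)."""
    rank = {"high": 0, "medium": 1, "low": 2, "info": 3}
    return sorted((f for f in map(classify, events) if f[0] != "none"), key=lambda f: rank[f[0]])

PR = r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr353093.exe"
QU = r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu618045.exe"
MAIN = r"C:\Users\Admin\AppData\Local\Temp\4cbd8a7ebd3eb952243bce4a2d5d130ef6c052265c56094548f9bc54e643a0f1.exe"
RTP = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"

SAMPLE_EVENTS = [  # constructed from the report rows
    RegEvent(PR, "Key created", RTP),
    RegEvent(PR, "Set value (int)", RTP + r"\DisableRealtimeMonitoring", "1"),
    RegEvent(PR, "Set value (int)", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection", "0"),
    RegEvent(MAIN, "Set value (str)", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
             r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'),
    RegEvent(QU, "Key value queried", r"\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation"),
    RegEvent(r"C:\Windows\Temp\1.exe", "Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    # Constructed counter-example (not in the report): a real Run-key autostart.
    RegEvent(r"C:\Users\Admin\AppData\Roaming\updater.exe", "Set value (str)",
             r"\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
             r"C:\Users\Admin\AppData\Roaming\updater.exe"),
]

FINDINGS = triage(SAMPLE_EVENTS)

if __name__ == "__main__":
    for sev, tid, msg in FINDINGS:
        print(f"[{sev:6}] {tid:10} {msg}")
```

Two caveats when using this against a real host rather than a sandbox log. First, the report shows the writes were attempted; on a machine where Tamper Protection is on, Defender does not honour policy edits made this way, so a "high" here means "tried", and the live state should be read with Get-MpComputerStatus (RealTimeProtectionEnabled, IsTamperProtected). Second, the "Adds Run key to start application" signature fires on the wextract_cleanupN values, but as the classifier shows they are cleanup entries for the IXP000/IXP001/IXP002 directories, not an autostart for the payload; persistence, if any, has to be looked for elsewhere.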
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr353093.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu618045.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu618045.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk826328.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4cbd8a7ebd3eb952243bce4a2d5d130ef6c052265c56094548f9bc54e643a0f1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un858624.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un372205.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr353093.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr353093.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr353093.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr353093.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu618045.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\4cbd8a7ebd3eb952243bce4a2d5d130ef6c052265c56094548f9bc54e643a0f1.exe | "C:\Users\Admin\AppData\Local\Temp\4cbd8a7ebd3eb952243bce4a2d5d130ef6c052265c56094548f9bc54e643a0f1.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un858624.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un858624.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un372205.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un372205.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr353093.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr353093.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1652 -ip 1652 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 1084 |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu618045.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu618045.exe |
| C:\Windows\Temp\1.exe | "C:\Windows\Temp\1.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5004 -ip 5004 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 988 |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk826328.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk826328.exe |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe start wuauserv |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
| US | 8.8.8.8:53 | 101.209.201.84.in-addr.arpa | udp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
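The Network table mixes two very different things: twelve direct TCP connections to 185.161.248.90:4125, and a series of reverse-DNS (in-addr.arpa) queries sent to the resolver at 8.8.8.8. The reverse lookups are queries about addresses, not connections to them, so the looked-up hosts should not go on a blocklist on the strength of this table alone. The Python below is an added example, not part of the report: it parses rows in the shape of this table (tolerating the scraped variant where the empty Domain cell was dropped and the protocol slid left), splits direct connections from reverse lookups, decodes the in-addr.arpa names back into the addresses that were looked up, and pulls the dropped-file digests out of the Files section, discarding any digest whose length does not match its algorithm. NETWORK_ROWS and FILE_ROWS are excerpts copied from this report, not the full tables.

```python
"""IOC extraction from the Network and Files tables above.

Added example, not from the report. NETWORK_ROWS and FILE_ROWS are excerpts of
the report's tables (including the shifted-column row shape the scraped page
had); the noise filter and output shape are this example's own.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

PROTOS = {"tcp", "udp"}
PTR_NAME = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$")
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

NETWORK_ROWS = """
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | tcp | |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.161.248.90:4125 | tcp |
| RU | 185.161.248.90:4125 | | tcp |
"""

FILE_ROWS = r"""
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un858624.exe
| MD5 | 91311bfbfccd841a3a4a3f1543b62ad3 |
| SHA1 | 6546055bc74e183299f82dfe734bd12487c01416 |
| SHA256 | 090fc41cac8f7e531c149ad6671bcc88bd4ddd76f02ab14d185b9642c421ffe4 |
memory/1652-22-0x0000000004D20000-0x0000000004D3A000-memory.dmp
C:\Windows\Temp\1.exe
| MD5 | 03728fed675bcde5256342183b1d6f27 |
| SHA1 | d13eace7d3d92f93756504b274777cc269b222a2 |
| SHA256 | f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0 |
"""

def parse_network_row(line: str) -> Optional[dict]:
    """One table row -> dict. The protocol is whichever trailing cell says tcp/udp,
    so rows whose empty Domain cell was dropped still parse."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) < 3 or ":" not in cells[1]:
        return None
    host, _, port = cells[1].rpartition(":")
    rest = cells[2:]
    proto = next((c.lower() for c in rest if c.lower() in PROTOS), "")
    domain = next((c for c in rest if c and c.lower() not in PROTOS), "")
    return {"country": cells[0], "ip": host, "port": int(port), "proto": proto, "domain": domain}

def network_iocs(rows: str) -> Dict[str, object]:
    """Direct connections (hunt on these, with hit counts) separated from reverse-DNS
    lookups sent to the resolver (context only: the looked-up host was not contacted here)."""
    conns: Counter = Counter()
    ptr: List[str] = []
    for line in rows.splitlines():
        r = parse_network_row(line)
        if r is None:
            continue
        m = PTR_NAME.match(r["domain"])
        if r["port"] == 53 and m:
            ptr.append(".".join(reversed(m.groups())))   # PTR names carry the octets reversed
            continue
        conns[(r["ip"], r["port"], r["proto"])] += 1
    return {"connections": conns, "ptr_lookups": ptr}

def file_iocs(text: str) -> Dict[str, Dict[str, str]]:
    """Path -> {algo: hexdigest}; digests of the wrong length for their algorithm
    (a truncated or mis-scraped row) are dropped, memory dump lines are skipped."""
    files: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("memory/"):
            continue
        m = HASH_ROW.match(line)
        if m and current is not None:
            algo, digest = m.group(1).upper(), m.group(2).lower()
            if len(digest) == HASH_LEN[algo]:
                files[current][algo] = digest
        elif not line.startswith("|"):
            current = line
            files.setdefault(current, {})
    return files

def ioc_list(network, files) -> List[tuple]:
    """Flat (type, value, note) list ready for a blocklist or a hunt query."""
    out = [("ip:port", f"{ip}:{port}/{proto}", f"{n} connections")
           for (ip, port, proto), n in network["connections"].items()]
    out += [("sha256", h["SHA256"], path) for path, h in files.items() if "SHA256" in h]
    return out

if __name__ == "__main__":
    net, fl = network_iocs(NETWORK_ROWS), file_iocs(FILE_ROWS)
    for t, v, note in ioc_list(net, fl):
        print(f"{t:8} {v}  # {note}")
    print("reverse lookups (context only):", ", ".join(net["ptr_lookups"]))
```

Run over the full table the connection counter reaches 12 for 185.161.248.90:4125/tcp, which is the one endpoint worth alerting on; the decoded reverse-lookup targets are useful for answering "who issued these queries" during triage, not for blocking.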
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un858624.exe
| MD5 | 91311bfbfccd841a3a4a3f1543b62ad3 |
| SHA1 | 6546055bc74e183299f82dfe734bd12487c01416 |
| SHA256 | 090fc41cac8f7e531c149ad6671bcc88bd4ddd76f02ab14d185b9642c421ffe4 |
| SHA512 | 7b80b37f4bf465ccb43716a56cb7e6598b2eaba122f5e5c13747cbbe5ba3c211a50c2790210f10c2cde53a95b85f831c8eb24f5e864fcf9c917b10727a75a441 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un372205.exe
| MD5 | c0bac2c163dfcd35a42c45e796beb7a0 |
| SHA1 | c98f23b7e5482a36e7a4c28d3757300a271197f9 |
| SHA256 | 7ee8056e0c7bca419aa0bf6c68272d3d993c1afe310ac77c46d623fcb11abb97 |
| SHA512 | 48ccafd8b1c78d93d5201280ed4ed94ff4fe081cdb2bcb153434b8275f601e440e62ba2632746d2e1d3c4b43f4087f701e63a4fe26618ea66dafebd45195d5cf |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr353093.exe
| MD5 | c879bae3779f2eea75f1a328b258a046 |
| SHA1 | 9fb6a5a3d6cf089212ae0bca087354be39ec0a53 |
| SHA256 | 1fbc5ba35ecf87f76da6776cfcb0a182ab407222500276b8804febe64e9b6858 |
| SHA512 | 8bc369d52fc271dbf1cd0839bc9ec4288aecda6491cbea9b4519dafb4cd2875462b37317e91537ab0ed0254ea2838ec39851196d808b8986fc8dc9745239f82d |
memory/1652-22-0x0000000004D20000-0x0000000004D3A000-memory.dmp
memory/1652-23-0x0000000004DB0000-0x0000000005354000-memory.dmp
memory/1652-24-0x0000000004D80000-0x0000000004D98000-memory.dmp
memory/1652-52-0x0000000004D80000-0x0000000004D92000-memory.dmp
memory/1652-50-0x0000000004D80000-0x0000000004D92000-memory.dmp
memory/1652-48-0x0000000004D80000-0x0000000004D92000-memory.dmp
memory/1652-46-0x0000000004D80000-0x0000000004D92000-memory.dmp
memory/1652-44-0x0000000004D80000-0x0000000004D92000-memory.dmp
memory/1652-42-0x0000000004D80000-0x0000000004D92000-memory.dmp
memory/1652-40-0x0000000004D80000-0x0000000004D92000-memory.dmp
memory/1652-38-0x0000000004D80000-0x0000000004D92000-memory.dmp
memory/1652-36-0x0000000004D80000-0x0000000004D92000-memory.dmp
memory/1652-34-0x0000000004D80000-0x0000000004D92000-memory.dmp
memory/1652-32-0x0000000004D80000-0x0000000004D92000-memory.dmp
memory/1652-30-0x0000000004D80000-0x0000000004D92000-memory.dmp
memory/1652-28-0x0000000004D80000-0x0000000004D92000-memory.dmp
memory/1652-26-0x0000000004D80000-0x0000000004D92000-memory.dmp
memory/1652-25-0x0000000004D80000-0x0000000004D92000-memory.dmp
memory/1652-53-0x0000000000400000-0x000000000080A000-memory.dmp
memory/1652-55-0x0000000000400000-0x000000000080A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu618045.exe
| MD5 | 9de927c8e7acfc108ddb1352082aa593 |
| SHA1 | 6925ac938135d8fed489a81c5dfd8d68b97e3f90 |
| SHA256 | 535f7278ffe4204e7c45ad7734c86062cae1025d10b0a0f87fbbcf5b3f8f3064 |
| SHA512 | 5bf489fa31b9fa8ea73f10db0ae0b609714153631cf83a1d68a3a087d7245626307761bdd3a05c7c11acd18c162003101758997ba0fefa309b0ba0f6fae586c0 |
memory/5004-60-0x0000000004E90000-0x0000000004EF8000-memory.dmp
memory/5004-61-0x0000000005570000-0x00000000055D6000-memory.dmp
memory/5004-71-0x0000000005570000-0x00000000055D0000-memory.dmp
memory/5004-89-0x0000000005570000-0x00000000055D0000-memory.dmp
memory/5004-93-0x0000000005570000-0x00000000055D0000-memory.dmp
memory/5004-91-0x0000000005570000-0x00000000055D0000-memory.dmp
memory/5004-87-0x0000000005570000-0x00000000055D0000-memory.dmp
memory/5004-85-0x0000000005570000-0x00000000055D0000-memory.dmp
memory/5004-83-0x0000000005570000-0x00000000055D0000-memory.dmp
memory/5004-81-0x0000000005570000-0x00000000055D0000-memory.dmp
memory/5004-79-0x0000000005570000-0x00000000055D0000-memory.dmp
memory/5004-77-0x0000000005570000-0x00000000055D0000-memory.dmp
memory/5004-75-0x0000000005570000-0x00000000055D0000-memory.dmp
memory/5004-73-0x0000000005570000-0x00000000055D0000-memory.dmp
memory/5004-69-0x0000000005570000-0x00000000055D0000-memory.dmp
memory/5004-67-0x0000000005570000-0x00000000055D0000-memory.dmp
memory/5004-95-0x0000000005570000-0x00000000055D0000-memory.dmp
memory/5004-65-0x0000000005570000-0x00000000055D0000-memory.dmp
memory/5004-63-0x0000000005570000-0x00000000055D0000-memory.dmp
memory/5004-62-0x0000000005570000-0x00000000055D0000-memory.dmp
memory/5004-2204-0x0000000005760000-0x0000000005792000-memory.dmp
C:\Windows\Temp\1.exe
| MD5 | 03728fed675bcde5256342183b1d6f27 |
| SHA1 | d13eace7d3d92f93756504b274777cc269b222a2 |
| SHA256 | f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0 |
| SHA512 | 6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1 |
memory/6096-2217-0x0000000000B20000-0x0000000000B4E000-memory.dmp
memory/6096-2218-0x0000000005400000-0x0000000005406000-memory.dmp
memory/6096-2219-0x0000000005AE0000-0x00000000060F8000-memory.dmp
memory/6096-2220-0x00000000055D0000-0x00000000056DA000-memory.dmp
memory/6096-2221-0x0000000005490000-0x00000000054A2000-memory.dmp
memory/6096-2222-0x0000000005500000-0x000000000553C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk826328.exe
| MD5 | c52ebada00a59ec1f651a0e9fbcef2eb |
| SHA1 | e1941278df76616f1ca3202ef2a9f99d2592d52f |
| SHA256 | 35d5cff482e78c0137b3c51556d1e14aab0f38921ebfe46abc979a826301d28e |
| SHA512 | 6b11124fa6cfa1d2fdb8b6a4cc237b4a65ecbeb1797179568dcef378041ce05bdf0af9b6434cc0b3feb2479112d003b0fa5c0d2178c73bc65d35f5c2cfb36be2 |
memory/6096-2227-0x0000000005550000-0x000000000559C000-memory.dmp
memory/5884-2228-0x0000000000500000-0x0000000000530000-memory.dmp
memory/5884-2229-0x00000000025C0000-0x00000000025C6000-memory.dmp
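The memory dump names in the Files section encode the pid, a snapshot sequence number and the dumped address range, and the WerFault command lines in the Processes list carry the pid of each crashed process (-p 1652, -p 5004). The Python below is an added example, not part of the report: it parses both, ties the crashed pids to the Program crash targets, computes region sizes, flags ranges that were snapshotted repeatedly, and checks whether a pid's dumps are listed under more than one file header. FILES_SECTION is a subset of the report's Files section and the WerFault command lines are copied from the Processes list; the assumption that the distinct WerFault pids appear in the same order as the Program crash targets is this example's own.

```python
"""Memory dump and crash triage for the Processes and Files sections above.

Added example, not from the report. FILES_SECTION is a subset of the dump names
listed above and WERFAULT_CMDLINES a copy of the WerFault rows; the pid-to-image
pairing rule is this example's assumption.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# memory/<pid>-<snapshot>-0x<start>-0x<end>-memory.dmp
DUMP_NAME = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
WERFAULT_PID = re.compile(r"WerFault\.exe\b.*?\s-p\s+(\d+)")

FILES_SECTION = r"""
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr353093.exe
| SHA256 | 1fbc5ba35ecf87f76da6776cfcb0a182ab407222500276b8804febe64e9b6858 |
memory/1652-22-0x0000000004D20000-0x0000000004D3A000-memory.dmp
memory/1652-24-0x0000000004D80000-0x0000000004D98000-memory.dmp
memory/1652-52-0x0000000004D80000-0x0000000004D92000-memory.dmp
memory/1652-50-0x0000000004D80000-0x0000000004D92000-memory.dmp
memory/1652-48-0x0000000004D80000-0x0000000004D92000-memory.dmp
memory/1652-53-0x0000000000400000-0x000000000080A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu618045.exe
memory/5004-60-0x0000000004E90000-0x0000000004EF8000-memory.dmp
memory/5004-2204-0x0000000005760000-0x0000000005792000-memory.dmp
C:\Windows\Temp\1.exe
memory/6096-2217-0x0000000000B20000-0x0000000000B4E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk826328.exe
memory/6096-2227-0x0000000005550000-0x000000000559C000-memory.dmp
memory/5884-2228-0x0000000000500000-0x0000000000530000-memory.dmp
"""

CRASH_TARGETS = [  # "Program crash" table, Target column, in table order
    r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr353093.exe",
    r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu618045.exe",
]
WERFAULT_CMDLINES = [  # Processes list, in listed order
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1652 -ip 1652",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 1084",
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5004 -ip 5004",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 988",
]

def crashed_pids(cmdlines: List[str], targets: List[str]) -> Dict[int, str]:
    """pid -> crashed image. Assumption: distinct -p pids (first-seen order) line up
    with the Program crash targets in table order."""
    pids: List[int] = []
    for c in cmdlines:
        m = WERFAULT_PID.search(c)
        if m and int(m.group(1)) not in pids:
            pids.append(int(m.group(1)))
    return dict(zip(pids, targets))

def parse_files_section(text: str):
    """(regions by pid as (seq, start, end), pid -> file headers its dumps were listed under)."""
    regions: Dict[int, List[Tuple[int, int, int]]] = defaultdict(list)
    listed_under: Dict[int, set] = defaultdict(set)
    current = None
    for line in text.strip().splitlines():
        line = line.strip()
        m = DUMP_NAME.match(line)
        if m:
            pid, seq = int(m.group(1)), int(m.group(2))
            regions[pid].append((seq, int(m.group(3), 16), int(m.group(4), 16)))
            if current:
                listed_under[pid].add(current)
        elif line and not line.startswith("|"):
            current = line  # a file header row
    return regions, listed_under

def summarize(regions, listed_under, crashed) -> Dict[int, dict]:
    out = {}
    for pid, regs in regions.items():
        ranges = Counter((s, e) for _, s, e in regs)
        _, start, end = max(regs, key=lambda r: r[2] - r[1])
        out[pid] = {
            "image": crashed.get(pid),                        # known only for crashed pids
            "listed_under": sorted(listed_under[pid]),
            "ambiguous": len(listed_under[pid]) > 1,           # dumps appear under two file headers
            "crashed": pid in crashed,
            "snapshots": len(regs),
            "largest": (start, end, end - start),
            "resnapshotted": {k: n for k, n in ranges.items() if n > 1},
            "image_base_region": any(s == 0x400000 for _, s, _ in regs),  # default 32-bit image base
        }
    return out

if __name__ == "__main__":
    regs, under = parse_files_section(FILES_SECTION)
    for pid, s in summarize(regs, under, crashed_pids(WERFAULT_CMDLINES, CRASH_TARGETS)).items():
        print(pid, s)
```

Two things this surfaces from the report itself. Both crashes were handled by C:\Windows\SysWOW64\WerFault.exe, so pr353093.exe and qu618045.exe are 32-bit processes, and the 0x00400000-0x0080A000 snapshots taken for pid 1652 after its crash start at the default 32-bit image base, i.e. they cover the main image. And the dumps are grouped by pid, not by the file they sit under: memory/6096-2227 is listed under rk826328.exe but belongs to pid 6096, the same pid whose earlier dumps sit under 1.exe, while pid 5884's single dump is the one that goes with rk826328.exe. The ambiguity flag exists so that mapping is checked rather than read off the layout.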