Analysis Overview
SHA256
59bbc8f9f96c429e4c32b0b595d88a82ff3a85d8ae726b723e8a767ca4489680
Threat Level: Known bad
The file 59bbc8f9f96c429e4c32b0b595d88a82ff3a85d8ae726b723e8a767ca4489680 was found to be: Known bad.
Malicious Activity Summary
Redline family
Healer
Detects Healer an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine payload
Healer family
Executes dropped EXE
Checks computer location settings
Windows security modification
Adds Run key to start application
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 08:26
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 08:26
Reported
2024-11-08 08:29
Platform
win10v2004-20241007-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr194095.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr194095.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr194095.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr194095.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr194095.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr194095.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu943905.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un007049.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un892799.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr194095.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu943905.exe | N/A |
| N/A | N/A | C:\Windows\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk954095.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr194095.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr194095.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\59bbc8f9f96c429e4c32b0b595d88a82ff3a85d8ae726b723e8a767ca4489680.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un007049.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un892799.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr194095.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu943905.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk954095.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\59bbc8f9f96c429e4c32b0b595d88a82ff3a85d8ae726b723e8a767ca4489680.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un007049.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un892799.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr194095.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu943905.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\1.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr194095.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr194095.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu943905.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\59bbc8f9f96c429e4c32b0b595d88a82ff3a85d8ae726b723e8a767ca4489680.exe
"C:\Users\Admin\AppData\Local\Temp\59bbc8f9f96c429e4c32b0b595d88a82ff3a85d8ae726b723e8a767ca4489680.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un007049.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un007049.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un892799.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un892799.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr194095.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr194095.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4576 -ip 4576
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 1084
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu943905.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu943905.exe
C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2356 -ip 2356
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 1496
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk954095.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk954095.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.161.248.90:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| RU | 185.161.248.90:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| RU | 185.161.248.90:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| RU | 185.161.248.90:4125 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un007049.exe
| Hash | Value |
| MD5 | 54c1e112755e5b0e1aa4eb1e967d19f5 |
| SHA1 | 6313de7f7412f64a530b505eb2df91a0f06b6395 |
| SHA256 | 462b9ba12064020d4d13d02b6ae21cc61b4810ae32d2f163c87c0e4763b3a56d |
| SHA512 | 0bf67b5eda2d5277a47a7d95772add63067fe98f0113411dcf960dde776fa11da26d714ffdf18c90014a6bef6012e66dec10afcffdebb7fa4f7326927892b4c6 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un892799.exe
| Hash | Value |
| MD5 | 00f61f3477deff33d35b02affdf6255c |
| SHA1 | 06c3cc94fdfbfcffa88ade49df2ce575bacaa58e |
| SHA256 | 604bbc4f9030d519f92d6f656d4167565609f6a56b8775b09a2134f9b883d69a |
| SHA512 | 85d2fd1cc2bb02654a92945c7e908263ffe159dfd973ef49d2fc5939efd1dff0b5d19c14710d747cf4403f7e4d45feab57ec5ac43479001ce82362c240cc34c9 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr194095.exe
| Hash | Value |
| MD5 | 95e6c39b0a48065756fd7bbe5d8a7168 |
| SHA1 | 233faa5ee3bc7603ba09350d3cbc0226c69aa510 |
| SHA256 | ccc727c92d3c6f9a46229c3e30f4bba63cf3f9eabf6c08a69174e21aa21dce2a |
| SHA512 | b5c5dc5c2ab5ef61c93dae03f3422fb89421e316811cf4abe8db769a10da7eaf60c2a69d55a75a0cc6b5a690da253c3d24401a1b2bfc14190d1df9fc08c26f24 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu943905.exe
| Hash | Value |
| MD5 | 38378440401179d9e277ad494a4f4eeb |
| SHA1 | 144eb4a952172596bf7c72fa97ce8871078bf660 |
| SHA256 | 0eeb3422962f4117f296317d4bf18e916483d2ce546f6a3ac0200b0da1de1e9d |
| SHA512 | 67f76e50f9848eb3950439a4bd05dad780eb0c406476af7001953e6354a5cb7699f89bb08acea401ef5df4734d15a36401013c4cfd295c8ffdcb5d746c067405 |
C:\Windows\Temp\1.exe
| Hash | Value |
| MD5 | 03728fed675bcde5256342183b1d6f27 |
| SHA1 | d13eace7d3d92f93756504b274777cc269b222a2 |
| SHA256 | f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0 |
| SHA512 | 6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk954095.exe
| Hash | Value |
| MD5 | c52ebada00a59ec1f651a0e9fbcef2eb |
| SHA1 | e1941278df76616f1ca3202ef2a9f99d2592d52f |
| SHA256 | 35d5cff482e78c0137b3c51556d1e14aab0f38921ebfe46abc979a826301d28e |
| SHA512 | 6b11124fa6cfa1d2fdb8b6a4cc237b4a65ecbeb1797179568dcef378041ce05bdf0af9b6434cc0b3feb2479112d003b0fa5c0d2178c73bc65d35f5c2cfb36be2 |
memory/5200-2235-0x0000000000C70000-0x0000000000CA0000-memory.dmp
memory/5200-2236-0x00000000013B0000-0x00000000013B6000-memory.dmp