Analysis Overview
SHA256
6e09e9ec9368fcee10e0ad33dc14679fc81592486c94c7b35c63dc01ad9b5378
Threat Level: Known bad
The file 6e09e9ec9368fcee10e0ad33dc14679fc81592486c94c7b35c63dc01ad9b5378 was found to be: Known bad.
Malicious Activity Summary
RedLine payload
Detects Healer an antivirus disabler dropper
Healer family
Redline family
RedLine
Healer
Modifies Windows Defender Real-time Protection settings
Windows security modification
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 21:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 21:47
Reported
2024-11-09 21:50
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Temp\1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Temp\1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Temp\1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Temp\1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Temp\1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Temp\1.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65331000.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un133101.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65331000.exe | N/A |
| N/A | N/A | C:\Windows\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk059219.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si168256.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Windows\Temp\1.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\6e09e9ec9368fcee10e0ad33dc14679fc81592486c94c7b35c63dc01ad9b5378.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un133101.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65331000.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk059219.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65331000.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk059219.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si168256.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6e09e9ec9368fcee10e0ad33dc14679fc81592486c94c7b35c63dc01ad9b5378.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un133101.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Temp\1.exe | N/A |
| N/A | N/A | C:\Windows\Temp\1.exe | N/A |
| N/A | N/A | C:\Windows\Temp\1.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65331000.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk059219.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Temp\1.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6e09e9ec9368fcee10e0ad33dc14679fc81592486c94c7b35c63dc01ad9b5378.exe
"C:\Users\Admin\AppData\Local\Temp\6e09e9ec9368fcee10e0ad33dc14679fc81592486c94c7b35c63dc01ad9b5378.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un133101.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un133101.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65331000.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65331000.exe
C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4668 -ip 4668
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 1524
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk059219.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk059219.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5332 -ip 5332
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5332 -s 1260
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si168256.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si168256.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| RU | 185.161.248.73:4164 | | tcp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | 68.208.201.84.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un133101.exe
| MD5 | 02dbd5b76ca7da877d2559125a412dd2 |
| SHA1 | 15cee3a4fe0a5d6dffe5b220d4e9ac5b9058b472 |
| SHA256 | 090a6ac11064c612582f6e81863364674c6f3c520b81a6058a7ac2c7d7ebd32b |
| SHA512 | eeb79719168896b0de4d7f74afb6060fc468cbae99509cd0904895e3cd9d764c3404d03da73ab2960f3c96367902783d514eb31ee00495dfa4923a7c57e1c649 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65331000.exe
| MD5 | d0186d4724c69b9aa469531553c6fe58 |
| SHA1 | 3036ebacf9d596343df4010a643461ac211d3312 |
| SHA256 | 60dc63bc639c4fb22f2bbec9d7675f061d6a147ea9c5b22d18521b60c9f4f6ad |
| SHA512 | 6394718f14719e1deefde49a1510f4aad8d4f86fc024d65f765ffc54bfec0bddb57de113da38f96f20132d57badb49909503d9de4c8d67dbe92b90e7b36ceee7 |
memory/4668-15-0x0000000000AB0000-0x0000000000BB0000-memory.dmp
memory/4668-17-0x0000000000400000-0x0000000000828000-memory.dmp
memory/4668-16-0x0000000000400000-0x000000000044F000-memory.dmp
memory/4668-18-0x0000000000400000-0x0000000000828000-memory.dmp
memory/4668-19-0x0000000002760000-0x00000000027B8000-memory.dmp
memory/4668-20-0x0000000005090000-0x0000000005634000-memory.dmp
memory/4668-21-0x0000000002AF0000-0x0000000002B46000-memory.dmp
memory/4668-29-0x0000000002AF0000-0x0000000002B41000-memory.dmp
memory/4668-61-0x0000000002AF0000-0x0000000002B41000-memory.dmp
memory/4668-85-0x0000000002AF0000-0x0000000002B41000-memory.dmp
memory/4668-83-0x0000000002AF0000-0x0000000002B41000-memory.dmp
memory/4668-81-0x0000000002AF0000-0x0000000002B41000-memory.dmp
memory/4668-79-0x0000000002AF0000-0x0000000002B41000-memory.dmp
memory/4668-77-0x0000000002AF0000-0x0000000002B41000-memory.dmp
memory/4668-75-0x0000000002AF0000-0x0000000002B41000-memory.dmp
memory/4668-73-0x0000000002AF0000-0x0000000002B41000-memory.dmp
memory/4668-71-0x0000000002AF0000-0x0000000002B41000-memory.dmp
memory/4668-69-0x0000000002AF0000-0x0000000002B41000-memory.dmp
memory/4668-65-0x0000000002AF0000-0x0000000002B41000-memory.dmp
memory/4668-63-0x0000000002AF0000-0x0000000002B41000-memory.dmp
memory/4668-59-0x0000000002AF0000-0x0000000002B41000-memory.dmp
memory/4668-57-0x0000000002AF0000-0x0000000002B41000-memory.dmp
memory/4668-55-0x0000000002AF0000-0x0000000002B41000-memory.dmp
memory/4668-53-0x0000000002AF0000-0x0000000002B41000-memory.dmp
memory/4668-51-0x0000000002AF0000-0x0000000002B41000-memory.dmp
memory/4668-49-0x0000000002AF0000-0x0000000002B41000-memory.dmp
memory/4668-47-0x0000000002AF0000-0x0000000002B41000-memory.dmp
memory/4668-45-0x0000000002AF0000-0x0000000002B41000-memory.dmp
memory/4668-43-0x0000000002AF0000-0x0000000002B41000-memory.dmp
memory/4668-41-0x0000000002AF0000-0x0000000002B41000-memory.dmp
memory/4668-39-0x0000000002AF0000-0x0000000002B41000-memory.dmp
memory/4668-37-0x0000000002AF0000-0x0000000002B41000-memory.dmp
memory/4668-35-0x0000000002AF0000-0x0000000002B41000-memory.dmp
memory/4668-33-0x0000000002AF0000-0x0000000002B41000-memory.dmp
memory/4668-31-0x0000000002AF0000-0x0000000002B41000-memory.dmp
memory/4668-27-0x0000000002AF0000-0x0000000002B41000-memory.dmp
memory/4668-25-0x0000000002AF0000-0x0000000002B41000-memory.dmp
memory/4668-24-0x0000000002AF0000-0x0000000002B41000-memory.dmp
memory/4668-67-0x0000000002AF0000-0x0000000002B41000-memory.dmp
memory/4668-22-0x0000000002AF0000-0x0000000002B41000-memory.dmp
memory/4668-2150-0x0000000004F70000-0x0000000004F7A000-memory.dmp
C:\Windows\Temp\1.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/3964-2163-0x00000000009D0000-0x00000000009DA000-memory.dmp
memory/4668-2164-0x0000000000AB0000-0x0000000000BB0000-memory.dmp
memory/4668-2166-0x0000000000400000-0x0000000000828000-memory.dmp
memory/4668-2167-0x0000000000400000-0x000000000044F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk059219.exe
| MD5 | b01e5f897729f7b2485eb05cc2b4c04c |
| SHA1 | 3513743386aaa0fac5b6d0290639f6474c366f15 |
| SHA256 | e24c61c8f8b80d4f1949616e5b1c43976bf487d96aaaea44f5cfd10f53cc32c7 |
| SHA512 | 8709bafefe3c79ed0cc33754293bd696fe72e5bc43c4c38bdbb9d586dd6ecdd7c3f37e180bf832364020af99737331e6250a8b6af212dbae5df8a8f5137ba865 |
memory/5332-2172-0x0000000002660000-0x00000000026C8000-memory.dmp
memory/5332-2173-0x00000000055B0000-0x0000000005616000-memory.dmp
memory/5332-4320-0x0000000005780000-0x00000000057B2000-memory.dmp
memory/5332-4321-0x00000000057B0000-0x0000000005842000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si168256.exe
| MD5 | 44c52d581b66b8c0585de054d8fcfa20 |
| SHA1 | 50701f6964abd0032fb8fac39de24ed4add08f3d |
| SHA256 | 98dba28b0826d507fbe8c17633ca2890c06531ce3bc70f829b4847278dede737 |
| SHA512 | b6d484b17b15f64c49690e2a042df278daeaab3e6898172a04fdf7a77e2cc2c2ca1b9c1a2ae5c9494425bf60d016441a023fcedb2b0ebd8377730744dd00e3c2 |
memory/1720-4327-0x0000000000CA0000-0x0000000000CD0000-memory.dmp
memory/1720-4328-0x0000000002E50000-0x0000000002E56000-memory.dmp
memory/1720-4329-0x0000000005C10000-0x0000000006228000-memory.dmp
memory/1720-4330-0x0000000005700000-0x000000000580A000-memory.dmp
memory/1720-4331-0x0000000005620000-0x0000000005632000-memory.dmp
memory/1720-4332-0x0000000005680000-0x00000000056BC000-memory.dmp
memory/1720-4333-0x0000000005810000-0x000000000585C000-memory.dmp