Analysis Overview
SHA256
eec8006a53c5f85c442040a9e30d8b26a258b0668084ae6fe599307453b38f58
Threat Level: Known bad
The file eec8006a53c5f85c442040a9e30d8b26a258b0668084ae6fe599307453b38f58 was found to be: Known bad.
Malicious Activity Summary
RedLine
Redline family
Detects Healer, an antivirus-disabler dropper
Healer
Healer family
RedLine payload
Modifies Windows Defender Real-time Protection settings
Executes dropped EXE
Windows security modification
Adds Run key to start application
System Location Discovery: System Language Discovery
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 03:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 03:58
Reported
2024-11-09 04:00
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Signatures
Detects Healer, an antivirus-disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urld75fl67.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urld75fl67.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urld75fl67.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urld75fl67.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urld75fl67.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urld75fl67.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycZQ43qr88.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urld75fl67.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrey59kC60.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urld75fl67.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urld75fl67.exe | N/A |
Two caveats for triage. The report records the write calls, not whether they took effect: on a host where Tamper Protection is enforced, Defender blocks changes to this Features value and to the Real-Time Protection policy values listed above, so confirm the effective state with Get-MpComputerStatus rather than trusting the registry alone. Also, every path is under WOW6432Node: urld75fl67.exe is a 32-bit process (its crash was handled by the SysWOW64 WerFault.exe), so its writes were redirected to the 32-bit registry view. On a real host, check the native 64-bit view as well, since that is the view a 64-bit service such as Defender reads by default.
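The following PowerShell is an added triage example, not part of this report or of any tool it names. It reads the five Real-Time Protection policy values and the Features\TamperProtection value the sample writes, in both the 64-bit and the 32-bit (WOW6432Node) registry views, then reads Defender's effective state. It assumes an elevated PowerShell on Windows 10/11 with the Defender module present; the value names and key paths come from the tables above.

```powershell
# Added example (not from the sandbox report): check a live host for the Defender
# settings this sample writes, in BOTH registry views. The report shows the writes
# under WOW6432Node because the dropper is a 32-bit process; a 64-bit Defender
# service reads the native view, so inspect both. Assumes an elevated session.

$policyPath   = 'SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
$featurePath  = 'SOFTWARE\Microsoft\Windows Defender\Features'
$policyValues = @(
    'DisableBehaviorMonitoring', 'DisableIOAVProtection',
    'DisableOnAccessProtection', 'DisableRealtimeMonitoring',
    'DisableScanOnRealtimeEnable'
)

# Open HKLM explicitly in the requested view so that 'SOFTWARE\...' maps to the
# native key (Registry64) or to SOFTWARE\WOW6432Node\... (Registry32).
function Get-ValueInView {
    param(
        [string]$SubKey,
        [string]$Name,
        [Microsoft.Win32.RegistryView]$View
    )
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    try {
        $key = $base.OpenSubKey($SubKey)
        if ($null -eq $key) { return $null }
        try { return $key.GetValue($Name) } finally { $key.Close() }
    } finally { $base.Close() }
}

$findings = foreach ($viewName in 'Registry64', 'Registry32') {
    $view = [Microsoft.Win32.RegistryView]$viewName
    foreach ($name in $policyValues) {
        $val = Get-ValueInView -SubKey $policyPath -Name $name -View $view
        if ($val -eq 1) {
            [pscustomobject]@{ View = $viewName; Key = $policyPath; Name = $name; Value = $val }
        }
    }
    $tp = Get-ValueInView -SubKey $featurePath -Name 'TamperProtection' -View $view
    if ($tp -eq 0) {
        [pscustomobject]@{ View = $viewName; Key = $featurePath; Name = 'TamperProtection'; Value = $tp }
    }
}

if ($findings) {
    Write-Warning 'Defender-disabling registry values present (matches this sample''s writes):'
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'No Defender-disabling policy values found in either registry view.'
}

# The registry is only an intent signal. Tamper Protection, when enforced, blocks or
# reverts these writes, so the effective state must come from Defender itself.
Get-MpComputerStatus |
    Select-Object IsTamperProtected, RealTimeProtectionEnabled, BehaviorMonitorEnabled,
                  IoavProtectionEnabled, OnAccessProtectionEnabled |
    Format-List
```

If the values are present but Get-MpComputerStatus still reports real-time protection enabled and IsTamperProtected true, the writes were recorded but did not take effect; remove them anyway after containment (Remove-ItemProperty on HKLM:\SOFTWARE\Policies\... and on the HKLM:\SOFTWARE\WOW6432Node\... path) and re-run the status check.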
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\eec8006a53c5f85c442040a9e30d8b26a258b0668084ae6fe599307453b38f58.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycZQ43qr88.exe | N/A |
Despite the signature name, these two values are not payload persistence. wextract_cleanup0 and wextract_cleanup1 are written by the wextract/IExpress self-extractor stub: each runs rundll32 advpack.dll,DelNodeRunDLL32 once at the next logon to delete the IXP00n.TMP extraction directory, after which the RunOnce value is gone. What they do show is that the submitted file and ycZQ43qr88.exe are both self-extracting packages, nested: the first unpacks ycZQ43qr88.exe into IXP000.TMP, and that one unpacks urld75fl67.exe and wrey59kC60.exe into IXP001.TMP. No Run or RunOnce value pointing at the dropped executables themselves was recorded.
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urld75fl67.exe |
WerFault.exe was launched from SysWOW64 with -p 3796, so the crashing process is the 32-bit urld75fl67.exe running as PID 3796; the memory/3796-* dumps listed under Files were taken from that process.
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\eec8006a53c5f85c442040a9e30d8b26a258b0668084ae6fe599307453b38f58.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycZQ43qr88.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urld75fl67.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrey59kC60.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urld75fl67.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urld75fl67.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urld75fl67.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrey59kC60.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\eec8006a53c5f85c442040a9e30d8b26a258b0668084ae6fe599307453b38f58.exe | "C:\Users\Admin\AppData\Local\Temp\eec8006a53c5f85c442040a9e30d8b26a258b0668084ae6fe599307453b38f58.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycZQ43qr88.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycZQ43qr88.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urld75fl67.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urld75fl67.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3796 -ip 3796 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 1100 |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrey59kC60.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrey59kC60.exe |
Network
All recorded traffic is DNS to the sandbox resolver (8.8.8.8:53); the destination column is the resolver, not a host the sample connected to. Identical queries are collapsed with a count.
| Country | Destination (resolver) | Query name | Proto | Count |
| US | 8.8.8.8:53 | hueref.eu | udp | 27 |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp | 1 |
The in-addr.arpa entries are reverse (PTR) lookups of addresses the guest contacted and carry no attacker-chosen name. The only forward lookup is hueref.eu, resolved 27 times during the 151-second run; that repeated resolution is the network indicator to pivot on, and the report records no resolved address or follow-on connection for it.
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycZQ43qr88.exe
| MD5 | bb00bda1a34cf85a7024b49365348dae |
| SHA1 | 2f1b2684d28d8ae32f0405a762480aabf77a18d2 |
| SHA256 | 50bed3800f12301650947a559f1c9a357f960c7dda5e19d08afff32c8254e167 |
| SHA512 | 1fc1af38663b2c444109add571b6dd7bc18cadd899490b47065ca25d8244bdc2fb88e45bf95a1df98d3ca746427631658c7afe6024511f7a8b23d79e5f50ffdc |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urld75fl67.exe
| MD5 | dc44e178c4f3a817757c50068412a977 |
| SHA1 | 7bcdf70b213b0db4a895c7156172b5ce70ed9f57 |
| SHA256 | 87d065445ce37fdcd5725c65e839baaf217ba8dbc0f8635f289f44c7627b0646 |
| SHA512 | 718b1751f1333f98c33a96527895f5c376e5db709787e3ae8b61a49689e3b687835169abf8373c8e71b761e6537078728a5776bebda73eba60dbac53edffa7f0 |
memory/3796-17-0x0000000000400000-0x000000000057E000-memory.dmp
memory/3796-16-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3796-15-0x0000000000780000-0x0000000000880000-memory.dmp
memory/3796-18-0x0000000000400000-0x000000000057E000-memory.dmp
memory/3796-19-0x0000000002390000-0x00000000023AA000-memory.dmp
memory/3796-20-0x0000000004BF0000-0x0000000005194000-memory.dmp
memory/3796-21-0x0000000002690000-0x00000000026A8000-memory.dmp
memory/3796-45-0x0000000002690000-0x00000000026A2000-memory.dmp
memory/3796-49-0x0000000002690000-0x00000000026A2000-memory.dmp
memory/3796-47-0x0000000002690000-0x00000000026A2000-memory.dmp
memory/3796-43-0x0000000002690000-0x00000000026A2000-memory.dmp
memory/3796-41-0x0000000002690000-0x00000000026A2000-memory.dmp
memory/3796-39-0x0000000002690000-0x00000000026A2000-memory.dmp
memory/3796-37-0x0000000002690000-0x00000000026A2000-memory.dmp
memory/3796-35-0x0000000002690000-0x00000000026A2000-memory.dmp
memory/3796-33-0x0000000002690000-0x00000000026A2000-memory.dmp
memory/3796-31-0x0000000002690000-0x00000000026A2000-memory.dmp
memory/3796-29-0x0000000002690000-0x00000000026A2000-memory.dmp
memory/3796-27-0x0000000002690000-0x00000000026A2000-memory.dmp
memory/3796-25-0x0000000002690000-0x00000000026A2000-memory.dmp
memory/3796-23-0x0000000002690000-0x00000000026A2000-memory.dmp
memory/3796-22-0x0000000002690000-0x00000000026A2000-memory.dmp
memory/3796-50-0x0000000000780000-0x0000000000880000-memory.dmp
memory/3796-51-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3796-55-0x0000000000400000-0x000000000057E000-memory.dmp
memory/3796-56-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrey59kC60.exe
| MD5 | 75160aa498b0f13e4f6106ffe98857f3 |
| SHA1 | 154296294b8700f46187245fdb9a2c4d5aa7da3c |
| SHA256 | 57ad72d53871e2d2f5576eca5bbf30e6c86fffef549ab740e9b2f89a81968547 |
| SHA512 | 8aade9003760df690e83dd35a309c64a67d7f10a37fb3e3138d4373d69a420885883417a1421f3bcdfb78776f5d6d38f83dab13b1f3f824186eae94ee1263813 |
memory/1064-61-0x0000000002310000-0x0000000002356000-memory.dmp
memory/1064-62-0x0000000004AE0000-0x0000000004B24000-memory.dmp
memory/1064-76-0x0000000004AE0000-0x0000000004B1E000-memory.dmp
memory/1064-78-0x0000000004AE0000-0x0000000004B1E000-memory.dmp
memory/1064-96-0x0000000004AE0000-0x0000000004B1E000-memory.dmp
memory/1064-94-0x0000000004AE0000-0x0000000004B1E000-memory.dmp
memory/1064-92-0x0000000004AE0000-0x0000000004B1E000-memory.dmp
memory/1064-90-0x0000000004AE0000-0x0000000004B1E000-memory.dmp
memory/1064-86-0x0000000004AE0000-0x0000000004B1E000-memory.dmp
memory/1064-84-0x0000000004AE0000-0x0000000004B1E000-memory.dmp
memory/1064-82-0x0000000004AE0000-0x0000000004B1E000-memory.dmp
memory/1064-80-0x0000000004AE0000-0x0000000004B1E000-memory.dmp
memory/1064-74-0x0000000004AE0000-0x0000000004B1E000-memory.dmp
memory/1064-72-0x0000000004AE0000-0x0000000004B1E000-memory.dmp
memory/1064-70-0x0000000004AE0000-0x0000000004B1E000-memory.dmp
memory/1064-88-0x0000000004AE0000-0x0000000004B1E000-memory.dmp
memory/1064-68-0x0000000004AE0000-0x0000000004B1E000-memory.dmp
memory/1064-66-0x0000000004AE0000-0x0000000004B1E000-memory.dmp
memory/1064-64-0x0000000004AE0000-0x0000000004B1E000-memory.dmp
memory/1064-63-0x0000000004AE0000-0x0000000004B1E000-memory.dmp
memory/1064-969-0x0000000005220000-0x0000000005838000-memory.dmp
memory/1064-970-0x0000000005860000-0x000000000596A000-memory.dmp
memory/1064-971-0x00000000059A0000-0x00000000059B2000-memory.dmp
memory/1064-972-0x00000000059C0000-0x00000000059FC000-memory.dmp
memory/1064-973-0x0000000005B50000-0x0000000005B9C000-memory.dmp
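An added host sweep (example code, not from the report) covering the Files, Processes, Run key and Network sections above: it looks for the IXP*.TMP extraction directories, hashes their contents against the three dropped-file SHA256s listed under Files, lists wextract_cleanup* RunOnce values in the 64-bit, WOW6432Node and per-user hives, and checks the DNS cache and the DNS Client operational log for hueref.eu. Hashes, paths, value names and the domain come from the report; searching every profile under C:\Users and running elevated are assumptions.

```powershell
# Added example (not part of the report): sweep a Windows host for the artifacts this
# detonation left behind. Hashes, directory names, RunOnce value names and the domain
# are taken from the report; scanning all profiles under C:\Users is an assumption.

$droppedHashes = @{
    '50bed3800f12301650947a559f1c9a357f960c7dda5e19d08afff32c8254e167' = 'ycZQ43qr88.exe'
    '87d065445ce37fdcd5725c65e839baaf217ba8dbc0f8635f289f44c7627b0646' = 'urld75fl67.exe'
    '57ad72d53871e2d2f5576eca5bbf30e6c86fffef549ab740e9b2f89a81968547' = 'wrey59kC60.exe'
}
$domain = 'hueref.eu'

# 1. Extraction directories. wextract-built self-extractors unpack into
#    %TEMP%\IXP000.TMP, IXP001.TMP, ... and this sample nested two of them.
$ixpDirs = Get-ChildItem -Path 'C:\Users\*\AppData\Local\Temp' -Directory -Filter 'IXP*.TMP' `
    -ErrorAction SilentlyContinue
foreach ($dir in $ixpDirs) {
    Write-Host "Extraction dir: $($dir.FullName)"
    Get-ChildItem -Path $dir.FullName -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
        if ($droppedHashes.ContainsKey($hash)) {
            Write-Warning "  MATCH $($droppedHashes[$hash]) -> $($_.FullName)"
        } else {
            Write-Host "  $($_.Name) $hash"
        }
    }
}

# 2. The wextract_cleanupN RunOnce values are the self-extractor's cleanup stubs
#    (advpack.dll,DelNodeRunDLL32 deletes the IXP directory at next logon). They are
#    not payload persistence, but while present they date the extraction and name
#    the directory to collect before it is deleted.
$runOnceKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runOnceKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -like 'wextract_cleanup*' } |
        ForEach-Object { Write-Host "RunOnce $key\$($_.Name) = $($_.Value)" }
}

# 3. Network indicator: the only forward DNS name in the capture. The resolver cache
#    is short-lived; the DNS Client operational log (event 3008, disabled by default)
#    keeps a history if it was enabled before the infection.
$cached = Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object { $_.Entry -like "*$domain*" }
if ($cached) {
    Write-Warning "DNS cache holds $domain"
    $cached | Format-Table Entry, Data -AutoSize
}
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-DNS-Client/Operational'; Id = 3008 } `
    -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$domain*" } |
    Select-Object TimeCreated, Message -First 10
```

A hash match on a file inside an IXP*.TMP directory is a firm hit; a wextract_cleanup* value or a lone IXP directory is only evidence that some IExpress package ran, so collect the directory contents before the RunOnce cleanup removes them at the next logon. Absence of hueref.eu from the cache proves nothing, because the cache expires and the sample may have run before the operational log was enabled.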