Analysis Overview
SHA256
8cf789c998abd5d05a87efd6c0aa4c4d6fe294bc1547d3ec20d77b6c83a5878f
Threat Level: Known bad
The file 8cf789c998abd5d05a87efd6c0aa4c4d6fe294bc1547d3ec20d77b6c83a5878f was found to be: Known bad.
Malicious Activity Summary
Redline family
Detects Healer, an antivirus disabler dropper
RedLine
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
RedLine payload
Executes dropped EXE
Windows security modification
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 03:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 03:58
Reported
2024-11-09 04:01
Platform
win10v2004-20241007-en
Max time kernel
144s
Max time network
152s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\48352993.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\48352993.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\48352993.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\48352993.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\48352993.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\48352993.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un110322.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\48352993.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk245905.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\48352993.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\48352993.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\8cf789c998abd5d05a87efd6c0aa4c4d6fe294bc1547d3ec20d77b6c83a5878f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un110322.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\48352993.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8cf789c998abd5d05a87efd6c0aa4c4d6fe294bc1547d3ec20d77b6c83a5878f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un110322.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\48352993.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk245905.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\48352993.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\48352993.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\48352993.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk245905.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\8cf789c998abd5d05a87efd6c0aa4c4d6fe294bc1547d3ec20d77b6c83a5878f.exe | "C:\Users\Admin\AppData\Local\Temp\8cf789c998abd5d05a87efd6c0aa4c4d6fe294bc1547d3ec20d77b6c83a5878f.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un110322.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un110322.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\48352993.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\48352993.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3140 -ip 3140 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 1080 |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk245905.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk245905.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| RU | 185.161.248.143:38452 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un110322.exe
| MD5 | b32dcf3b1fb54b8e862f84fbe0c8547b |
| SHA1 | 6ae4f3678f777fc1656e57ab2db143277e60690d |
| SHA256 | 0a1744782ccb95374e71f029b46d807f2a31072e670a426a3c73495b759f29bf |
| SHA512 | a66969f54069db93a8ff9f8380666e776a70adc43e6351b0ff6ac4582b7a7fe1b7a09d6f45bc7f0ed4bce8af7b04076597c8938ded22c442027ec8d23b9fee09 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\48352993.exe
| MD5 | a604d0a8dcf18156196619562ef426e5 |
| SHA1 | 1065de6e640de17c6db19b6237d39913364e8ee6 |
| SHA256 | abf0068d194197a1c047aa30065f655033e0d25beee3d715e8d4f68b14781e6b |
| SHA512 | 046970ae23942f47b945bce62bfca5374bb27d22467a52001aec2f140629d30c2469481a3ba496495c6f88f7b8fd898927d7a724ea262375c82b358d6a5fd645 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk245905.exe
| MD5 | a3ee805808ba45946d51568bda5aff0b |
| SHA1 | 7576545caf28d1dc6589817f2ec6b6f4496cc40a |
| SHA256 | 50d3cbedfe32a3c147dba9805d5614cd669e8c945fd7e4e03d593ffc37cabe0a |
| SHA512 | 9270d661efd165e296ada752da2d774f10e9270e523b0a9f4f6a8c6e4411c0017e57b274120d27e96734dbb44b61bd1f7c22a182abb49525864593400f487c06 |