Analysis Overview
SHA256
1e9f281bf8bdf2e847fefd7a791ca2c70db8f1ad0b4cd5bd5794a842e4d6eb84
Threat Level: Known bad
The file 1e9f281bf8bdf2e847fefd7a791ca2c70db8f1ad0b4cd5bd5794a842e4d6eb84 was found to be: Known bad.
Malicious Activity Summary
Redline family
Healer
Modifies Windows Defender Real-time Protection settings
Detects Healer, an antivirus disabler dropper
Healer family
RedLine
RedLine payload
Executes dropped EXE
Windows security modification
Adds Run key to start application
System Location Discovery: System Language Discovery
Program crash
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 05:03
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 05:03
Reported
2024-11-09 05:06
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65099622.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65099622.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65099622.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65099622.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65099622.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65099622.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un641977.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65099622.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk133285.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65099622.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65099622.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\1e9f281bf8bdf2e847fefd7a791ca2c70db8f1ad0b4cd5bd5794a842e4d6eb84.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un641977.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65099622.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1e9f281bf8bdf2e847fefd7a791ca2c70db8f1ad0b4cd5bd5794a842e4d6eb84.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un641977.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65099622.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk133285.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65099622.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65099622.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65099622.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk133285.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1e9f281bf8bdf2e847fefd7a791ca2c70db8f1ad0b4cd5bd5794a842e4d6eb84.exe
"C:\Users\Admin\AppData\Local\Temp\1e9f281bf8bdf2e847fefd7a791ca2c70db8f1ad0b4cd5bd5794a842e4d6eb84.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un641977.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un641977.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65099622.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65099622.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 116 -ip 116
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 1080
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk133285.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk133285.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un641977.exe
| MD5 | 03e2d633dd8d3b9d7f1059e4e7ad27c8 |
| SHA1 | a6edfc39536fc573d3bf0b0799f36eb523e3d347 |
| SHA256 | 64ef312fb4b36559480c2b789aa4f2461e2b01945972a0b624abacb67bba54b1 |
| SHA512 | ae396667efae35b19f627406e02a1bab24ace858389adef4d5afab2112769859a3586fbf58dc8a5b3aeedaaae75d30e7e9dbaed05ef6e49e6390aee339b6359f |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65099622.exe
| MD5 | f9ab407f187f8e5cf997a132860334b1 |
| SHA1 | f84ae1c6314d60f4fba8f47709cfa76ab01e5996 |
| SHA256 | 725df5d14ec61c974c129debae9910704b9199dc5ba1c0f70d5275807fca79f6 |
| SHA512 | 1a235d605133d8d12b978196cd1219fcf9209367f3d8af4eaeb01b2211a3c1ee2ce323739893b2882810ab3d8f1ba236282e2a14fa1021413a712ac07ae3ba26 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk133285.exe
| MD5 | 0b6a05a09e6f6c3c1fa480ad8d174aac |
| SHA1 | 91652bf99cbf223394d716b50184cd060c4bd866 |
| SHA256 | c3bba445b3160f1aaf80b77a7ac3ec4f36a157eb697a66be8d7f6c544afd77a0 |
| SHA512 | ac499bd04742c799a99645372b5a5b09b175c6c4284914074604b902ed5b3f57859921e34eb9b0b0f1f629a9240c41f95446ed6432c3da85e5d269a131ae8953 |