Analysis Overview
SHA256
62cdf42bba9df4e7832816af66430d20368fe08bcfa2a955d8cdbcb3ce2fefa2
Threat Level: Known bad
The file 62cdf42bba9df4e7832816af66430d20368fe08bcfa2a955d8cdbcb3ce2fefa2 was found to be: Known bad.
Malicious Activity Summary
RedLine
Healer
Redline family
RedLine payload
Detects Healer, an antivirus disabler dropper
Healer family
Modifies Windows Defender Real-time Protection settings
Windows security modification
Executes dropped EXE
Adds Run key to start application
Launches sc.exe
Program crash
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 05:03
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 05:03
Reported
2024-11-09 05:06
Platform
win10v2004-20241007-en
Max time kernel
147s
Max time network
149s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr006460.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr006460.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr006460.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr006460.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr006460.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr006460.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un226891.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr006460.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu053474.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr006460.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr006460.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\62cdf42bba9df4e7832816af66430d20368fe08bcfa2a955d8cdbcb3ce2fefa2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un226891.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr006460.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\62cdf42bba9df4e7832816af66430d20368fe08bcfa2a955d8cdbcb3ce2fefa2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un226891.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr006460.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu053474.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr006460.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr006460.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr006460.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu053474.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\62cdf42bba9df4e7832816af66430d20368fe08bcfa2a955d8cdbcb3ce2fefa2.exe
"C:\Users\Admin\AppData\Local\Temp\62cdf42bba9df4e7832816af66430d20368fe08bcfa2a955d8cdbcb3ce2fefa2.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un226891.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un226891.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr006460.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr006460.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1280 -ip 1280
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 1084
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu053474.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu053474.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.161.248.142:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| RU | 185.161.248.142:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| RU | 185.161.248.142:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| RU | 185.161.248.142:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| RU | 185.161.248.142:38452 | N/A | tcp |
| RU | 185.161.248.142:38452 | N/A | tcp |
| RU | 185.161.248.142:38452 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un226891.exe
| MD5 | a7dbc805fb39c62036e58844856406c7 |
| SHA1 | f27d4422b5043797664353d1ea531c184ce3d959 |
| SHA256 | 4c1c68208f1f882a35c879785bf9f70270cdc571dd2b1b6e427e72d8ccc90601 |
| SHA512 | fa1011f449411ec5f52ee9d227d84c18dd7eb99380dfa30e3690d43baa77b7f452deb6ea4b61159b81c848d6cbe7d846e646dc9a72cc62d56968ce26ec872eff |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr006460.exe
| MD5 | 0ee934c978e1cef022dd902aff4ebd1d |
| SHA1 | 7a9a7c04526c7f5a0df63fb77dcbf205d78fc57b |
| SHA256 | 918060d3ccac659a982e02c2ff76f2f7e3aceb105a56659c213d3f70c8753520 |
| SHA512 | 2f340fa4a03a201d07f54696d7b529b9a1129921913df18ab846d0a8fc0068c51076d6a731ada64f0d709581009c2b7092a84d646b67f6c6f5e0cdeec39e6f91 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu053474.exe
| MD5 | 4821cf50d2007b3105d73c6d604fbdd1 |
| SHA1 | 2923ad9d8ffb65198b09f9f7c135da4ddd8e631d |
| SHA256 | bf880d3e4755d9b356d4618b87a49a454b39f6070b227978a28bcb1f1c88aa2b |
| SHA512 | 89231b95d314727d00e3eb8f3a4e496409b57e12f82f0a97f5527187d2d394a65dafa17d2a68bf5f370a8cdf878c5c7ccf1012cfbd33ae893737df4a083e41b2 |