Analysis Overview
SHA256
828e1ac899b3e47895182811dfea5c20a4ffbf50707f7b95f74fff9e5095d7ea
Threat Level: Known bad
The file 828e1ac899b3e47895182811dfea5c20a4ffbf50707f7b95f74fff9e5095d7ea was found to be: Known bad.
Malicious Activity Summary
RedLine payload
Healer family
RedLine
Redline family
Detects Healer, an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
Executes dropped EXE
Windows security modification
Adds Run key to start application
Program crash
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 05:03
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 05:03
Reported
2024-11-09 05:05
Platform
win10v2004-20241007-en
Max time kernel
142s
Max time network
149s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53224800.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53224800.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53224800.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53224800.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53224800.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53224800.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un094663.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53224800.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk931600.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53224800.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53224800.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\828e1ac899b3e47895182811dfea5c20a4ffbf50707f7b95f74fff9e5095d7ea.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un094663.exe | N/A |
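The Defender and RunOnce tables above are the part of this report a responder acts on, and they need reading carefully. The Real-Time Protection Disable* values and TamperProtection = 0 are written by 53224800.exe from a user-writable Temp directory; they appear under WOW6432Node because the writer is a 32-bit process (its crash is handled by SysWOW64\WerFault.exe), so a host check has to read both registry views. The two RunOnce entries are a different matter: wextract_cleanup0 and wextract_cleanup1 are the clean-up entries that Windows' own self-extractor (wextract, which also creates the IXP000.TMP and IXP001.TMP work directories) writes for itself. rundll32 advpack.dll,DelNodeRunDLL32 deletes the named directory at next logon and starts nothing, so the "Adds Run key to start application" label over-reads them. The script below is an added example, not code from the sample or the sandbox: it classifies rows in the report's own description | indicator | process shape into those categories, normalises the 32-bit view away, JSON-decodes the value data the way the report renders it, and includes one constructed, hypothetical "Updater" Run entry to show what a genuine autostart looks like beside the clean-up entries.

```python
"""Classify registry events from the tables above: Defender tampering vs. wextract clean-up.

Added example for this page, not code from the sample or the sandbox. Rows use the report's
own (description, indicator, process) shape; value data is decoded as JSON because that is
how the report renders it.
"""
import json
import re
from collections import Counter
from dataclasses import dataclass

RTP = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
HEALER = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53224800.exe"
RUNONCE = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
CLEANUP = r'"rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\'

# Rows copied from the tables above, plus one CONSTRUCTED 'Updater' row (not in the report)
# to show how a genuine autostart entry is told apart from wextract's clean-up entries.
SAMPLE_EVENTS = [
    ("Key created", RTP, HEALER),
    ("Set value (int)", RTP + r'\DisableBehaviorMonitoring = "1"', HEALER),
    ("Set value (int)", RTP + r'\DisableIOAVProtection = "1"', HEALER),
    ("Set value (int)", RTP + r'\DisableOnAccessProtection = "1"', HEALER),
    ("Set value (int)", RTP + r'\DisableRealtimeMonitoring = "1"', HEALER),
    ("Set value (int)", RTP + r'\DisableScanOnRealtimeEnable = "1"', HEALER),
    ("Set value (int)", r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"', HEALER),
    ("Set value (str)", RUNONCE + r"\wextract_cleanup0 = " + CLEANUP + r'IXP000.TMP\\\""',
     r"C:\Users\Admin\AppData\Local\Temp\828e1ac899b3e47895182811dfea5c20a4ffbf50707f7b95f74fff9e5095d7ea.exe"),
    ("Set value (str)", RUNONCE + r"\wextract_cleanup1 = " + CLEANUP + r'IXP001.TMP\\\""',
     r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un094663.exe"),
    ("Set value (str)",  # CONSTRUCTED, hypothetical: a real autostart entry for contrast
     r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Users\\Admin\\AppData\\Roaming\\updater.exe"',
     r"C:\Users\Admin\AppData\Roaming\updater.exe"),
]

WOW_VIEW = re.compile(r"\\software\\wow6432node\\", re.I)   # 32-bit registry view
USER_PATH = re.compile(r"^[a-z]:\\users\\", re.I)           # image lives under a user profile
RUN_KEY = re.compile(r"\\currentversion\\run(once)?$", re.I)
WEXTRACT_CLEANUP = re.compile(r'advpack\.dll,\s*DelNodeRunDLL32\s+"([^"]+)"', re.I)


@dataclass(frozen=True)
class Finding:
    category: str
    process: str
    detail: str
    user_writable_source: bool


def parse_indicator(indicator):
    """Split 'key\\name = "data"' into (key, name, data); rows without ' = ' carry no value."""
    if " = " not in indicator:
        return indicator, None, None
    path, _, raw = indicator.partition(" = ")
    key, _, name = path.rpartition("\\")
    try:
        data = json.loads(raw)          # the report renders values JSON-escaped
    except json.JSONDecodeError:
        data = raw.strip('"')
    return key, name, str(data)


def classify(description, indicator, process):
    """Return a Finding for a security-relevant value write, else None."""
    if not description.startswith("Set value"):
        return None
    key, name, data = parse_indicator(indicator)
    if name is None:
        return None
    key = WOW_VIEW.sub(r"\\software\\", key).lower()    # compare 32- and 64-bit views alike
    lname = name.lower()

    def found(category, detail):
        return Finding(category, process, detail, bool(USER_PATH.match(process)))

    if (key.endswith(r"\policies\microsoft\windows defender\real-time protection")
            and lname.startswith("disable") and data == "1"):
        return found("defender-realtime-disabled", name)
    if key.endswith(r"\microsoft\windows defender\features") and lname == "tamperprotection" and data == "0":
        return found("defender-tamper-protection-off", name)
    if RUN_KEY.search(key):
        m = WEXTRACT_CLEANUP.search(data)
        if m:   # wextract's own RunOnce entry: deletes its IXP00n.TMP work dir, starts nothing
            return found("wextract-cleanup", m.group(1))
        return found("autostart", f"{name} = {data}")
    return None


def triage(events):
    return [f for f in (classify(*e) for e in events) if f is not None]


def summarize(findings):
    return Counter(f.category for f in findings)


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.category:30} {f.detail:50} from {f.process}")
```

Run as a script it prints one line per finding; for the report's rows that is five Defender policy writes and the TamperProtection write from 53224800.exe, and the two wextract clean-up directories. A real autostart entry (the constructed Updater row) is the only one that lands in the autostart category.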
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53224800.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\828e1ac899b3e47895182811dfea5c20a4ffbf50707f7b95f74fff9e5095d7ea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un094663.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53224800.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk931600.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53224800.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53224800.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53224800.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk931600.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\828e1ac899b3e47895182811dfea5c20a4ffbf50707f7b95f74fff9e5095d7ea.exe | "C:\Users\Admin\AppData\Local\Temp\828e1ac899b3e47895182811dfea5c20a4ffbf50707f7b95f74fff9e5095d7ea.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un094663.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un094663.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53224800.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53224800.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4724 -ip 4724 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 1100 |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk931600.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk931600.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.190.18.2.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | | tcp |
| RU | 185.161.248.143:38452 | | tcp |
| RU | 185.161.248.143:38452 | | tcp |
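The network table does not attribute events to a process. The UDP rows are PTR (reverse-DNS) queries sent to 8.8.8.8 for addresses that occur nowhere else in the report; the TCP rows are seven connections to one endpoint, 185.161.248.143:38452, which is the only non-resolver traffic recorded. The script below is an added example, not the sandbox's code: it parses the rows (tolerating the raw extraction layout in which "tcp" had slipped into the Domain column), separates resolver lookups from direct connections, recovers the address each PTR name refers to, checks whether any of those overlaps a direct connection (none does here), and emits the endpoint list a blocklist or detection rule would consume.

```python
"""Turn the Network table above into indicators: direct connections vs. resolver PTR lookups.

Added example for this page, not code from the sample or the sandbox. SAMPLE_ROWS is copied
from the table; two rows are deliberately kept in the raw extraction layout ('tcp' in the
Domain column, a three-cell row) to show the parser tolerates it.
"""
import re
from collections import Counter

SAMPLE_ROWS = """
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | tcp | |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.190.18.2.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | | tcp |
| RU | 185.161.248.143:38452 | | tcp |
| RU | 185.161.248.143:38452 | tcp |
"""

PROTOS = {"tcp", "udp"}
PTR_NAME = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$", re.I)


def parse_rows(text):
    """Table rows -> dicts with ip, port, domain, proto; tolerates the misaligned raw layout."""
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        cells += [""] * (4 - len(cells))
        country, dest, domain, proto = cells[:4]
        if domain.lower() in PROTOS and not proto:      # 'tcp' landed in the Domain column
            domain, proto = "", domain
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def ptr_target(domain):
    """'104.219.191.52.in-addr.arpa' -> '52.191.219.104', the address being reverse-resolved."""
    m = PTR_NAME.match(domain)
    return ".".join(reversed(m.groups())) if m else None


def summarize(rows, resolvers=frozenset({"8.8.8.8"})):
    """Split traffic into resolver PTR lookups and direct endpoint connections (with counts)."""
    direct, looked_up = Counter(), set()
    for r in rows:
        if r["ip"] in resolvers and r["port"] == 53:
            target = ptr_target(r["domain"])
            if target:
                looked_up.add(target)
        else:
            direct[(r["ip"], r["port"], r["proto"])] += 1
    # addresses that were both reverse-resolved and connected to; empty for this report
    overlap = {t for t in looked_up if any(t == ip for ip, _, _ in direct)}
    return {"direct": direct, "reverse_lookups": looked_up, "overlap": overlap}


def network_iocs(rows):
    """Endpoints worth exporting: every non-resolver destination as 'ip:port/proto'."""
    return sorted(f"{ip}:{port}/{proto}" for ip, port, proto in summarize(rows)["direct"])


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    s = summarize(rows)
    print("direct connections:", dict(s["direct"]))
    print("reverse lookups:", sorted(s["reverse_lookups"]))
    print("iocs:", network_iocs(rows))
```

The resolver set is a parameter because a sandbox's DNS server is an artefact of the sandbox, not of the sample; swap in the resolver of whatever environment produced the capture before reusing the logic on other reports.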
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un094663.exe
| MD5 | da6e5ef1a6e9eff9f48f61184d120ea0 |
| SHA1 | a9dc4fdd90eb607ae03aeb8b358879b989224796 |
| SHA256 | 4bd60f370fa64bdab139ca68536c90a6370b1826a6d7117efbea3d06c3ea0e99 |
| SHA512 | b30b8dce488d430f630d5d7020b5e870a8bd1a047081d9a99785ecf966562723b9331fd80544d92d42744fc356da8462a38c95ab2d7e621cb4c1f8cfee915024 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53224800.exe
| MD5 | fdda21ab82a198d66ed008afb7fec34d |
| SHA1 | 55380a21f145124b26e92c519ca1bf1c4e639f7d |
| SHA256 | 52ffddea2f5bd6f476a58660098e24dfb6e2568f9969122a20cb1bd677c6cade |
| SHA512 | 897f02fe0723a22ff1be206e0228498cdaece7d4bf9baa6813146db0bbdf1426db86094f619cd6af501f694f4889230fb881a1ca1d9be2e8f607f01e90fbda5a |
memory/4724-15-0x0000000002C20000-0x0000000002D20000-memory.dmp
memory/4724-17-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4724-16-0x0000000002BA0000-0x0000000002BCD000-memory.dmp
memory/4724-18-0x0000000004AE0000-0x0000000004AFA000-memory.dmp
memory/4724-19-0x00000000073D0000-0x0000000007974000-memory.dmp
memory/4724-20-0x0000000004C80000-0x0000000004C98000-memory.dmp
memory/4724-40-0x0000000004C80000-0x0000000004C93000-memory.dmp
memory/4724-48-0x0000000004C80000-0x0000000004C93000-memory.dmp
memory/4724-46-0x0000000004C80000-0x0000000004C93000-memory.dmp
memory/4724-44-0x0000000004C80000-0x0000000004C93000-memory.dmp
memory/4724-42-0x0000000004C80000-0x0000000004C93000-memory.dmp
memory/4724-38-0x0000000004C80000-0x0000000004C93000-memory.dmp
memory/4724-36-0x0000000004C80000-0x0000000004C93000-memory.dmp
memory/4724-34-0x0000000004C80000-0x0000000004C93000-memory.dmp
memory/4724-32-0x0000000004C80000-0x0000000004C93000-memory.dmp
memory/4724-30-0x0000000004C80000-0x0000000004C93000-memory.dmp
memory/4724-28-0x0000000004C80000-0x0000000004C93000-memory.dmp
memory/4724-26-0x0000000004C80000-0x0000000004C93000-memory.dmp
memory/4724-24-0x0000000004C80000-0x0000000004C93000-memory.dmp
memory/4724-22-0x0000000004C80000-0x0000000004C93000-memory.dmp
memory/4724-21-0x0000000004C80000-0x0000000004C93000-memory.dmp
memory/4724-49-0x0000000002C20000-0x0000000002D20000-memory.dmp
memory/4724-50-0x0000000000400000-0x0000000002B9B000-memory.dmp
memory/4724-51-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4724-54-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk931600.exe
| MD5 | 797d059ba279a43c0689e69416d41082 |
| SHA1 | 12b4af97ae8d97e2506ae6158bf16104a5b9fddc |
| SHA256 | ed62b98920962c503ae98e2637d3b5623a9d4960134d913bc157720d9608b98d |
| SHA512 | 52a73e72df5a7fce956c0cfe452d49ce0bc93288f883e047b598566e123f6f6f98e66335bc12e33f497a7684bc055405f80c3820515f2c78c14d1a67719d1fbe |
memory/4724-53-0x0000000000400000-0x0000000002B9B000-memory.dmp
memory/4000-59-0x0000000007120000-0x000000000715C000-memory.dmp
memory/4000-60-0x00000000071A0000-0x00000000071DA000-memory.dmp
memory/4000-66-0x00000000071A0000-0x00000000071D5000-memory.dmp
memory/4000-74-0x00000000071A0000-0x00000000071D5000-memory.dmp
memory/4000-72-0x00000000071A0000-0x00000000071D5000-memory.dmp
memory/4000-70-0x00000000071A0000-0x00000000071D5000-memory.dmp
memory/4000-68-0x00000000071A0000-0x00000000071D5000-memory.dmp
memory/4000-82-0x00000000071A0000-0x00000000071D5000-memory.dmp
memory/4000-64-0x00000000071A0000-0x00000000071D5000-memory.dmp
memory/4000-62-0x00000000071A0000-0x00000000071D5000-memory.dmp
memory/4000-61-0x00000000071A0000-0x00000000071D5000-memory.dmp
memory/4000-76-0x00000000071A0000-0x00000000071D5000-memory.dmp
memory/4000-94-0x00000000071A0000-0x00000000071D5000-memory.dmp
memory/4000-92-0x00000000071A0000-0x00000000071D5000-memory.dmp
memory/4000-90-0x00000000071A0000-0x00000000071D5000-memory.dmp
memory/4000-88-0x00000000071A0000-0x00000000071D5000-memory.dmp
memory/4000-86-0x00000000071A0000-0x00000000071D5000-memory.dmp
memory/4000-84-0x00000000071A0000-0x00000000071D5000-memory.dmp
memory/4000-80-0x00000000071A0000-0x00000000071D5000-memory.dmp
memory/4000-78-0x00000000071A0000-0x00000000071D5000-memory.dmp
memory/4000-853-0x0000000009D30000-0x000000000A348000-memory.dmp
memory/4000-854-0x00000000072D0000-0x00000000072E2000-memory.dmp
memory/4000-855-0x000000000A350000-0x000000000A45A000-memory.dmp
memory/4000-856-0x000000000A470000-0x000000000A4AC000-memory.dmp
memory/4000-857-0x0000000006C10000-0x0000000006C5C000-memory.dmp
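The dump names encode pid-sequence-start-end, and the report ties a PID to an image only indirectly: WerFault.exe is launched with -p 4724 and the Program crash row names 53224800.exe as the crashed target, so PID 4724 is 53224800.exe. PID 4000 is not named anywhere; its dumps are merely listed under rk931600.exe. The script below is an added example, not the sandbox's code: it makes that correlation explicit and summarises the dumps per PID (how many, which region was captured repeatedly, and the largest region). It uses a subset of the dump names above as its sample so that it stays short; paste the remaining names into DUMPS to run it over the full list.

```python
"""Correlate the Processes table, the Program crash row and the memory dumps listed above.

Added example for this page, not code from the sample or the sandbox. PROCESSES and
CRASH_ROWS are copied from the report; DUMPS is a SUBSET of the dump names above.
"""
import re
from collections import Counter, defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"
PROCESSES = [  # (image, command line), from the Processes table
    (TEMP + r"\828e1ac899b3e47895182811dfea5c20a4ffbf50707f7b95f74fff9e5095d7ea.exe",
     '"' + TEMP + r'\828e1ac899b3e47895182811dfea5c20a4ffbf50707f7b95f74fff9e5095d7ea.exe"'),
    (TEMP + r"\IXP000.TMP\un094663.exe", TEMP + r"\IXP000.TMP\un094663.exe"),
    (TEMP + r"\IXP001.TMP\53224800.exe", TEMP + r"\IXP001.TMP\53224800.exe"),
    (WERFAULT, WERFAULT + " -pss -s 408 -p 4724 -ip 4724"),
    (WERFAULT, WERFAULT + " -u -p 4724 -s 1100"),
    (TEMP + r"\IXP001.TMP\rk931600.exe", TEMP + r"\IXP001.TMP\rk931600.exe"),
]
CRASH_ROWS = [(WERFAULT, TEMP + r"\IXP001.TMP\53224800.exe")]   # (process, target)
DUMPS = """
memory/4724-15-0x0000000002C20000-0x0000000002D20000-memory.dmp
memory/4724-17-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4724-20-0x0000000004C80000-0x0000000004C98000-memory.dmp
memory/4724-21-0x0000000004C80000-0x0000000004C93000-memory.dmp
memory/4724-22-0x0000000004C80000-0x0000000004C93000-memory.dmp
memory/4724-24-0x0000000004C80000-0x0000000004C93000-memory.dmp
memory/4724-50-0x0000000000400000-0x0000000002B9B000-memory.dmp
memory/4724-51-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4724-53-0x0000000000400000-0x0000000002B9B000-memory.dmp
memory/4000-59-0x0000000007120000-0x000000000715C000-memory.dmp
memory/4000-60-0x00000000071A0000-0x00000000071DA000-memory.dmp
memory/4000-61-0x00000000071A0000-0x00000000071D5000-memory.dmp
memory/4000-62-0x00000000071A0000-0x00000000071D5000-memory.dmp
memory/4000-853-0x0000000009D30000-0x000000000A348000-memory.dmp
"""

DUMP_NAME = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
WERFAULT_PID = re.compile(r"(?:^|\s)-p\s+(\d+)")   # '-p pid'; does not match '-pss' or '-ip'


def parse_dumps(text):
    """'memory/pid-seq-0xSTART-0xEND-memory.dmp' -> (pid, seq, start, end) with ints."""
    out = []
    for name in text.split():
        m = DUMP_NAME.match(name)
        if not m:
            raise ValueError(f"unrecognised dump name: {name}")
        pid, seq, lo, hi = m.groups()
        out.append((int(pid), int(seq), int(lo, 16), int(hi, 16)))
    return out


def crashed_processes(processes, crash_rows):
    """Map crashed PID -> image path.

    The report links PID and image only via WerFault's -p argument and the 'Program crash'
    target column, so the pairing is unambiguous only with one of each; otherwise the PIDs
    are returned unmapped (None).
    """
    pids = set()
    for image, cmdline in processes:
        if image.lower().endswith("\\werfault.exe"):
            m = WERFAULT_PID.search(cmdline)
            if m:
                pids.add(int(m.group(1)))
    targets = {target for _, target in crash_rows}
    if len(pids) == 1 and len(targets) == 1:
        return {pids.pop(): targets.pop()}
    return dict.fromkeys(pids)


def dump_summary(dumps):
    """Per PID: dump count, the region dumped most often (with its count) and the largest region."""
    regions = defaultdict(list)
    for pid, _, lo, hi in dumps:
        regions[pid].append((lo, hi))
    summary = {}
    for pid, spans in regions.items():
        hottest, n = Counter(spans).most_common(1)[0]
        lo, hi = max(spans, key=lambda s: s[1] - s[0])
        summary[pid] = {"dumps": len(spans), "hottest": (hottest, n), "largest": (lo, hi, hi - lo)}
    return summary


if __name__ == "__main__":
    crashed = crashed_processes(PROCESSES, CRASH_ROWS)
    for pid, info in dump_summary(parse_dumps(DUMPS)).items():
        who = crashed.get(pid) or "not identified by the report"
        print(pid, who)
        for k, v in info.items():
            print("   ", k, v)
```

On the full list the hottest regions are 0x4C80000-0x4C93000 for PID 4724 (fifteen dumps) and 0x71A0000-0x71D5000 for PID 4000 (eighteen dumps); the subset here reproduces the same ranking with smaller counts.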