Analysis Overview
SHA256
3e641d9d0751a7f979a510bfe83acddd6506589342b65285f6b946765d923ec8
Threat Level: Known bad
The file 3e641d9d0751a7f979a510bfe83acddd6506589342b65285f6b946765d923ec8 was found to be: Known bad.
Malicious Activity Summary
RedLine
Redline family
RedLine payload
Detects Healer, an antivirus disabler dropper
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
Windows security modification
Executes dropped EXE
Adds Run key to start application
Program crash
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 05:11
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 05:11
Reported
2024-11-09 05:14
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVW07wr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVW07wr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVW07wr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVW07wr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVW07wr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVW07wr.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\swN11hP.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\skV69rw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sRo69cx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVW07wr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\koo98Ar.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVW07wr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVW07wr.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\skV69rw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sRo69cx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\3e641d9d0751a7f979a510bfe83acddd6506589342b65285f6b946765d923ec8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\swN11hP.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVW07wr.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3e641d9d0751a7f979a510bfe83acddd6506589342b65285f6b946765d923ec8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\swN11hP.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\skV69rw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sRo69cx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVW07wr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\koo98Ar.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVW07wr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVW07wr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVW07wr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\koo98Ar.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\3e641d9d0751a7f979a510bfe83acddd6506589342b65285f6b946765d923ec8.exe | "C:\Users\Admin\AppData\Local\Temp\3e641d9d0751a7f979a510bfe83acddd6506589342b65285f6b946765d923ec8.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\swN11hP.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\swN11hP.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\skV69rw.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\skV69rw.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sRo69cx.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sRo69cx.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVW07wr.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVW07wr.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4032 -ip 4032 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 1076 |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\koo98Ar.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\koo98Ar.exe |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| RU | 193.233.20.17:4139 | | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| RU | 193.233.20.17:4139 | | tcp |
| RU | 193.233.20.17:4139 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| RU | 193.233.20.17:4139 | | tcp |
| RU | 193.233.20.17:4139 | | tcp |
| RU | 193.233.20.17:4139 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\swN11hP.exe
| Hash | Value |
|---|---|
| MD5 | f3e1709aab51a6a135bbdb29d83f77d9 |
| SHA1 | adb143171137a23b41968a07e43d38b4186848c2 |
| SHA256 | d33df68fc9eec68e31d69b1abdc0fb82ab8e2b0e2fee7cd985dd3acfda022bfb |
| SHA512 | d7941ec4e350762e79baf141098285ba4039032630ec95db3634c5f2bd87a3ebc25337f647cc4a8a43affb7beb5f1f61dac8c17832e1ed93242cdf8d45c3e309 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\skV69rw.exe
| Hash | Value |
|---|---|
| MD5 | c0018a166fb236e3a8fd15f31ae48bbc |
| SHA1 | 378ff7d739193420c1e50b17a7ccf8012b9773f0 |
| SHA256 | 804d0a95dff89959609f92afddd708cebc42149597b96e611b60967d6a0ad4d7 |
| SHA512 | cc1cc89786baab3344422e267f5ed98caec1f337d495040de06763307a318d29ba3b6e7595e1cd903d01734de737cfd4ef11b982dd2ab9c8a3a171553bd21e95 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sRo69cx.exe
| Hash | Value |
|---|---|
| MD5 | 1004bc7075588f55644ec77b8b633fdb |
| SHA1 | 056c0cc4e18c9f156fb69b071dd60416247bd0b3 |
| SHA256 | 923a2d0e5c4976768479d77a7f0c0ae53bdd52a36fb1916d4f063e4773b02f61 |
| SHA512 | 12bf55bb03c6cf3dbf14646bfd3a14df18f93b1c03bdc5b802c557b07b7819b2822cb478a2a022b53cc3859e8d3c720f139fd7b37b97c78dff18a569082384db |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVW07wr.exe
| Hash | Value |
|---|---|
| MD5 | 2c5c8d29cafcf8e7dd907d96976fa83f |
| SHA1 | 0d7b42b55e766c71ecd427a3d1acf1a04b16be7c |
| SHA256 | 5cd65c80d1f7f92886584a08003e6f31ed0b37b20c7bad622ee0ae43ec928f3a |
| SHA512 | 67d0f1649e1c7494e865fbb2cf1806b2e05119671ffea6e1fb84e7dd82f0782f678d1f2bddeed6f2e64a9814cea860efc280e8a727a99bdc181a50b951c97d09 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\koo98Ar.exe
| Hash | Value |
|---|---|
| MD5 | 444008956d19b2d37e0e2c25888548b0 |
| SHA1 | 0b64e74e3c648f0a9023fe2308a3ab7b13607ad3 |
| SHA256 | b4eedc40338b319b5527d55f9f50d8941fb4905a464a2babf2036492aaa4d94b |
| SHA512 | 1a00813b1f3d64613b8d57f0e70c09980b07c3c23f86bfbbf3f677a2eac15405e150a512e542703d044f2713f98de91550c5dd2717cbec80ecbc1e59878cce74 |