Analysis Overview
SHA256
066eb74effa9b7200d513820a776209f8d18842dedf2c0b73f89ff41226c7127
Threat Level: Known bad
The file 066eb74effa9b7200d513820a776209f8d18842dedf2c0b73f89ff41226c7127 was found to be: Known bad.
Malicious Activity Summary
Redline family
Detects Healer, an antivirus disabler dropper
RedLine
Healer
RedLine payload
Healer family
Modifies Windows Defender Real-time Protection settings
Executes dropped EXE
Windows security modification
Adds Run key to start application
Unsigned PE
Program crash
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 19:11
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 19:11
Reported
2024-11-09 19:14
Platform
win10v2004-20241007-en
Max time kernel
146s
Max time network
148s
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9435.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9435.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9435.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9435.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9435.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9435.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un259900.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9435.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8248.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9435.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9435.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un259900.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\066eb74effa9b7200d513820a776209f8d18842dedf2c0b73f89ff41226c7127.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9435.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8248.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\066eb74effa9b7200d513820a776209f8d18842dedf2c0b73f89ff41226c7127.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un259900.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9435.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9435.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9435.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8248.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\066eb74effa9b7200d513820a776209f8d18842dedf2c0b73f89ff41226c7127.exe | "C:\Users\Admin\AppData\Local\Temp\066eb74effa9b7200d513820a776209f8d18842dedf2c0b73f89ff41226c7127.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un259900.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un259900.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9435.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9435.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1596 -ip 1596 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 1076 |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8248.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8248.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| RU | 176.113.115.145:4125 | | tcp |
| RU | 176.113.115.145:4125 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un259900.exe
| MD5 | aa6f8ac20c03451ea7c54d60069b31c8 |
| SHA1 | 4c08c12fe6baab1aa07828c1d3eb903a73fcf9c6 |
| SHA256 | 12d495fa344347a0c5c55392496db77fc97df7ee6f37c77957bdd3c6bbdeea7f |
| SHA512 | 5597cf34d879fcbb83e6d58cf66239dc92ac5f4d9953ca95613e407b6b5c3528cb97664b2c921cc27c459ff9ec97ccdcd5308508c6d736c00dd773b7dc26ee51 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9435.exe
| MD5 | 52097806dad5071db7c1bf083ded084b |
| SHA1 | 6a6ef9091ff471be8a1ab3b170eeb07d2768c4df |
| SHA256 | dcae21d57d67365e16eb1684e1aaa82c9e9f6897a452c53fd9e87ce389002a64 |
| SHA512 | ee6198f596780bcd0a8c1116fb35f2d1536eaa60285db6bc05f4d9a0e88256db58d720c2e8e5966e93c80dcdd4763f7484437da6ffe4e839612e4d8eacf02986 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8248.exe
| MD5 | 0a83d7d9b5a27743cc0f6dd0b7d5f4c2 |
| SHA1 | af1f132c501f9e9f4e710d9519665798f4d508e0 |
| SHA256 | 44834e4ae785e7fe155d7e0335ee1d7c70c40ba54b715ee05b9a499021971e6e |
| SHA512 | 2faed8eb6dc98982c27e47b7cd703862e10277a0b44455ffcc138100006849ae0f515db5d03e9e7a105404e16c58c75f2732020d4a357e927eff29bd6b7e25d4 |