Analysis Overview
SHA256
b137868f8c0f273aca3cd1065da73dd76f9e209638d44ecc54002bee74f40056
Threat Level: Known bad
The file b137868f8c0f273aca3cd1065da73dd76f9e209638d44ecc54002bee74f40056 was found to be: Known bad.
Malicious Activity Summary
Redline family
Healer family
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine payload
Detects Healer an antivirus disabler dropper
Healer
Windows security modification
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 19:17
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 19:17
Reported
2024-11-09 19:20
Platform
win10v2004-20241007-en
Max time kernel
142s
Max time network
149s
Signatures
Detects Healer an antivirus disabler dropper
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\58076760.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\58076760.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\58076760.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\58076760.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\58076760.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\58076760.exe | N/A |
RedLine
RedLine payload
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un227161.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\58076760.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk331272.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\58076760.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\58076760.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\b137868f8c0f273aca3cd1065da73dd76f9e209638d44ecc54002bee74f40056.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un227161.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\58076760.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b137868f8c0f273aca3cd1065da73dd76f9e209638d44ecc54002bee74f40056.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un227161.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\58076760.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk331272.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\58076760.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\58076760.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\58076760.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk331272.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b137868f8c0f273aca3cd1065da73dd76f9e209638d44ecc54002bee74f40056.exe
"C:\Users\Admin\AppData\Local\Temp\b137868f8c0f273aca3cd1065da73dd76f9e209638d44ecc54002bee74f40056.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un227161.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un227161.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\58076760.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\58076760.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1124 -ip 1124
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 1080
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk331272.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk331272.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.209.201.84.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | | tcp |
| RU | 185.161.248.143:38452 | | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | | tcp |
| RU | 185.161.248.143:38452 | | tcp |
| RU | 185.161.248.143:38452 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un227161.exe
| MD5 | 98b709c70c51e42a0974c9cb8a775f5f |
| SHA1 | 3f8fefc895f631938b30ef75d87b5e8a5ac75cdf |
| SHA256 | 0f395a6a29e0c33ab4c1318af15c976c8613185ce7217e5c0bb88e4cd5587edc |
| SHA512 | 077e76ec1d73f7edee6e4610420c1dfaeea7a10ced24e4e182173cd7e6190ee5eaf72e680b387f560bf328199124232a420d1e886211b0d97f9c6a2d1d2374f3 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\58076760.exe
| MD5 | 7f148a00e12edaef9a15d660c8109bd8 |
| SHA1 | 2b206f44daee100e32df14ea1dc2d316747bd17c |
| SHA256 | b2ad7ebf3b6821ca21b620e70cf2b35a922a92e1e02647f6966bcd577ce5fdb2 |
| SHA512 | c13ea7d048115a13f44e7c5a4b075eee6a011fa2bfbc84d668309d395472ede41e2e0a42884947581987fdf56c253bfc2e4f351e325ade9a8e34eab1208bd0b1 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk331272.exe
| MD5 | 7457dc6742a2a3c2bffe967b628499f3 |
| SHA1 | 0c3b6deb84476b28c0cdd54e61dc2f3d9778e642 |
| SHA256 | 05ca104e0ebf1cbb1021e183521cf90f95435974596c24bbb2d182b446457728 |
| SHA512 | 2198761294eaad84ec8259aecce4d6985e393181eb91d9b6cb531ec83142bd689ed42d49b3cd135128f5b40dabb89400f3375a4f25fd40e7cbef088fcd89e519 |