Analysis Overview
SHA256
1af14c31e572c199bb1b25b3ac96cda635659a44940d258c6659b7974a4ae720
Threat Level: Known bad
The file 1af14c31e572c199bb1b25b3ac96cda635659a44940d258c6659b7974a4ae720 was found to be: Known bad.
Malicious Activity Summary
RedLine
Healer family
Detects Healer, an antivirus disabler dropper
RedLine payload
Redline family
Healer
Modifies Windows Defender Real-time Protection settings
Executes dropped EXE
Windows security modification
Adds Run key to start application
System Location Discovery: System Language Discovery
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 20:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 20:32
Reported
2024-11-09 20:35
Platform
win10v2004-20241007-en
Max time kernel
143s
Max time network
148s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a18564388.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a18564388.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a18564388.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a18564388.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a18564388.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a18564388.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i86597507.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i86932797.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i39248320.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i07232341.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a18564388.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b60109714.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a18564388.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a18564388.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i86932797.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i39248320.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i07232341.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\1af14c31e572c199bb1b25b3ac96cda635659a44940d258c6659b7974a4ae720.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i86597507.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a18564388.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i39248320.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i07232341.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a18564388.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b60109714.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1af14c31e572c199bb1b25b3ac96cda635659a44940d258c6659b7974a4ae720.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i86597507.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i86932797.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a18564388.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a18564388.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\1af14c31e572c199bb1b25b3ac96cda635659a44940d258c6659b7974a4ae720.exe | "C:\Users\Admin\AppData\Local\Temp\1af14c31e572c199bb1b25b3ac96cda635659a44940d258c6659b7974a4ae720.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i86597507.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i86597507.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i86932797.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i86932797.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i39248320.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i39248320.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i07232341.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i07232341.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a18564388.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a18564388.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4004 -ip 4004 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 1084 |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b60109714.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b60109714.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | N/A | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.209.201.84.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | N/A | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | N/A | tcp |
| RU | 185.161.248.73:4164 | N/A | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | N/A | tcp |
| RU | 185.161.248.73:4164 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i86597507.exe
| MD5 | bade830b6be2c8423bc07b40b036c355 |
| SHA1 | 898abf99c2e2c5ed9d0a7b49962b98def318a70a |
| SHA256 | 0c3d3498a73cdcce125aa65747d59dd36b1e18ce7460c8794b604158093ff765 |
| SHA512 | 4e14ce24d12c853548c9e9cfef5210bbebf2046bdf349efd7099b6ea377899421ae5b93a1359d25c493386825bca7db1622b6b68ad37e9522972103412939d81 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i86932797.exe
| MD5 | 25fa32563594dedbc5792bf00a544255 |
| SHA1 | d2f5e561db31492fd12b126d92a4a45981ff9115 |
| SHA256 | 00d30f23d69ef8963e109179db2d10817be8de06b085dfe5bd9e6daf43fcec0e |
| SHA512 | 6a47dc333692d3cefbf278378323606ef11c6df9230ce299ab5583fde499fcd7065048b8053a3ae44c1d2beaad6a9ea47916e0e98fa06272129c1cb19b5cf034 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i39248320.exe
| MD5 | 85d64e14a876cd43c5c831adb66bc141 |
| SHA1 | eef22caa3d04a00e243ae578478d7d7c88a11311 |
| SHA256 | 0119f0d319602e9368bf259bed1488797d1821e0da48c2a1e7c249009eba9333 |
| SHA512 | aa9da40d95d503b123e61c88d5f37a3c59edf9aefbf0075c135a8a5dfbf0ff62f92ba6b185ca9519078259624c1f5fcc40c941622c4c3e4fd31574a9ee6c0b26 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i07232341.exe
| MD5 | 8d387cb163bbbace0c0a9911dafba0ea |
| SHA1 | fe258560ba5b18642dc8838f1e3090d7e0c352e6 |
| SHA256 | ef287055b6b496fa1d19ea8d7f31d534997a38164c20c98decc545f1b212ff50 |
| SHA512 | bdcd36913bab668494a7752fed8858bc8d5a399881433f352876c4818966443d6a96cb16045cf101320d5da9fd5bbe258491868426c83ceb841ebcbb46fc5043 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a18564388.exe
| MD5 | ef4e78dd23e95f16b8dfe38b143836e9 |
| SHA1 | 7ec4af068b1a51897ac4ad915b0bfb215dcb0d31 |
| SHA256 | f406665f4e992d11a5757514f5fe3385b4506a4b65a0722ad1886f0b2151e136 |
| SHA512 | 0ceb37c96e4606a577eafe0ff8845fd79c8417400fbe34f2daf76af3dc5911f02990ad40347f39a234406ee7598edec6d4f9479b0b08cc20b2b929121cf370c2 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b60109714.exe
| MD5 | 4cecbe1e5ab3368eed7cae4a47304a95 |
| SHA1 | 396b5387462a850518ba10876cfa16d44ea18229 |
| SHA256 | cea16d6e72293940245c6c7ea7582eb2f974cbc18498a46e1f31738a3a22d6f7 |
| SHA512 | 104f1301f076d6b83ce70722130f436267dd02895635de6851ba470da15cf058522d98c344d77d45feaaa2fe63a05d1a64985748bd349f4c7130d313bc3d532e |