Analysis Overview
SHA256
5020fb4ac78166754a595b80274b8ce38d2b14165dff1a2794368dca3612805c
Threat Level: Known bad
The file 5020fb4ac78166754a595b80274b8ce38d2b14165dff1a2794368dca3612805c was found to be: Known bad.
Malicious Activity Summary
RedLine
Redline family
Detects Healer, an antivirus disabler dropper
Healer family
Modifies Windows Defender Real-time Protection settings
RedLine payload
Healer
Executes dropped EXE
Windows security modification
Adds Run key to start application
Unsigned PE
Program crash
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 00:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 00:41
Reported
2024-11-10 00:44
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8597jA.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8597jA.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c71zH32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c71zH32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c71zH32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8597jA.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8597jA.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8597jA.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8597jA.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c71zH32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c71zH32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c71zH32.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice3037.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice2106.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8597jA.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c71zH32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dtTkN90.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c71zH32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c71zH32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8597jA.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice3037.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice2106.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\5020fb4ac78166754a595b80274b8ce38d2b14165dff1a2794368dca3612805c.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c71zH32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5020fb4ac78166754a595b80274b8ce38d2b14165dff1a2794368dca3612805c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice3037.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice2106.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c71zH32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dtTkN90.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8597jA.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c71zH32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8597jA.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c71zH32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dtTkN90.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\5020fb4ac78166754a595b80274b8ce38d2b14165dff1a2794368dca3612805c.exe | "C:\Users\Admin\AppData\Local\Temp\5020fb4ac78166754a595b80274b8ce38d2b14165dff1a2794368dca3612805c.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice3037.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice3037.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice2106.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice2106.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8597jA.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8597jA.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c71zH32.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c71zH32.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1260 -ip 1260 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 1084 |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dtTkN90.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dtTkN90.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 193.233.20.28:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| RU | 193.233.20.28:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| RU | 193.233.20.28:4125 | N/A | tcp |
| RU | 193.233.20.28:4125 | N/A | tcp |
| RU | 193.233.20.28:4125 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice3037.exe
| MD5 | 4690e66bf12ff6f4e1008fa73f05e00a |
| SHA1 | 747225b04df7949d8763905e91cae03349b72a2d |
| SHA256 | c038930accf215ccd6131b7779c7138e506e313c170abb6cc20d528e306371be |
| SHA512 | 5f2db42d03181647fb97c52aa8ab8b0da9bd6e976cb217d7dd8e917b422a86e00fb11d972f3d6b06a9664c27272fa72fcf8153cac670cf2b7c280b4ff6a1c61b |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice2106.exe
| MD5 | 3a5820a8fee9833d5b486e60502677f5 |
| SHA1 | 42bc63f25deae86b694bf607230909bff91f3b2d |
| SHA256 | 17080a59f7489790629c61c70fde514b70ed5cfed705da159d375e96d3b96b82 |
| SHA512 | d618d39bf9990e1554eb9876e9c13d82e74122745c88ac63a0fcbe978be8135375dce5a0666b129f057c34884e8a86300e2afa808cb4ef6384a04022a7d833c6 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8597jA.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/1668-21-0x00007FF9F5383000-0x00007FF9F5385000-memory.dmp
memory/1668-22-0x0000000000850000-0x000000000085A000-memory.dmp
memory/1668-23-0x00007FF9F5383000-0x00007FF9F5385000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c71zH32.exe
| MD5 | ff1800b6e8f9a60395425226a5a76d1c |
| SHA1 | 0872a5e7a2c25b60df6b1ccceb39d472658ad502 |
| SHA256 | 4fe41b77721fb7a0794c189fa93ad03ad938a6085c77914a0f174b5bc4129ee1 |
| SHA512 | 27585f4743067bc1bfc2dfe048f01779fe10595a52545d6b90e60b67a9fbb0aeb97e75941f4ccd705ba58a96cccc4b00af8c1f3d4d4b5fa8591f62560311911a |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dtTkN90.exe
| MD5 | acf946990cce268bab83e423eba360f4 |
| SHA1 | 0d3bdccf0182f0807380473466d5b6b60f193904 |
| SHA256 | 17cd8db80e084509a543f7ec21399d4f9cf9c8906d6890a3db4da80854bf8d27 |
| SHA512 | aed8bd98b0f033d724091419548880c463be734886c8a5e0b8065a66060b350783221049475d0fad4999425d03b8dcc889e7fbff7b9fd3b1575f1745f3e7f4f1 |