Analysis Overview
SHA256
6df258d780c728ca060dc16da8f830cb5a989187d38bc99a74597df9d25ef1dd
Threat Level: Known bad
The file 6df258d780c728ca060dc16da8f830cb5a989187d38bc99a74597df9d25ef1dd was found to be: Known bad.
Malicious Activity Summary
RedLine
Healer
RedLine payload
Healer family
Modifies Windows Defender Real-time Protection settings
Redline family
Detects Healer an antivirus disabler dropper
Windows security modification
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 00:48
Signatures
Unsigned PE
No indicator detail recorded for this hit (1 row, all fields N/A).
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 00:48
Reported
2024-11-10 00:50
Platform
win10v2004-20241007-en
Max time kernel
143s
Max time network
150s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
No indicator detail recorded for this signature (17 hits, all fields N/A).
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr938007.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr938007.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr938007.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr938007.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr938007.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr938007.exe | N/A |
RedLine
RedLine payload
No indicator detail recorded for this signature (20 hits, all fields N/A).
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un899115.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr938007.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu550764.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr938007.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr938007.exe | N/A |
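The two tables above ("Modifies Windows Defender Real-time Protection settings" and "Windows security modification") are the most actionable part of this report: pr938007.exe writes five Real-Time Protection policy switches to 1 and sets Features\TamperProtection to 0. The following detection is an added example written for this page, not sandbox output; it consumes simplified registry-write records (writing process, full path with the value name last, data as the sandbox renders it) in a constructed format, and the malicious sample records are the rows from these two tables. The keys appear under WOW6432Node because pr938007.exe runs as a 32-bit process (WerFault.exe is launched from SysWOW64), so the matcher accepts both the redirected and the native path. Whether the TamperProtection write actually took effect is not shown by the report; on a host with Tamper Protection on, Defender is designed to reject that change.

```python
"""Flag Windows Defender tampering in registry-write events (ATT&CK T1562.001).

Added example for this report, not part of the sandbox output. Input records
are a constructed, simplified shape (process image, registry path including
the value name, data string); the malicious sample events are the writes this
report attributes to pr938007.exe.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Policy values under Real-Time Protection that switch off a Defender
# component when set to 1.
RTP_DISABLE_VALUES = frozenset({
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableRealtimeMonitoring",
    "DisableScanOnRealtimeEnable",
})

# Accept the WOW6432Node (32-bit redirected) path seen in the report and the
# native 64-bit path, so a 64-bit dropper is caught too.
RTP_RE = re.compile(
    r"^\\REGISTRY\\MACHINE\\SOFTWARE\\(?:WOW6432Node\\)?Policies\\Microsoft"
    r"\\Windows Defender\\Real-Time Protection\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
TAMPER_RE = re.compile(
    r"^\\REGISTRY\\MACHINE\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft"
    r"\\Windows Defender\\Features\\TamperProtection$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class RegEvent:
    image: str  # process that performed the write
    path: str   # full registry path, value name last
    data: str   # data written, as the sandbox renders it, e.g. '"1"'


@dataclass(frozen=True)
class Finding:
    image: str
    detail: str


def classify(ev: RegEvent) -> Optional[Finding]:
    """Return a Finding if the write disables a Defender protection, else None."""
    data = ev.data.strip().strip('"')
    m = RTP_RE.match(ev.path)
    if m and m.group("name") in RTP_DISABLE_VALUES and data == "1":
        return Finding(ev.image, f"Real-Time Protection policy {m.group('name')} = 1")
    if TAMPER_RE.match(ev.path) and data == "0":
        return Finding(ev.image, "TamperProtection = 0")
    return None


def detect(events: Iterable[RegEvent]) -> list:
    return [f for f in (classify(e) for e in events) if f is not None]


def score_by_process(findings: Iterable[Finding]) -> dict:
    """One disable switch per process is 'medium' (policy tooling can do that);
    two or more in one run, as this sample does, is 'high'."""
    counts: dict = {}
    for f in findings:
        counts[f.image] = counts.get(f.image, 0) + 1
    return {img: ("high" if n >= 2 else "medium") for img, n in counts.items()}


# Constructed sample: the report's five Real-Time Protection writes and the
# TamperProtection write, plus two benign records that must not fire (a write
# that re-enables monitoring from a hypothetical policy tool, and the
# non-Defender RunOnce write from un899115.exe).
BASE_WOW = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node"
HEALER_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr938007.exe"
RTP_KEY = BASE_WOW + r"\Policies\Microsoft\Windows Defender\Real-Time Protection"
SAMPLE_EVENTS = [
    RegEvent(HEALER_IMAGE, RTP_KEY + r"\DisableBehaviorMonitoring", '"1"'),
    RegEvent(HEALER_IMAGE, RTP_KEY + r"\DisableIOAVProtection", '"1"'),
    RegEvent(HEALER_IMAGE, RTP_KEY + r"\DisableOnAccessProtection", '"1"'),
    RegEvent(HEALER_IMAGE, RTP_KEY + r"\DisableRealtimeMonitoring", '"1"'),
    RegEvent(HEALER_IMAGE, RTP_KEY + r"\DisableScanOnRealtimeEnable", '"1"'),
    RegEvent(HEALER_IMAGE, BASE_WOW + r"\Microsoft\Windows Defender\Features\TamperProtection", '"0"'),
    RegEvent(r"C:\Windows\System32\gpupdate.exe",
             r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
             '"0"'),
    RegEvent(r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un899115.exe",
             BASE_WOW + r"\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1",
             '"rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 ..."'),
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.image}: {f.detail}")
    print(score_by_process(found))
```

The value check matters: the same DisableRealtimeMonitoring value written as 0 re-enables the component and must not raise the finding, which is why the benign gpupdate.exe record (constructed) is in the sample.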
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un899115.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\6df258d780c728ca060dc16da8f830cb5a989187d38bc99a74597df9d25ef1dd.exe | N/A |
Note: both RunOnce entries are the standard cleanup records written by the Windows WEXTRACT self-extractor (the IXP000.TMP and IXP001.TMP folders are its extraction directories). DelNodeRunDLL32 in advpack.dll deletes the named directory at the next logon; it does not start the payload, so this hit reflects the nested self-extracting droppers cleaning up after themselves rather than persistence.
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr938007.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6df258d780c728ca060dc16da8f830cb5a989187d38bc99a74597df9d25ef1dd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un899115.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr938007.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu550764.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr938007.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr938007.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr938007.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu550764.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\6df258d780c728ca060dc16da8f830cb5a989187d38bc99a74597df9d25ef1dd.exe | "C:\Users\Admin\AppData\Local\Temp\6df258d780c728ca060dc16da8f830cb5a989187d38bc99a74597df9d25ef1dd.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un899115.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un899115.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr938007.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr938007.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2084 -ip 2084 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 1076 |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu550764.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu550764.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.161.248.153:38452 | | tcp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| RU | 185.161.248.153:38452 | | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| RU | 185.161.248.153:38452 | | tcp |
| RU | 185.161.248.153:38452 | | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| RU | 185.161.248.153:38452 | | tcp |
| RU | 185.161.248.153:38452 | | tcp |
| RU | 185.161.248.153:38452 | | tcp |
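The Network table mixes two kinds of rows: UDP queries to 8.8.8.8 for in-addr.arpa names, which are reverse (PTR) lookups the Windows guest typically issues for addresses it contacts in the background, and seven repeated TCP connections to 185.161.248.153:38452, the only direct endpoint in the capture. The report does not attribute the TCP connection to a process. The script below is an added example for this page, not sandbox output: it parses the table as written (tolerating the empty Domain cell and the column shift those TCP rows had in the raw extraction), converts the PTR names back to dotted IPs so they can be checked against allow-lists, and reports the repeated non-DNS endpoint as the candidate C2. The table text is embedded as a constructed string copied from this report.

```python
"""Separate the direct C2 connection from resolver noise in a sandbox network table.

Added example for this report, not part of the sandbox output. NETWORK_TABLE is
the report's Network table embedded as a constructed string.
"""
import re
from collections import Counter
from typing import Optional

NETWORK_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.161.248.153:38452 | tcp | |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| RU | 185.161.248.153:38452 | | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| RU | 185.161.248.153:38452 | | tcp |
| RU | 185.161.248.153:38452 | | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| RU | 185.161.248.153:38452 | | tcp |
| RU | 185.161.248.153:38452 | | tcp |
| RU | 185.161.248.153:38452 | tcp |
"""

PTR_RE = re.compile(
    r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$", re.IGNORECASE
)


def ptr_to_ip(name: str) -> Optional[str]:
    """'232.168.11.51.in-addr.arpa' -> '51.11.168.232' (PTR names list octets reversed)."""
    m = PTR_RE.match(name.strip())
    return ".".join(reversed(m.groups())) if m else None


def parse_rows(table: str) -> list:
    """Parse pipe-delimited rows into dicts keyed by the header names.

    Rows with a missing or shifted empty cell (as the raw TCP rows have) are
    normalised so that Proto always holds the protocol.
    """
    lines = [ln for ln in table.splitlines() if ln.strip().startswith("|")]
    header = [c.strip() for c in lines[0].strip().strip("|").split("|")]
    rows = []
    for line in lines[1:]:
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        cells += [""] * (len(header) - len(cells))
        row = dict(zip(header, cells[: len(header)]))
        if row["Proto"] == "" and row["Domain"].lower() in ("tcp", "udp"):
            row["Proto"], row["Domain"] = row["Domain"], ""
        rows.append(row)
    return rows


def triage(table: str) -> dict:
    """Split the table into PTR-lookup targets and counted direct connections."""
    ptr_targets = []
    connections: Counter = Counter()
    for r in parse_rows(table):
        ip = ptr_to_ip(r["Domain"]) if r["Domain"] else None
        if r["Proto"].lower() == "udp" and r["Destination"].endswith(":53") and ip:
            ptr_targets.append(ip)
            continue
        host, _, port = r["Destination"].rpartition(":")
        connections[(host, int(port), r["Proto"].lower(), r["Country"])] += 1
    return {"ptr_targets": ptr_targets, "connections": connections}


def candidate_c2(table: str, min_hits: int = 2) -> list:
    """Direct TCP endpoints contacted at least min_hits times, most frequent first."""
    conns = triage(table)["connections"]
    return [(h, p) for (h, p, proto, _), n in conns.most_common()
            if proto == "tcp" and n >= min_hits]


if __name__ == "__main__":
    result = triage(NETWORK_TABLE)
    print("PTR lookups resolved for:", result["ptr_targets"])
    print("direct connections:", dict(result["connections"]))
    print("candidate C2:", candidate_c2(NETWORK_TABLE))
```

The reversed PTR names resolve to addresses such as 51.11.168.232 and 52.111.236.21; check those against the environment's known Windows and CDN ranges before treating them as indicators, and block or hunt on 185.161.248.153:38452, which the report shows as the only endpoint the sample talks to directly.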
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un899115.exe
| MD5 | 9e6de9329eef1cfb57af938f064f5794 |
| SHA1 | ada9daf1bd6a414de05c8f75961c2d866b513e1a |
| SHA256 | 63bf39d53d4996c5fd5dfb625bf2a299d01fb8f47902bd549b0779d43c6bbec8 |
| SHA512 | df26de995cb28ce280bf4b150107f727fc746978477967578c82b4569cd780695841608bbd2e48e98e05f03d152fc07f34202b2afd5c916ea69d795f9ce8c32c |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr938007.exe
| MD5 | e548f46d8f6f68b524aeaa561970750b |
| SHA1 | 0bbd0950e2e5bc0df8465c0f3c7461b69050bb54 |
| SHA256 | 79a000a3eeaae5f078a3c8d2b8d5e9b6037d0258f1abd60d9de5dbe3a56e977f |
| SHA512 | e6a37e6d1774a3ee5f6c53ae5e32d66eb179882671513f3c6f476072c7ee46b1ea58459dfc759667891f6dd2a4dda940e49f34d31a7363cfccbac13d6210cf9e |
memory/2084-15-0x0000000002F00000-0x0000000003000000-memory.dmp
memory/2084-16-0x0000000002C90000-0x0000000002CBD000-memory.dmp
memory/2084-17-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2084-18-0x0000000002E70000-0x0000000002E8A000-memory.dmp
memory/2084-19-0x00000000073F0000-0x0000000007994000-memory.dmp
memory/2084-20-0x00000000048F0000-0x0000000004908000-memory.dmp
memory/2084-26-0x00000000048F0000-0x0000000004902000-memory.dmp
memory/2084-46-0x00000000048F0000-0x0000000004902000-memory.dmp
memory/2084-48-0x00000000048F0000-0x0000000004902000-memory.dmp
memory/2084-45-0x00000000048F0000-0x0000000004902000-memory.dmp
memory/2084-42-0x00000000048F0000-0x0000000004902000-memory.dmp
memory/2084-40-0x00000000048F0000-0x0000000004902000-memory.dmp
memory/2084-38-0x00000000048F0000-0x0000000004902000-memory.dmp
memory/2084-37-0x00000000048F0000-0x0000000004902000-memory.dmp
memory/2084-34-0x00000000048F0000-0x0000000004902000-memory.dmp
memory/2084-32-0x00000000048F0000-0x0000000004902000-memory.dmp
memory/2084-30-0x00000000048F0000-0x0000000004902000-memory.dmp
memory/2084-28-0x00000000048F0000-0x0000000004902000-memory.dmp
memory/2084-24-0x00000000048F0000-0x0000000004902000-memory.dmp
memory/2084-22-0x00000000048F0000-0x0000000004902000-memory.dmp
memory/2084-21-0x00000000048F0000-0x0000000004902000-memory.dmp
memory/2084-49-0x0000000002F00000-0x0000000003000000-memory.dmp
memory/2084-50-0x0000000002C90000-0x0000000002CBD000-memory.dmp
memory/2084-52-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2084-51-0x0000000000400000-0x0000000002BB1000-memory.dmp
memory/2084-55-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu550764.exe
| MD5 | 0c22d75e5b6393c3703fb937f5a5483f |
| SHA1 | 6af6fc45cf79ab2ab416c69a66650a684a85cd4d |
| SHA256 | d5d5525308f4a1b6f3bbc48f0595cbe1c9ec7d7a7317ff220e2c97c1356556c6 |
| SHA512 | 1e92508e4ef2ceade5af0d932834a6ec9b3a7618d394c8c2b39ccef9de439a2d79ca3729e7ccee6c4d6985c55ea092ad89cd73669400c0dfe873abb3d047c994 |
memory/2084-54-0x0000000000400000-0x0000000002BB1000-memory.dmp
memory/5056-60-0x0000000004AC0000-0x0000000004AFC000-memory.dmp
memory/5056-61-0x0000000004B50000-0x0000000004B8A000-memory.dmp
memory/5056-81-0x0000000004B50000-0x0000000004B85000-memory.dmp
memory/5056-85-0x0000000004B50000-0x0000000004B85000-memory.dmp
memory/5056-83-0x0000000004B50000-0x0000000004B85000-memory.dmp
memory/5056-95-0x0000000004B50000-0x0000000004B85000-memory.dmp
memory/5056-93-0x0000000004B50000-0x0000000004B85000-memory.dmp
memory/5056-91-0x0000000004B50000-0x0000000004B85000-memory.dmp
memory/5056-89-0x0000000004B50000-0x0000000004B85000-memory.dmp
memory/5056-87-0x0000000004B50000-0x0000000004B85000-memory.dmp
memory/5056-79-0x0000000004B50000-0x0000000004B85000-memory.dmp
memory/5056-77-0x0000000004B50000-0x0000000004B85000-memory.dmp
memory/5056-75-0x0000000004B50000-0x0000000004B85000-memory.dmp
memory/5056-73-0x0000000004B50000-0x0000000004B85000-memory.dmp
memory/5056-71-0x0000000004B50000-0x0000000004B85000-memory.dmp
memory/5056-69-0x0000000004B50000-0x0000000004B85000-memory.dmp
memory/5056-67-0x0000000004B50000-0x0000000004B85000-memory.dmp
memory/5056-65-0x0000000004B50000-0x0000000004B85000-memory.dmp
memory/5056-63-0x0000000004B50000-0x0000000004B85000-memory.dmp
memory/5056-62-0x0000000004B50000-0x0000000004B85000-memory.dmp
memory/5056-854-0x0000000009C90000-0x000000000A2A8000-memory.dmp
memory/5056-855-0x000000000A350000-0x000000000A362000-memory.dmp
memory/5056-856-0x000000000A370000-0x000000000A47A000-memory.dmp
memory/5056-857-0x000000000A4A0000-0x000000000A4DC000-memory.dmp
memory/5056-858-0x00000000049B0000-0x00000000049FC000-memory.dmp