Analysis Overview
SHA256
d60e64d13ecbd0edc597e82a0cf6b4e153e86a28a1b6523378f3cc21f0cd5d75
Threat Level: Known bad
The file d60e64d13ecbd0edc597e82a0cf6b4e153e86a28a1b6523378f3cc21f0cd5d75 was found to be: Known bad.
Malicious Activity Summary
Redline family
Detects Healer an antivirus disabler dropper
RedLine payload
Healer
RedLine
Modifies Windows Defender Real-time Protection settings
Healer family
Executes dropped EXE
Windows security modification
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 00:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 00:48
Reported
2024-11-10 00:50
Platform
win10v2004-20241007-en
Max time kernel
138s
Max time network
146s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4159681.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4159681.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4159681.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4159681.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4159681.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4159681.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2258387.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4159681.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8291268.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4159681.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4159681.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\d60e64d13ecbd0edc597e82a0cf6b4e153e86a28a1b6523378f3cc21f0cd5d75.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2258387.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d60e64d13ecbd0edc597e82a0cf6b4e153e86a28a1b6523378f3cc21f0cd5d75.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2258387.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4159681.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8291268.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4159681.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4159681.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\d60e64d13ecbd0edc597e82a0cf6b4e153e86a28a1b6523378f3cc21f0cd5d75.exe | "C:\Users\Admin\AppData\Local\Temp\d60e64d13ecbd0edc597e82a0cf6b4e153e86a28a1b6523378f3cc21f0cd5d75.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2258387.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2258387.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4159681.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4159681.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8291268.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8291268.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| FI | 77.91.124.251:19069 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| FI | 77.91.124.251:19069 | | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| FI | 77.91.124.251:19069 | | tcp |
| FI | 77.91.124.251:19069 | | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| FI | 77.91.124.251:19069 | | tcp |
| FI | 77.91.124.251:19069 | | tcp |
| FI | 77.91.124.251:19069 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2258387.exe
| Hash | Value |
| --- | --- |
| MD5 | 4192dcec8a09c53db7392d97dce22c1d |
| SHA1 | 0a6185daed30c6e50ebc719a88b6570b1630508b |
| SHA256 | 5f68d1fb8a272e948f4f73a88c4cbed5c54f5c1e1912ab1d50003eafd1ea1bf1 |
| SHA512 | 27f32c0e316f1cf1f700d04eafa0c50e1e697fe95638ce4d1239d5aa6defdb2a33d6b752eba7b376df16fba00c4c8a2b4aa84406d944e672c978b3e707fc11de |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4159681.exe
| Hash | Value |
| --- | --- |
| MD5 | 31efd3ebb928fab6d261e5f67a9e4970 |
| SHA1 | 054ebca622f337e29b83c1b25a72f9f51a096cec |
| SHA256 | c59ad7f60e981d83514332bcc94513434f262142c0ba171ba0e21186fc232a6d |
| SHA512 | b70f630c51d8a88ac98f1b7033e622f2e97c9661407aee46a2ffc60dcfff8f5769aa257d5626829b3bd28d405591d91c8bb13d49a2c93ec9a6382ba6ac8c3d2d |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8291268.exe
| Hash | Value |
| --- | --- |
| MD5 | 0d79f2e411dc275f0a96fed19d0ee0f7 |
| SHA1 | a6aec4f7c5bc82c1e4ec4b5bf1adbc65d18452e9 |
| SHA256 | 59eade537224d7c4f5f79baea68cbe4400d0fa273b8849ebfdb2667eac7068fe |
| SHA512 | e048878812f790218b9a5ba65290ddb17543146ea0e883faf008a1438547e0917d4d1a67b08e95bd73b874e3497c312309c53cccc259abfe181cbcb5a6fbc834 |