Analysis Overview
SHA256
60030ecc6b5fd606c7f00bdbceb76de28a8f554e6ab1836fc3f58d86d7ad8b39
Threat Level: Known bad
The file 60030ecc6b5fd606c7f00bdbceb76de28a8f554e6ab1836fc3f58d86d7ad8b39 was found to be: Known bad.
Malicious Activity Summary
Healer
RedLine payload
RedLine
Redline family
Detects Healer an antivirus disabler dropper
Healer family
Modifies Windows Defender Real-time Protection settings
Executes dropped EXE
Windows security modification
Adds Run key to start application
Suspicious use of SetThreadContext
Program crash
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:45
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:45
Reported
2024-11-10 01:47
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\16087329.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\16087329.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\16087329.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\16087329.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\16087329.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\16087329.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un851024.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\16087329.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk984009.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk984009.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si636532.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\16087329.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\16087329.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\60030ecc6b5fd606c7f00bdbceb76de28a8f554e6ab1836fc3f58d86d7ad8b39.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un851024.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5064 set thread context of 1496 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk984009.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk984009.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\16087329.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk984009.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk984009.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si636532.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\60030ecc6b5fd606c7f00bdbceb76de28a8f554e6ab1836fc3f58d86d7ad8b39.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un851024.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\16087329.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\16087329.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\16087329.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\16087329.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk984009.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\60030ecc6b5fd606c7f00bdbceb76de28a8f554e6ab1836fc3f58d86d7ad8b39.exe
"C:\Users\Admin\AppData\Local\Temp\60030ecc6b5fd606c7f00bdbceb76de28a8f554e6ab1836fc3f58d86d7ad8b39.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un851024.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un851024.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\16087329.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\16087329.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1112 -ip 1112
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 1080
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk984009.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk984009.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk984009.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk984009.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si636532.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si636532.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 72.208.201.84.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| RU | 185.161.248.143:38452 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un851024.exe
| MD5 | 923dd840d11ad83a7b8a0aa0ec580bd9 |
| SHA1 | 998c072ba8715c67129b0d4c2e47402b316778ab |
| SHA256 | 2ee4de028dbab8107c78417ed2820c7938a19b036a4ac19ffe323b4bf121f8f2 |
| SHA512 | 487e6e25cc437077e42f3c138f216d5956e8d26152d03bda268f6afe606be64585dd39f45dbbd117ad3a6aeb027466a77b1203b9d2291a5c8c3e1e99c6f62a15 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\16087329.exe
| MD5 | e316c2de777d55b98eb76fa4b278de7f |
| SHA1 | 11cac13b2850abeef8d1d359f24fb7865173f6dd |
| SHA256 | bc3e53579b9cde6683fa8d45c6e62e53c6c337e9f0f44ff7808ab58474060c17 |
| SHA512 | ef9c8ea766877b8ae7413d17d565a6a43af6f641fe8e344a0036cd8eb0ac060a3a98c7ce7aa21ffdd7242b4b44d187ab64e966d7af4e50db58bc64d21d6e4104 |
memory/1112-15-0x0000000000480000-0x0000000000580000-memory.dmp
memory/1112-16-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1112-17-0x0000000000400000-0x0000000000455000-memory.dmp
memory/1112-18-0x0000000000400000-0x0000000000455000-memory.dmp
memory/1112-19-0x0000000002330000-0x000000000234A000-memory.dmp
memory/1112-20-0x00000000049A0000-0x0000000004F44000-memory.dmp
memory/1112-21-0x0000000004FB0000-0x0000000004FC8000-memory.dmp
memory/1112-22-0x0000000004FB0000-0x0000000004FC3000-memory.dmp
memory/1112-49-0x0000000004FB0000-0x0000000004FC3000-memory.dmp
memory/1112-47-0x0000000004FB0000-0x0000000004FC3000-memory.dmp
memory/1112-46-0x0000000004FB0000-0x0000000004FC3000-memory.dmp
memory/1112-44-0x0000000004FB0000-0x0000000004FC3000-memory.dmp
memory/1112-41-0x0000000004FB0000-0x0000000004FC3000-memory.dmp
memory/1112-40-0x0000000004FB0000-0x0000000004FC3000-memory.dmp
memory/1112-37-0x0000000004FB0000-0x0000000004FC3000-memory.dmp
memory/1112-35-0x0000000004FB0000-0x0000000004FC3000-memory.dmp
memory/1112-33-0x0000000004FB0000-0x0000000004FC3000-memory.dmp
memory/1112-31-0x0000000004FB0000-0x0000000004FC3000-memory.dmp
memory/1112-29-0x0000000004FB0000-0x0000000004FC3000-memory.dmp
memory/1112-27-0x0000000004FB0000-0x0000000004FC3000-memory.dmp
memory/1112-25-0x0000000004FB0000-0x0000000004FC3000-memory.dmp
memory/1112-23-0x0000000004FB0000-0x0000000004FC3000-memory.dmp
memory/1112-50-0x0000000000480000-0x0000000000580000-memory.dmp
memory/1112-51-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1112-54-0x0000000000400000-0x0000000000455000-memory.dmp
memory/1112-55-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk984009.exe
| MD5 | bf70b37bcbd0f719e03a982c6c588d77 |
| SHA1 | 32a932047845ebe2a8a2b22d48dc2af192a18d91 |
| SHA256 | 17ed923cb1e879ec89be82253dbfda9a6d14d4f1272706bd340f589df2874279 |
| SHA512 | 27e03eabf35e3c507fb943b4953e1919c386ef986683d81e650a0dda5185907eb032e1acb3fa493f8e768b36439ddf61e2cfea76979d001c4986a609f588e0bd |
memory/1496-60-0x0000000000400000-0x0000000000449000-memory.dmp
memory/1496-64-0x0000000000400000-0x0000000000449000-memory.dmp
memory/1496-62-0x0000000000400000-0x0000000000449000-memory.dmp
memory/1496-68-0x00000000021F0000-0x000000000222C000-memory.dmp
memory/1496-70-0x0000000004A50000-0x0000000004A8A000-memory.dmp
memory/2160-69-0x0000000000E70000-0x0000000000E98000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si636532.exe
| MD5 | e1c805d3cefe221689da30b8a2d944f2 |
| SHA1 | a9a94fd89ed22c2a127c81f6e57f822eae1d9f26 |
| SHA256 | 32023b065401cf468d0088e334ad60bf12afc3d552030a6a3500e74500de735a |
| SHA512 | 7801b1432717a8105f7f255d7387eaffa264eddf74e6b782776d548f9dbb82b5223c7412df3cbc8e91cc63988e2e04a8160280f697e93d0fa5d056dc183252e7 |
memory/1496-72-0x0000000004A50000-0x0000000004A85000-memory.dmp
memory/1496-100-0x0000000004A50000-0x0000000004A85000-memory.dmp
memory/1496-98-0x0000000004A50000-0x0000000004A85000-memory.dmp
memory/1496-96-0x0000000004A50000-0x0000000004A85000-memory.dmp
memory/1496-95-0x0000000004A50000-0x0000000004A85000-memory.dmp
memory/1496-92-0x0000000004A50000-0x0000000004A85000-memory.dmp
memory/1496-90-0x0000000004A50000-0x0000000004A85000-memory.dmp
memory/1496-89-0x0000000004A50000-0x0000000004A85000-memory.dmp
memory/1496-86-0x0000000004A50000-0x0000000004A85000-memory.dmp
memory/1496-84-0x0000000004A50000-0x0000000004A85000-memory.dmp
memory/1496-82-0x0000000004A50000-0x0000000004A85000-memory.dmp
memory/1496-80-0x0000000004A50000-0x0000000004A85000-memory.dmp
memory/1496-78-0x0000000004A50000-0x0000000004A85000-memory.dmp
memory/1496-76-0x0000000004A50000-0x0000000004A85000-memory.dmp
memory/1496-74-0x0000000004A50000-0x0000000004A85000-memory.dmp
memory/1496-71-0x0000000004A50000-0x0000000004A85000-memory.dmp
memory/2160-282-0x0000000008160000-0x0000000008778000-memory.dmp
memory/2160-465-0x0000000007D00000-0x0000000007E0A000-memory.dmp
memory/2160-713-0x0000000007C30000-0x0000000007C6C000-memory.dmp
memory/2160-464-0x0000000007BD0000-0x0000000007BE2000-memory.dmp
memory/2160-867-0x0000000005070000-0x00000000050BC000-memory.dmp