Analysis Overview
SHA256
1e7abcdf7bba9dba7555b7db59997ebd962e44368ff0284bcffe846463f5750e
Threat Level: Known bad
The file 1e7abcdf7bba9dba7555b7db59997ebd962e44368ff0284bcffe846463f5750e was found to be: Known bad.
Malicious Activity Summary
Redline family
Healer family
Detects Healer an antivirus disabler dropper
RedLine payload
RedLine
Healer
Modifies Windows Defender Real-time Protection settings
Executes dropped EXE
Windows security modification
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:45
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:45
Reported
2024-11-10 01:47
Platform
win10v2004-20241007-en
Max time kernel
143s
Max time network
150s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(17 hits recorded for this signature, all without description, indicator, process or target.)
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr696125.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr696125.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr696125.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr696125.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr696125.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr696125.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(20 hits recorded for this signature, all without description, indicator, process or target.)
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un142277.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un682737.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr696125.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu772365.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr696125.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr696125.exe | N/A |
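The two tables above list the Defender settings pr696125.exe turned off: five Real-Time Protection policy values set to 1 and TamperProtection set to 0. The following is an added example, not part of this report or of the sample, that flags the same writes in Sysmon Event ID 13 (RegistryEvent SetValue) telemetry; the event records are constructed and the field names follow Sysmon's schema. Two caveats for anyone hunting on this: the report shows the keys under WOW6432Node because the writer is a 32-bit process (its crash was handled by SysWOW64\WerFault.exe), so the check strips the WOW6432Node component and matches the native view as well; and on a host where Tamper Protection is enforced these writes are typically blocked, so the attempt itself, not a successful change, is the signal.

```python
"""Flag Defender kill-switch registry writes in Sysmon Event ID 13 style events.

Added example, not part of the sandbox report. SAMPLE_EVENTS is constructed to
mirror the writes the report attributes to pr696125.exe (pid 1216).
"""
import re

# Value name -> data the dropper wrote, per the report. TamperProtection sits
# under ...\Windows Defender\Features; the rest under the Real-Time Protection
# policy key.
DEFENDER_KILL_SWITCHES = {
    "disablerealtimemonitoring": 1,
    "disablebehaviormonitoring": 1,
    "disableioavprotection": 1,
    "disableonaccessprotection": 1,
    "disablescanonrealtimeenable": 1,
    "tamperprotection": 0,
}

# Parent key paths (after normalisation) under which those values matter.
KEY_PATTERNS = (
    r"policies\\microsoft\\windows defender\\real-time protection$",
    r"microsoft\\windows defender\\features$",
)


def normalize_key(path: str) -> str:
    """Lower-case, drop the hive prefix and any WOW6432Node component.

    The report shows the 32-bit view (REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node);
    hunting must also match the native view, so both collapse to one string.
    """
    p = path.lower().replace("/", "\\")
    p = re.sub(r"^(\\registry\\machine\\|hklm\\|hkey_local_machine\\)", "", p)
    return p.replace("\\wow6432node\\", "\\")


def parse_dword(details: str):
    """Sysmon renders REG_DWORD as 'DWORD (0x00000001)'; the sandbox shows "1"."""
    m = re.search(r"0x([0-9a-f]+)", details, re.I)
    if m:
        return int(m.group(1), 16)
    m = re.fullmatch(r'"?(\d+)"?', details.strip())
    return int(m.group(1)) if m else None


def check_event(event: dict):
    """Return a finding if this SetValue switches a Defender protection off."""
    key = normalize_key(event["TargetObject"])
    parent, _, name = key.rpartition("\\")
    if not any(re.search(pat, parent) for pat in KEY_PATTERNS):
        return None
    expected = DEFENDER_KILL_SWITCHES.get(name)
    if expected is None or parse_dword(event.get("Details", "")) != expected:
        return None
    return {"pid": event["ProcessId"], "image": event["Image"], "value": name}


def scan(events):
    """All Defender-disabling writes in a batch of registry events."""
    return [f for f in map(check_event, events) if f]


# Constructed sample events (not the report's raw telemetry).
SAMPLE_EVENTS = [
    {   # matches the report: 32-bit dropper writing through WOW6432Node
        "EventID": 13, "ProcessId": 1216,
        "Image": r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr696125.exe",
        "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
        "Details": "DWORD (0x00000001)",
    },
    {   # same process switching Tamper Protection off
        "EventID": 13, "ProcessId": 1216,
        "Image": r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr696125.exe",
        "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection",
        "Details": "DWORD (0x00000000)",
    },
    {   # policy refresh re-enabling real-time protection: not a finding
        "EventID": 13, "ProcessId": 2044,
        "Image": r"C:\Windows\System32\svchost.exe",
        "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
        "Details": "DWORD (0x00000000)",
    },
    {   # unrelated vendor key with the same value name: not a finding
        "EventID": 13, "ProcessId": 3120,
        "Image": r"C:\Program Files\Contoso\agent.exe",
        "TargetObject": r"HKLM\SOFTWARE\Contoso\DisableRealtimeMonitoring",
        "Details": "DWORD (0x00000001)",
    },
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Run directly it prints the two findings for pid 1216. For live Windows Event Log input, map the EventData fields of Event ID 13 (Image, ProcessId, TargetObject, Details) onto the same dict keys; the value comparison is deliberately strict so that a Group Policy refresh writing 0 to DisableRealtimeMonitoring does not alert.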
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\1e7abcdf7bba9dba7555b7db59997ebd962e44368ff0284bcffe846463f5750e.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un142277.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un682737.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr696125.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1e7abcdf7bba9dba7555b7db59997ebd962e44368ff0284bcffe846463f5750e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un142277.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un682737.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr696125.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu772365.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr696125.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr696125.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr696125.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu772365.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1e7abcdf7bba9dba7555b7db59997ebd962e44368ff0284bcffe846463f5750e.exe
"C:\Users\Admin\AppData\Local\Temp\1e7abcdf7bba9dba7555b7db59997ebd962e44368ff0284bcffe846463f5750e.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un142277.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un142277.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un682737.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un682737.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr696125.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr696125.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1216 -ip 1216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 1064
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu772365.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu772365.exe
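The RunOnce values in the "Adds Run key to start application" table are wextract's cleanup entries, not a persistence mechanism: wextract.exe, the self-extractor stub used by IExpress packages, unpacks into %TEMP%\IXP%03d.TMP and registers rundll32 advpack.dll,DelNodeRunDLL32 to delete that directory at the next logon. Because each dropped stage registered its own entry, the three entries together with the process list describe a three-layer nested package. The following added example, not from the report or the sample, reconstructs that chain from the report's own RunOnce and Processes data, copied into the block with the JSON-escaped (doubled) backslashes collapsed to single ones; WerFault.exe is omitted because it is the crash handler, not a dropped file.

```python
"""Reconstruct the nested wextract (IExpress) layering from this report.

Added example, not from the report or the sample. RUNONCE_ENTRIES and
PROCESS_IMAGES are copied from the report's tables.
"""
import ntpath
import re

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\1e7abcdf7bba9dba7555b7db59997ebd962e44368ff0284bcffe846463f5750e.exe"

# (value name, value data, process that wrote it), from the RunOnce table.
RUNONCE_ENTRIES = [
    ("wextract_cleanup0",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"',
     SAMPLE_EXE),
    ("wextract_cleanup1",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"',
     r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un142277.exe"),
    ("wextract_cleanup2",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\"',
     r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un682737.exe"),
]

# Distinct images from the Processes section (WerFault.exe left out: crash handler).
PROCESS_IMAGES = [
    SAMPLE_EXE,
    r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un142277.exe",
    r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un682737.exe",
    r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr696125.exe",
    r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu772365.exe",
]

# DelNodeRunDLL32 "<dir>" with an optional trailing backslash inside the quotes.
CLEANUP_RE = re.compile(r'advpack\.dll,DelNodeRunDLL32\s+"([^"]+?)\\?"', re.I)


def is_wextract_cleanup(value_name: str, value_data: str) -> bool:
    """True for the RunOnce entry wextract registers to delete its IXP*.TMP dir."""
    return (value_name.lower().startswith("wextract_cleanup")
            and CLEANUP_RE.search(value_data) is not None)


def cleanup_dir(value_data: str):
    """Directory named in a DelNodeRunDLL32 command, normalised for comparison."""
    m = CLEANUP_RE.search(value_data)
    return ntpath.normcase(m.group(1)) if m else None


def extraction_chain(runonce, images, root):
    """Walk outer stub -> its IXPnnn.TMP -> dropped files -> inner stub -> ...

    A process that registered a wextract_cleanup entry is itself a wextract
    stub, and the directory it wants deleted is where it unpacked its payload.
    """
    stubs = {ntpath.normcase(img): cleanup_dir(data)
             for name, data, img in runonce if is_wextract_cleanup(name, data)}
    by_dir = {}
    for img in images:
        by_dir.setdefault(ntpath.normcase(ntpath.dirname(img)), []).append(img)

    chain, seen = [], set()
    current = ntpath.normcase(root)
    while current in stubs and current not in seen:
        seen.add(current)
        target = stubs[current]
        dropped = by_dir.get(target, [])
        chain.append({"stub": current, "extracts_to": target, "drops": dropped})
        inner = [d for d in dropped if ntpath.normcase(d) in stubs]
        current = ntpath.normcase(inner[0]) if inner else None
    return chain


if __name__ == "__main__":
    for depth, layer in enumerate(extraction_chain(RUNONCE_ENTRIES, PROCESS_IMAGES, SAMPLE_EXE)):
        print(depth, ntpath.basename(layer["stub"]), "->", layer["extracts_to"],
              [ntpath.basename(d) for d in layer["drops"]])
```

The innermost layer (IXP002.TMP) yields two executables; the report attributes the Defender tampering, the process enumeration and the crash (pid 1216) to pr696125.exe, and both it and qu772365.exe acquire SeDebugPrivilege. is_wextract_cleanup() is the check to apply when triaging "Adds Run key" alerts: a wextract_cleanupN value pointing at an IXP directory is cleanup by construction, and the interesting artefact is what was unpacked into that directory before it is deleted.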
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.161.248.153:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| RU | 185.161.248.153:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| RU | 185.161.248.153:38452 | N/A | tcp |
| RU | 185.161.248.153:38452 | N/A | tcp |
| RU | 185.161.248.153:38452 | N/A | tcp |
| RU | 185.161.248.153:38452 | N/A | tcp |
| RU | 185.161.248.153:38452 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un142277.exe
| MD5 | 164846ad2082c35af8d719dd1b49a0e6 |
| SHA1 | 2e07a33bb23505f317e720ec2877e241ad2748b7 |
| SHA256 | 5aa2f76898818c41e2db06456ecdd98322ece486a09c561fd1b8359b8823bba6 |
| SHA512 | 3c3782ac79becd17226dfcfcc4fa509f3e9e4c78185f9a6b2635df4cd3787fcd52a9c2b2614f19be55430775a062df8709e95849a8f4ba52a7b8129535fb35b3 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un682737.exe
| MD5 | 6d5a9bd0db0c9d2720a71009f3416bbc |
| SHA1 | 394ad5bb5ad2422c08e5c39c60bf50ef5b9a2232 |
| SHA256 | b37c1d3dff5b305a0a43273f45b1e2ff37512c8297cbbc84b338276c38ec23e2 |
| SHA512 | 4e1ee70b56e03385075aaa15b4190e3457c09bd1dca6c3dc3bcd95a6561d093b9bf18dc158a60944f8e7708ff7a8d7a35e6aee868d9545c8341429aa466fde62 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr696125.exe
| MD5 | 846591f285e04961098c5c11d20000fd |
| SHA1 | 1c8ca3a10e0be63a99620837dc7bf6b348354acf |
| SHA256 | 14a279e5b91a0c811af64e46e81a3567a47ad71ef2f925bc9f70abd70941d2bd |
| SHA512 | c60cfd228e06159128430b39ba573f044acf9cb874ff4b48bef2471db617034249e0a4fa3b26af74e3f55987c61c5e02b37b39074bb311f6380d76bbd14c33cf |
memory/1216-22-0x0000000004850000-0x000000000486A000-memory.dmp
memory/1216-23-0x00000000072D0000-0x0000000007874000-memory.dmp
memory/1216-24-0x0000000007150000-0x0000000007168000-memory.dmp
memory/1216-40-0x0000000007150000-0x0000000007162000-memory.dmp
memory/1216-28-0x0000000007150000-0x0000000007162000-memory.dmp
memory/1216-52-0x0000000007150000-0x0000000007162000-memory.dmp
memory/1216-50-0x0000000007150000-0x0000000007162000-memory.dmp
memory/1216-48-0x0000000007150000-0x0000000007162000-memory.dmp
memory/1216-46-0x0000000007150000-0x0000000007162000-memory.dmp
memory/1216-44-0x0000000007150000-0x0000000007162000-memory.dmp
memory/1216-42-0x0000000007150000-0x0000000007162000-memory.dmp
memory/1216-39-0x0000000007150000-0x0000000007162000-memory.dmp
memory/1216-36-0x0000000007150000-0x0000000007162000-memory.dmp
memory/1216-34-0x0000000007150000-0x0000000007162000-memory.dmp
memory/1216-32-0x0000000007150000-0x0000000007162000-memory.dmp
memory/1216-30-0x0000000007150000-0x0000000007162000-memory.dmp
memory/1216-26-0x0000000007150000-0x0000000007162000-memory.dmp
memory/1216-25-0x0000000007150000-0x0000000007162000-memory.dmp
memory/1216-53-0x0000000000400000-0x0000000002BB5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu772365.exe
| MD5 | 91bbf73b496bf7085e86264edcbbdeb5 |
| SHA1 | 934b2ca9f84d68572adff3c11f42c624d78acdf2 |
| SHA256 | c2542b1ed0adf34994a9aefa49cb848f916c462b911f3331383141e3bf61cd65 |
| SHA512 | 8f6549f1eb575512677d96ac5f2656d5bbbcfb6f5d7073ffe86ba06b66a9dd25c77e351146f7936b5454e043400dd7c0ebf38df6986ab0f1e8f61dae74eef163 |
memory/1216-55-0x0000000000400000-0x0000000002BB5000-memory.dmp
memory/1208-60-0x0000000007000000-0x000000000703C000-memory.dmp
memory/1208-61-0x0000000007790000-0x00000000077CA000-memory.dmp
memory/1208-67-0x0000000007790000-0x00000000077C5000-memory.dmp
memory/1208-75-0x0000000007790000-0x00000000077C5000-memory.dmp
memory/1208-73-0x0000000007790000-0x00000000077C5000-memory.dmp
memory/1208-71-0x0000000007790000-0x00000000077C5000-memory.dmp
memory/1208-69-0x0000000007790000-0x00000000077C5000-memory.dmp
memory/1208-81-0x0000000007790000-0x00000000077C5000-memory.dmp
memory/1208-65-0x0000000007790000-0x00000000077C5000-memory.dmp
memory/1208-63-0x0000000007790000-0x00000000077C5000-memory.dmp
memory/1208-62-0x0000000007790000-0x00000000077C5000-memory.dmp
memory/1208-95-0x0000000007790000-0x00000000077C5000-memory.dmp
memory/1208-93-0x0000000007790000-0x00000000077C5000-memory.dmp
memory/1208-91-0x0000000007790000-0x00000000077C5000-memory.dmp
memory/1208-89-0x0000000007790000-0x00000000077C5000-memory.dmp
memory/1208-87-0x0000000007790000-0x00000000077C5000-memory.dmp
memory/1208-85-0x0000000007790000-0x00000000077C5000-memory.dmp
memory/1208-83-0x0000000007790000-0x00000000077C5000-memory.dmp
memory/1208-79-0x0000000007790000-0x00000000077C5000-memory.dmp
memory/1208-77-0x0000000007790000-0x00000000077C5000-memory.dmp
memory/1208-854-0x0000000009C90000-0x000000000A2A8000-memory.dmp
memory/1208-855-0x000000000A340000-0x000000000A352000-memory.dmp
memory/1208-856-0x000000000A360000-0x000000000A46A000-memory.dmp
memory/1208-857-0x000000000A490000-0x000000000A4CC000-memory.dmp
memory/1208-858-0x0000000006AF0000-0x0000000006B3C000-memory.dmp
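The Network section records nine PTR lookups to 8.8.8.8 and seven TCP connections to 185.161.248.153:38452. Two points for anyone turning this into hunting data: in-addr.arpa names carry the octets reversed (13.86.106.20.in-addr.arpa asks about 20.106.86.13), and the report does not attribute DNS queries to a process, so the reverse lookups, which decode to addresses that look like Microsoft and CDN ranges, should be treated as unattributed background rather than as indicators; the repeated TCP connections to one RU address and port are the only traffic worth an IOC. The following added example, not from the report, parses the report's Network table as extracted from the page (the parser tolerates rows whose empty Domain cell was dropped), derives the C2 candidate from repeated non-DNS connections, matches it against a constructed Zeek-style conn log, and carries the SHA256 values of the four dropped files from the Files section as file IOCs.

```python
"""Turn this report's Network and Files sections into hunting IOCs.

Added example, not from the report. NETWORK_TABLE is the report's Network
table as extracted; FLOW_LOG is a constructed Zeek-style conn log.
"""
from collections import Counter

NETWORK_TABLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.161.248.153:38452 | tcp | |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| RU | 185.161.248.153:38452 | tcp | |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| RU | 185.161.248.153:38452 | tcp | |
| RU | 185.161.248.153:38452 | tcp | |
| RU | 185.161.248.153:38452 | tcp | |
| RU | 185.161.248.153:38452 | tcp | |
| RU | 185.161.248.153:38452 | tcp |
"""

# SHA256 of the dropped executables, from the Files section.
DROPPED_SHA256 = {
    "un142277.exe": "5aa2f76898818c41e2db06456ecdd98322ece486a09c561fd1b8359b8823bba6",
    "un682737.exe": "b37c1d3dff5b305a0a43273f45b1e2ff37512c8297cbbc84b338276c38ec23e2",
    "pr696125.exe": "14a279e5b91a0c811af64e46e81a3567a47ad71ef2f925bc9f70abd70941d2bd",
    "qu772365.exe": "c2542b1ed0adf34994a9aefa49cb848f916c462b911f3331383141e3bf61cd65",
}

PROTOS = {"tcp", "udp"}


def parse_network_table(text):
    """Parse the pipe table; rows missing the empty Domain cell still parse."""
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        cells = [c for c in cells if c]
        if len(cells) < 3 or cells[0] == "Country":
            continue
        ip, _, port = cells[1].rpartition(":")
        proto = next((c for c in cells[2:] if c.lower() in PROTOS), "")
        domain = next((c for c in cells[2:] if c.lower() not in PROTOS), "")
        rows.append({"country": cells[0], "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def ptr_to_ip(name):
    """'13.86.106.20.in-addr.arpa' names 20.106.86.13: the octets are reversed."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    return ".".join(reversed(name[: -len(suffix)].split(".")))


def c2_candidates(rows, resolver="8.8.8.8"):
    """Count repeated non-DNS connections; the sandbox's resolver traffic is dropped."""
    counts = Counter()
    for r in rows:
        if r["port"] == 53 or r["ip"] == resolver:
            continue
        counts[(r["ip"], r["port"], r["proto"])] += 1
    return counts


# Constructed Zeek conn.log excerpt (tab-separated, header first).
FLOW_LOG = """ts\tid.orig_h\tid.resp_h\tid.resp_p\tproto
1731203100.1\t10.0.0.5\t185.161.248.153\t38452\ttcp
1731203160.2\t10.0.0.5\t20.106.86.13\t443\ttcp
1731203161.0\t10.0.0.7\t185.161.248.153\t38452\ttcp
1731203170.4\t10.0.0.9\t185.161.248.153\t443\ttcp
"""


def match_flows(flow_text, candidates):
    """Internal hosts that talked to any (ip, port, proto) in candidates."""
    lines = flow_text.strip().splitlines()
    header = lines[0].split("\t")
    hits = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split("\t")))
        if (rec["id.resp_h"], int(rec["id.resp_p"]), rec["proto"]) in candidates:
            hits.append(rec["id.orig_h"])
    return hits


def hash_hits(observed_sha256):
    """Which of the report's dropped files appear among observed hashes."""
    observed = {h.lower() for h in observed_sha256}
    return sorted(n for n, h in DROPPED_SHA256.items() if h in observed)


if __name__ == "__main__":
    cands = c2_candidates(parse_network_table(NETWORK_TABLE))
    print(dict(cands))
    print(match_flows(FLOW_LOG, cands))
```

The flow match keys on address, port and protocol, so the constructed 443 connection to the same address is not reported; when hunting against real logs, widen the key to the address alone as well, since the port seen in one detonation need not be the only one the infrastructure listens on.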