Analysis Overview
SHA256
306e1f227d460e2811161a9db8d2eb52a2368b2f98870fa146a9c299cc0a075c
Threat Level: Known bad
The file 306e1f227d460e2811161a9db8d2eb52a2368b2f98870fa146a9c299cc0a075c was found to be: Known bad.
Malicious Activity Summary
Redline family
Detects Healer an antivirus disabler dropper
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
RedLine payload
RedLine
Executes dropped EXE
Windows security modification
Adds Run key to start application
Unsigned PE
Program crash
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:24
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:24
Reported
2024-11-10 01:26
Platform
win10v2004-20241007-en
Max time kernel
143s
Max time network
157s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\70066856.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\70066856.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\70066856.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\70066856.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\70066856.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\70066856.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un839051.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\70066856.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk425345.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\70066856.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\70066856.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\306e1f227d460e2811161a9db8d2eb52a2368b2f98870fa146a9c299cc0a075c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un839051.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\70066856.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\306e1f227d460e2811161a9db8d2eb52a2368b2f98870fa146a9c299cc0a075c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un839051.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\70066856.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk425345.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\70066856.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\70066856.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\70066856.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk425345.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\306e1f227d460e2811161a9db8d2eb52a2368b2f98870fa146a9c299cc0a075c.exe
"C:\Users\Admin\AppData\Local\Temp\306e1f227d460e2811161a9db8d2eb52a2368b2f98870fa146a9c299cc0a075c.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un839051.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un839051.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\70066856.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\70066856.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4664 -ip 4664
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 1080
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk425345.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk425345.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | | tcp |
| RU | 185.161.248.143:38452 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | | tcp |
| RU | 185.161.248.143:38452 | | tcp |
| RU | 185.161.248.143:38452 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un839051.exe
| Hash | Value |
| --- | --- |
| MD5 | a816665649e8b31563038aab9464c6da |
| SHA1 | a113ecef58936c2088e5b106cba26d267592bf23 |
| SHA256 | 0b98a3d0a64632829d59796035197460f674dc1ded9cf8c536b597ea90556dbb |
| SHA512 | 011f42de856849dfb0b856743d557f63005ce8daa27717b55e1a2488b8e9193a5ecd6b7fdbe2e201d7871c3417fca120946ff7805bdf865e4650293ffbde52fe |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\70066856.exe
| Hash | Value |
| --- | --- |
| MD5 | 8ec563df95566e56d6784a8e9bdb04d8 |
| SHA1 | 547d38be6d52cd23baa1e86231f9ded7186dc1af |
| SHA256 | 6a2585cdd649bb863a04f967a955974677abd545e7dfc8a1bfedfa8759fb490a |
| SHA512 | b8b9b4b9be6df8f462d1641295a9d6d679128713f9388233570aea31ae6a18402aa2ed8043c68e0b112ded39162f24469a1a903271c7f34cc81d71ae8ea7e9c9 |
memory/4664-15-0x0000000002EE0000-0x0000000002FE0000-memory.dmp
memory/4664-16-0x0000000002CE0000-0x0000000002D0D000-memory.dmp
memory/4664-17-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4664-18-0x0000000004880000-0x000000000489A000-memory.dmp
memory/4664-19-0x0000000007210000-0x00000000077B4000-memory.dmp
memory/4664-20-0x0000000004C30000-0x0000000004C48000-memory.dmp
memory/4664-46-0x0000000004C30000-0x0000000004C43000-memory.dmp
memory/4664-48-0x0000000004C30000-0x0000000004C43000-memory.dmp
memory/4664-44-0x0000000004C30000-0x0000000004C43000-memory.dmp
memory/4664-42-0x0000000004C30000-0x0000000004C43000-memory.dmp
memory/4664-41-0x0000000004C30000-0x0000000004C43000-memory.dmp
memory/4664-38-0x0000000004C30000-0x0000000004C43000-memory.dmp
memory/4664-37-0x0000000004C30000-0x0000000004C43000-memory.dmp
memory/4664-34-0x0000000004C30000-0x0000000004C43000-memory.dmp
memory/4664-26-0x0000000004C30000-0x0000000004C43000-memory.dmp
memory/4664-32-0x0000000004C30000-0x0000000004C43000-memory.dmp
memory/4664-30-0x0000000004C30000-0x0000000004C43000-memory.dmp
memory/4664-28-0x0000000004C30000-0x0000000004C43000-memory.dmp
memory/4664-24-0x0000000004C30000-0x0000000004C43000-memory.dmp
memory/4664-22-0x0000000004C30000-0x0000000004C43000-memory.dmp
memory/4664-21-0x0000000004C30000-0x0000000004C43000-memory.dmp
memory/4664-49-0x0000000002EE0000-0x0000000002FE0000-memory.dmp
memory/4664-50-0x0000000002CE0000-0x0000000002D0D000-memory.dmp
memory/4664-52-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4664-51-0x0000000000400000-0x0000000002B9D000-memory.dmp
memory/4664-55-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk425345.exe
| Hash | Value |
| --- | --- |
| MD5 | a2bc961c8491d30c1e308fd1fc4cc7d7 |
| SHA1 | e6e365d715882b08ae649031b861b9519b25b4ca |
| SHA256 | 16116788d2c4eb69910c5f3ec7cbe2fdbb933ddbbef7699f408d56c7db5688af |
| SHA512 | 5093abe741ec3f4eac8534014770526c403f812450d446a6a9cd86343ab138362c63dfc49be0bbe7cc553726a5a69de20d12ae54179168e0876061675b53b860 |
memory/4664-54-0x0000000000400000-0x0000000002B9D000-memory.dmp
memory/3436-60-0x0000000004A40000-0x0000000004A7C000-memory.dmp
memory/3436-61-0x0000000007760000-0x000000000779A000-memory.dmp
memory/3436-73-0x0000000007760000-0x0000000007795000-memory.dmp
memory/3436-77-0x0000000007760000-0x0000000007795000-memory.dmp
memory/3436-95-0x0000000007760000-0x0000000007795000-memory.dmp
memory/3436-93-0x0000000007760000-0x0000000007795000-memory.dmp
memory/3436-91-0x0000000007760000-0x0000000007795000-memory.dmp
memory/3436-87-0x0000000007760000-0x0000000007795000-memory.dmp
memory/3436-85-0x0000000007760000-0x0000000007795000-memory.dmp
memory/3436-83-0x0000000007760000-0x0000000007795000-memory.dmp
memory/3436-81-0x0000000007760000-0x0000000007795000-memory.dmp
memory/3436-79-0x0000000007760000-0x0000000007795000-memory.dmp
memory/3436-75-0x0000000007760000-0x0000000007795000-memory.dmp
memory/3436-71-0x0000000007760000-0x0000000007795000-memory.dmp
memory/3436-69-0x0000000007760000-0x0000000007795000-memory.dmp
memory/3436-89-0x0000000007760000-0x0000000007795000-memory.dmp
memory/3436-67-0x0000000007760000-0x0000000007795000-memory.dmp
memory/3436-65-0x0000000007760000-0x0000000007795000-memory.dmp
memory/3436-63-0x0000000007760000-0x0000000007795000-memory.dmp
memory/3436-62-0x0000000007760000-0x0000000007795000-memory.dmp
memory/3436-854-0x0000000009C70000-0x000000000A288000-memory.dmp
memory/3436-855-0x000000000A330000-0x000000000A342000-memory.dmp
memory/3436-856-0x000000000A350000-0x000000000A45A000-memory.dmp
memory/3436-857-0x000000000A470000-0x000000000A4AC000-memory.dmp
memory/3436-858-0x00000000049B0000-0x00000000049FC000-memory.dmp