Analysis Overview
SHA256
66a8f069d915989d1a6d9c34ac617e97928567dee2f52d2725d9d4d3c385a1ce
Threat Level: Known bad
The file 66a8f069d915989d1a6d9c34ac617e97928567dee2f52d2725d9d4d3c385a1ce was found to be: Known bad.
Malicious Activity Summary
Redline family
RedLine
RedLine payload
Healer
Healer family
Detects Healer, an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
Executes dropped EXE
Windows security modification
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:36
Reported
2024-11-10 01:38
Platform
win10v2004-20241007-en
Max time kernel
144s
Max time network
148s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf82Dn34Ui28.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf82Dn34Ui28.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf82Dn34Ui28.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf82Dn34Ui28.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf82Dn34Ui28.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf82Dn34Ui28.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhxR2885tf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf82Dn34Ui28.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf73yu14Hs68.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf82Dn34Ui28.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\66a8f069d915989d1a6d9c34ac617e97928567dee2f52d2725d9d4d3c385a1ce.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhxR2885tf.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhxR2885tf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf73yu14Hs68.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\66a8f069d915989d1a6d9c34ac617e97928567dee2f52d2725d9d4d3c385a1ce.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf82Dn34Ui28.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf82Dn34Ui28.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf73yu14Hs68.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\66a8f069d915989d1a6d9c34ac617e97928567dee2f52d2725d9d4d3c385a1ce.exe
"C:\Users\Admin\AppData\Local\Temp\66a8f069d915989d1a6d9c34ac617e97928567dee2f52d2725d9d4d3c385a1ce.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhxR2885tf.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf82Dn34Ui28.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf73yu14Hs68.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 193.233.20.27:4123 | | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhxR2885tf.exe
| MD5 | 57e03981222c9768f83c577d04fda2f4 |
| SHA1 | 5b5d48ffc94d1ad9adf2a58dee1d973df86aee08 |
| SHA256 | 8e793a1eba35e111a02fd5786faee133a26217540010efebbba52eea9eed1879 |
| SHA512 | 7857feb6b030488bd6a58c5e34e1cfc7d405f82665eb09652fbe14f2285a4823b24bcfe59a58c0c578c1f567257cc90c53f0f2ada271559541a0856d10d307d2 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf82Dn34Ui28.exe
| MD5 | 04e0291e7375ab4d75e1f27ebb29c325 |
| SHA1 | d9a645fb94b5a43a835ddd88b3f741a311e383f8 |
| SHA256 | b6df3fd706c1066082087ca0c9fb699f83042b1714a31d1e4121e3768ed6d6ab |
| SHA512 | f3a3c67b529a4b1ffb7191ff6012b6b67181463a8317610f2c32fa4fd176c2d52111e04acf93986896b4ef440085385b14b023a1f442b04f16d3e3fdfc25503e |
memory/4212-14-0x00007FFB677E3000-0x00007FFB677E5000-memory.dmp
memory/4212-15-0x00000000006B0000-0x00000000006BA000-memory.dmp
memory/4212-16-0x00007FFB677E3000-0x00007FFB677E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf73yu14Hs68.exe
| MD5 | d918db9077504212d04e97bc5857b710 |
| SHA1 | cbac3bfca65f8dfe4efd408bcf480f3d603f1d06 |
| SHA256 | ab46765a44c015f420a104a2ffee2d036dc0cb4ce25e72be2540eed2cd521bb3 |
| SHA512 | f00800d9c2616090029632b5fea54abacc92e9c323feda1ea3c50a2ffdacd0f047d4da66b185b75d4570bee869c9684a3746b1daf58cc66278cbb09a0946f187 |