Analysis Overview
SHA256
73c08502703c77d8f1b8cebd0f77b6b2f4699114001a6e5b30bf94a62b46c8cc
Threat Level: Known bad
The file 73c08502703c77d8f1b8cebd0f77b6b2f4699114001a6e5b30bf94a62b46c8cc was found to be: Known bad.
Malicious Activity Summary
RedLine payload
Healer
Redline family
RedLine
Modifies Windows Defender Real-time Protection settings
Detects Healer an antivirus disabler dropper
Healer family
Windows security modification
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:57
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:57
Reported
2024-11-10 02:00
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Signatures
Detects Healer an antivirus disabler dropper
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw41qz30FQ75.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw41qz30FQ75.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw41qz30FQ75.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw41qz30FQ75.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw41qz30FQ75.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw41qz30FQ75.exe | N/A |
RedLine
RedLine payload
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vzn5108vN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw41qz30FQ75.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tRM37KT27.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw41qz30FQ75.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\73c08502703c77d8f1b8cebd0f77b6b2f4699114001a6e5b30bf94a62b46c8cc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vzn5108vN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\73c08502703c77d8f1b8cebd0f77b6b2f4699114001a6e5b30bf94a62b46c8cc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vzn5108vN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tRM37KT27.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw41qz30FQ75.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw41qz30FQ75.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw41qz30FQ75.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tRM37KT27.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\73c08502703c77d8f1b8cebd0f77b6b2f4699114001a6e5b30bf94a62b46c8cc.exe | "C:\Users\Admin\AppData\Local\Temp\73c08502703c77d8f1b8cebd0f77b6b2f4699114001a6e5b30bf94a62b46c8cc.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vzn5108vN.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vzn5108vN.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw41qz30FQ75.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw41qz30FQ75.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tRM37KT27.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tRM37KT27.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | | tcp |
| RU | 193.233.20.24:4123 | | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | | tcp |
| RU | 193.233.20.24:4123 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | | tcp |
| RU | 193.233.20.24:4123 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vzn5108vN.exe
| MD5 | 6f1176c5e1d945e7624a6568377e98fa |
| SHA1 | 665fd53298efe4f4ac750254c17e53440f56cbb9 |
| SHA256 | e1f2a9336395ae706cd8db604b38aa069f62fe6f08d2ab6a7439f00f445902ee |
| SHA512 | 8802ec6a56bef5e6089768b7413a1ae40ea3df3b6e19464e840128d74151ef73f3e8df630e9991a06d4e307d0e66543fa3edd4c865afb9182e59661c2a3178ad |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw41qz30FQ75.exe
| MD5 | 8a8fc8960fa86c89634f07b1f4350809 |
| SHA1 | 938652caf06e0b4aa9867279dfa133ab647d23ed |
| SHA256 | 0de60bf1fdef3af1bebbfd8c355a1252136e7b68da1c66364948195dfc20a5df |
| SHA512 | f593348a4233bb3b17bfe2730867b2ccf73bec022f5417c6a383aacf729f9c2efbaf6196f1bfde79a03218c613fec417ef7d74dad05bd80a417676f6d5c9ce8d |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tRM37KT27.exe
| MD5 | 8543cf3384382f56703a6ee451ac68f3 |
| SHA1 | 353211899c2c986e0d038a11f566e02e3113e113 |
| SHA256 | 2f1d315d7594bdb561cc82a3e1893703535688dff362e547d1e0ce98362c0acf |
| SHA512 | 609055d116696778d46331609f81697e5b01e34bc70e3ddbd9a27a23f5024ed37902c38ee329e05c29e06422e9352ebb266e9f260cafad9e20f2b262248f4186 |