Analysis Overview
SHA256
3fb3b09dc1e302e6144743b63c8635a60965c1885b7515a69ba5a912b0a95758
Threat Level: Known bad
The file 3fb3b09dc1e302e6144743b63c8635a60965c1885b7515a69ba5a912b0a95758 was found to be: Known bad.
Malicious Activity Summary
RedLine
Healer
Healer family
Redline family
Detects Healer an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
RedLine payload
Windows security modification
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 02:03
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 02:03
Reported
2024-11-10 02:05
Platform
win10v2004-20241007-en
Max time kernel
142s
Max time network
148s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr638351.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr638351.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr638351.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr638351.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr638351.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr638351.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un415414.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un908948.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr638351.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu372321.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr638351.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr638351.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\3fb3b09dc1e302e6144743b63c8635a60965c1885b7515a69ba5a912b0a95758.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un415414.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un908948.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr638351.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un415414.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un908948.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr638351.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu372321.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3fb3b09dc1e302e6144743b63c8635a60965c1885b7515a69ba5a912b0a95758.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr638351.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr638351.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr638351.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu372321.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3fb3b09dc1e302e6144743b63c8635a60965c1885b7515a69ba5a912b0a95758.exe
"C:\Users\Admin\AppData\Local\Temp\3fb3b09dc1e302e6144743b63c8635a60965c1885b7515a69ba5a912b0a95758.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un415414.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un415414.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un908948.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un908948.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr638351.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr638351.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 4864 -ip 4864
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 1036
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu372321.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu372321.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.161.248.152:38452 | | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| RU | 185.161.248.152:38452 | | tcp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| RU | 185.161.248.152:38452 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| RU | 185.161.248.152:38452 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| RU | 185.161.248.152:38452 | | tcp |
| RU | 185.161.248.152:38452 | | tcp |
| RU | 185.161.248.152:38452 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un415414.exe
| MD5 | 1893b9b451bb8e0d8d317f90d85f5493 |
| SHA1 | 84cde6c0aa16d83f394430d533d5030afe88575a |
| SHA256 | 650a7db8a7ddecb3898e026525f9ebe76e7ab4a9ce5487ee6632a89319a4ef60 |
| SHA512 | 93dfd6439f99388cc41cadd83ba44cdb3df623b74030812cdfb255a727dd53cd2040c7c93909f73e0c05ae4f42179e702295ba49abc9b9080caa8b9aa03af9e0 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un908948.exe
| MD5 | d11cabe54c940b5be505e55c54d1f163 |
| SHA1 | 3d61ec7b345a47083ec25189aa47df564c793038 |
| SHA256 | 7e9f35469e8e4ab4e794c016e1f36953d27de56eaec39a93a79977818ae1a368 |
| SHA512 | c733fd9442418e4c59018629062cf60b924db99299d5228d4f826efbfa9629478766562257e07b5401c2766d56a00ef37dd2b711bd533918f9a721ea230ace39 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr638351.exe
| MD5 | e83c245c8a48f18ac38182497863ebfc |
| SHA1 | 798b3fceb98199046213086eb8ce4f38fd74fe65 |
| SHA256 | 7b679cabb2a4c7c01af00c44438f4ae183e78a252ba080a6e50ba5622331dab7 |
| SHA512 | 33ebb0f93377808312a28894cf8fa92000b35446b9d33d2bf87ae34ee0c0062e78230b88d754040fbd7c009c55d0de11fa2c51ba0a3744af3e7e6df6484e7a75 |
memory/4864-22-0x0000000000890000-0x0000000000990000-memory.dmp
memory/4864-23-0x0000000002700000-0x000000000271A000-memory.dmp
memory/4864-24-0x0000000005060000-0x0000000005604000-memory.dmp
memory/4864-25-0x0000000002AB0000-0x0000000002AC8000-memory.dmp
memory/4864-33-0x0000000002AB0000-0x0000000002AC2000-memory.dmp
memory/4864-53-0x0000000002AB0000-0x0000000002AC2000-memory.dmp
memory/4864-51-0x0000000002AB0000-0x0000000002AC2000-memory.dmp
memory/4864-49-0x0000000002AB0000-0x0000000002AC2000-memory.dmp
memory/4864-47-0x0000000002AB0000-0x0000000002AC2000-memory.dmp
memory/4864-45-0x0000000002AB0000-0x0000000002AC2000-memory.dmp
memory/4864-43-0x0000000002AB0000-0x0000000002AC2000-memory.dmp
memory/4864-41-0x0000000002AB0000-0x0000000002AC2000-memory.dmp
memory/4864-39-0x0000000002AB0000-0x0000000002AC2000-memory.dmp
memory/4864-37-0x0000000002AB0000-0x0000000002AC2000-memory.dmp
memory/4864-35-0x0000000002AB0000-0x0000000002AC2000-memory.dmp
memory/4864-31-0x0000000002AB0000-0x0000000002AC2000-memory.dmp
memory/4864-29-0x0000000002AB0000-0x0000000002AC2000-memory.dmp
memory/4864-27-0x0000000002AB0000-0x0000000002AC2000-memory.dmp
memory/4864-26-0x0000000002AB0000-0x0000000002AC2000-memory.dmp
memory/4864-55-0x0000000000890000-0x0000000000990000-memory.dmp
memory/4864-54-0x0000000000400000-0x000000000080A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu372321.exe
| MD5 | 2025d9aa3e89c27c91c96a720886ffd6 |
| SHA1 | b2c9bfce6b1c13f2284eba8b8ebcc1c9e150539c |
| SHA256 | c5bdc5740c7b3ed5496d5cb5bf6a6e48db0332e27f01ae27e7dc3047bce3fc48 |
| SHA512 | dc57d1943f206f7c551956f98f784d90f3095db8ab18fb1e51954dab35a750746b6bd6a00ddd78f34379006512743c00e370d373d5a28768ae1ea47f34cf15d6 |
memory/4864-57-0x0000000000400000-0x000000000080A000-memory.dmp
memory/4784-62-0x00000000027D0000-0x000000000280C000-memory.dmp
memory/4784-63-0x00000000029D0000-0x0000000002A0A000-memory.dmp
memory/4784-75-0x00000000029D0000-0x0000000002A05000-memory.dmp
memory/4784-85-0x00000000029D0000-0x0000000002A05000-memory.dmp
memory/4784-73-0x00000000029D0000-0x0000000002A05000-memory.dmp
memory/4784-71-0x00000000029D0000-0x0000000002A05000-memory.dmp
memory/4784-69-0x00000000029D0000-0x0000000002A05000-memory.dmp
memory/4784-67-0x00000000029D0000-0x0000000002A05000-memory.dmp
memory/4784-65-0x00000000029D0000-0x0000000002A05000-memory.dmp
memory/4784-64-0x00000000029D0000-0x0000000002A05000-memory.dmp
memory/4784-97-0x00000000029D0000-0x0000000002A05000-memory.dmp
memory/4784-96-0x00000000029D0000-0x0000000002A05000-memory.dmp
memory/4784-93-0x00000000029D0000-0x0000000002A05000-memory.dmp
memory/4784-91-0x00000000029D0000-0x0000000002A05000-memory.dmp
memory/4784-89-0x00000000029D0000-0x0000000002A05000-memory.dmp
memory/4784-87-0x00000000029D0000-0x0000000002A05000-memory.dmp
memory/4784-83-0x00000000029D0000-0x0000000002A05000-memory.dmp
memory/4784-81-0x00000000029D0000-0x0000000002A05000-memory.dmp
memory/4784-80-0x00000000029D0000-0x0000000002A05000-memory.dmp
memory/4784-77-0x00000000029D0000-0x0000000002A05000-memory.dmp
memory/4784-856-0x0000000007930000-0x0000000007F48000-memory.dmp
memory/4784-857-0x0000000007FA0000-0x0000000007FB2000-memory.dmp
memory/4784-858-0x0000000007FC0000-0x00000000080CA000-memory.dmp
memory/4784-859-0x00000000080E0000-0x000000000811C000-memory.dmp
memory/4784-860-0x0000000002600000-0x000000000264C000-memory.dmp