Analysis Overview
SHA256
18d6d1dccb443cc7bde7285e9f1cdf130d8e24de7e734331fcc0071e2bcc6b42
Threat Level: Known bad
The file 18d6d1dccb443cc7bde7285e9f1cdf130d8e24de7e734331fcc0071e2bcc6b42 was found to be: Known bad.
Malicious Activity Summary
Healer family
RedLine payload
Redline family
Detects Healer, an antivirus disabler dropper
Healer
RedLine
Modifies Windows Defender Real-time Protection settings
Windows security modification
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 05:53
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 05:53
Reported
2024-11-11 05:56
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf05BY60eM07.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf05BY60eM07.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf05BY60eM07.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf05BY60eM07.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf05BY60eM07.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf05BY60eM07.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhvw3541Jg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf05BY60eM07.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf19hp48dQ24.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf05BY60eM07.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\18d6d1dccb443cc7bde7285e9f1cdf130d8e24de7e734331fcc0071e2bcc6b42.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhvw3541Jg.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf19hp48dQ24.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\18d6d1dccb443cc7bde7285e9f1cdf130d8e24de7e734331fcc0071e2bcc6b42.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhvw3541Jg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf05BY60eM07.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf05BY60eM07.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf05BY60eM07.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf19hp48dQ24.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\18d6d1dccb443cc7bde7285e9f1cdf130d8e24de7e734331fcc0071e2bcc6b42.exe
"C:\Users\Admin\AppData\Local\Temp\18d6d1dccb443cc7bde7285e9f1cdf130d8e24de7e734331fcc0071e2bcc6b42.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhvw3541Jg.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhvw3541Jg.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf05BY60eM07.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf05BY60eM07.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf19hp48dQ24.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf19hp48dQ24.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 193.233.20.27:4123 | N/A | tcp |
| RU | 193.233.20.27:4123 | N/A | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| RU | 193.233.20.27:4123 | N/A | tcp |
| RU | 193.233.20.27:4123 | N/A | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| RU | 193.233.20.27:4123 | N/A | tcp |
| RU | 193.233.20.27:4123 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhvw3541Jg.exe
| MD5 | 7c45d2af19d7d2df103bf8f5b2d998c6 |
| SHA1 | 0d0926970d9c1f69e4680bd66ff05c54e91e490e |
| SHA256 | 510797b333d7c78b8768085664399e7def03c85ab4901a3ac9038452ad69978a |
| SHA512 | 61318989d9e8ab1ce5f365a63d696713e36629c0db398429c504aa243f1b880dc268534a27b93ae20b0bfb80c2c578799dba0aa369e719b7232b9a573bb40fdc |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf05BY60eM07.exe
| MD5 | 7e3e91c47e76d39d1538a776ddf60a97 |
| SHA1 | 13c80493883115b4caec7c829fdf61ea94abef5a |
| SHA256 | 945c12d10118478481fcabf0431ac8c6cf5ad91298f1838ef4705e0fe2bafcb5 |
| SHA512 | 548c8465c0aead82426299ccd107b35764f506c8d83afe0572c0664c180ae1cb76658019a1200eb929b22f3d606333ea0c26dfbac61c9c7037a07066394ff926 |
memory/1064-15-0x00007FF8164C3000-0x00007FF8164C5000-memory.dmp
memory/1064-14-0x00000000002F0000-0x00000000002FA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf19hp48dQ24.exe
| MD5 | 249978248eadf5f91425671a026f54a0 |
| SHA1 | 80596f205182dcbeb05b93e5cdb77a067c723cf1 |
| SHA256 | 0acc998717f3d96cb94c3160c2f07c54c5244d4d29df38db9ca0b5a71f219682 |
| SHA512 | aadc502c62ada1e529b0a11a335694cba325cb4d3ae1b85fac8d110238314b4f2bb6f4cae21bb15183a0252835bbc02a0d094c5911d0d7f1c74c4a1ba1167a14 |