Analysis Overview
SHA256
de0ab0a6e57ee6175ae5fd5cbae53ff569ba4c26aa35d7a5a22efcf43bf82e05
Threat Level: Known bad
The file de0ab0a6e57ee6175ae5fd5cbae53ff569ba4c26aa35d7a5a22efcf43bf82e05 was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
Redline family
Detects Healer, an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
Healer family
Healer
Windows security modification
Executes dropped EXE
Adds Run key to start application
Launches sc.exe
Unsigned PE
System Location Discovery: System Language Discovery
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 06:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 06:48
Reported
2024-11-11 06:50
Platform
win10v2004-20241007-en
Max time kernel
143s
Max time network
147s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A (17 matches, no indicator details recorded) | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r2082aY.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r2082aY.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r2082aY.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r2082aY.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r2082aY.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r2082aY.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A (20 matches, no indicator details recorded) | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r2082aY.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w13Xx67.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r2082aY.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r2082aY.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\de0ab0a6e57ee6175ae5fd5cbae53ff569ba4c26aa35d7a5a22efcf43bf82e05.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r2082aY.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r2082aY.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w13Xx67.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\de0ab0a6e57ee6175ae5fd5cbae53ff569ba4c26aa35d7a5a22efcf43bf82e05.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r2082aY.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r2082aY.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r2082aY.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w13Xx67.exe | N/A |
Suspicious use of WriteProcessMemory
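Added example, not the sandbox's own signature logic and not code from the Healer or RedLine authors: Python detection logic that classifies the registry writes recorded in the signatures above into ATT&CK techniques. The sample events are constructed from the indicator tables on this page. Three caveats for anyone triaging this report: the paths are logged under WOW6432Node because the writing process is 32-bit (WerFault.exe runs from SysWOW64 against PID 4348), so a host audit should check both the native and the WOW6432Node view of these keys; the RunOnce entry wextract_cleanup0 (rundll32 advpack.dll,DelNodeRunDLL32 on the IXP000.TMP directory) is the cleanup hook the Windows wextract/IExpress self-extractor stub writes so the extraction folder is deleted at the next logon, not persistence for the payload; and whether the Defender policy writes take effect on a given host depends on that host's Tamper Protection state, since the report records the writes and not their effect. The T1562.001/T1547.001 mapping and the local `installer-cleanup` label are my choices.

```python
"""Classify sandbox registry-write events into ATT&CK techniques.

Added example for this report; not the sandbox's own signature logic.
SAMPLE_EVENTS is constructed from the report's indicator tables.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Enterprise ATT&CK technique IDs used for classification.
T_IMPAIR_DEFENSES = "T1562.001"  # Impair Defenses: Disable or Modify Tools
T_RUN_KEYS = "T1547.001"         # Boot or Logon Autostart Execution: Registry Run Keys
INSTALLER_CLEANUP = "installer-cleanup"  # local label (my choice), not an ATT&CK ID

# Defender real-time protection policy values; a value of 1 turns the feature off.
RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring", "DisableBehaviorMonitoring",
    "DisableIOAVProtection", "DisableOnAccessProtection",
    "DisableScanOnRealtimeEnable",
}
# RunOnce command the wextract/IExpress self-extractor writes to delete its temp dir.
WEXTRACT_CLEANUP = re.compile(r"advpack\.dll,DelNodeRunDLL32", re.IGNORECASE)
RUN_KEY = re.compile(r"\\currentversion\\run(once)?$")


@dataclass(frozen=True)
class Finding:
    technique: str
    detail: str
    wow64_view: bool  # write landed under WOW6432Node, i.e. a 32-bit process's view


def normalize(path: str):
    """Rewrite the native \\REGISTRY\\MACHINE prefix as HKLM and strip WOW6432Node.

    Returns (normalized_path, seen_under_wow6432node).
    """
    p = path.replace("\\REGISTRY\\MACHINE\\", "HKLM\\", 1)
    wow64 = "\\WOW6432Node\\" in p
    return p.replace("\\WOW6432Node\\", "\\"), wow64


def classify(path: str, value=None) -> Optional[Finding]:
    """Classify one 'Set value' event; 'Key created' events carry no value and return None."""
    key, wow64 = normalize(path)
    parent, _, name = key.rpartition("\\")
    parent_l = parent.lower()
    if parent_l.endswith("\\policies\\microsoft\\windows defender\\real-time protection"):
        if name in RTP_DISABLE_VALUES and str(value) == "1":
            return Finding(T_IMPAIR_DEFENSES, f"Defender RTP policy {name}=1", wow64)
    elif parent_l.endswith("\\microsoft\\windows defender\\features"):
        if name == "TamperProtection" and str(value) == "0":
            return Finding(T_IMPAIR_DEFENSES, "Defender Features\\TamperProtection=0", wow64)
    elif RUN_KEY.search(parent_l):
        # The wextract cleanup entry deletes the IXP000.TMP folder; it is not payload persistence.
        if isinstance(value, str) and WEXTRACT_CLEANUP.search(value):
            return Finding(INSTALLER_CLEANUP, f"wextract temp-dir cleanup via {name}", wow64)
        return Finding(T_RUN_KEYS, f"autostart entry {name}", wow64)
    return None


# Constructed from the report's tables: (event kind, key path, value).
RTP = "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection"
SAMPLE_EVENTS = [
    ("Key created", RTP, None),
    ("Set value (int)", RTP + "\\DisableRealtimeMonitoring", "1"),
    ("Set value (int)", RTP + "\\DisableScanOnRealtimeEnable", "1"),
    ("Set value (int)", RTP + "\\DisableBehaviorMonitoring", "1"),
    ("Set value (int)", RTP + "\\DisableIOAVProtection", "1"),
    ("Set value (int)", RTP + "\\DisableOnAccessProtection", "1"),
    ("Set value (int)",
     "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows Defender\\Features\\TamperProtection", "0"),
    ("Set value (str)",
     "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\wextract_cleanup0",
     'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\"'),
]


def triage(events):
    """Return findings for the events that match, preserving event order."""
    findings = []
    for _kind, path, value in events:
        f = classify(path, value)
        if f is not None:
            findings.append(f)
    return findings


def technique_counts(findings):
    """Count findings per technique label."""
    return dict(Counter(f.technique for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f.technique, f.detail, "(WOW6432Node view)" if f.wow64_view else "")
```

Run against the report's events this yields six T1562.001 findings (the five real-time protection policy values plus the TamperProtection feature flag) and one installer-cleanup entry; a plain Run value pointing at an executable would instead be reported as T1547.001.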
Processes
C:\Users\Admin\AppData\Local\Temp\de0ab0a6e57ee6175ae5fd5cbae53ff569ba4c26aa35d7a5a22efcf43bf82e05.exe
"C:\Users\Admin\AppData\Local\Temp\de0ab0a6e57ee6175ae5fd5cbae53ff569ba4c26aa35d7a5a22efcf43bf82e05.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r2082aY.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r2082aY.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4348 -ip 4348
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 1092
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w13Xx67.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w13Xx67.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 193.233.20.28:4125 | | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| RU | 193.233.20.28:4125 | | tcp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.209.201.84.in-addr.arpa | udp |
| RU | 193.233.20.28:4125 | | tcp |
| RU | 193.233.20.28:4125 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| RU | 193.233.20.28:4125 | | tcp |
| RU | 193.233.20.28:4125 | | tcp |
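Added example, not part of the report: a parser for the network table that separates the reverse-DNS (PTR) lookups the guest sent to 8.8.8.8 from the direct TCP connections, converting each in-addr.arpa name back to the address it describes. The only direct connection is one endpoint contacted six times, 193.233.20.28:4125, which is the candidate C2 for this sample (an inference from the repeated connections, not a statement the page makes); the PTR queries describe other hosts the guest looked up, which the page does not resolve and which this script does not attribute. The table text embedded below is the Network table from this page, with the protocol placed in the Proto column.

```python
"""Separate PTR lookups from direct connections in a sandbox network table.

Added example for this report, not the sandbox's own code. NETWORK_ROWS is
the report's Network table, embedded here so the script runs offline.
"""
import ipaddress
from collections import Counter

NETWORK_ROWS = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 193.233.20.28:4125 | | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| RU | 193.233.20.28:4125 | | tcp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.209.201.84.in-addr.arpa | udp |
| RU | 193.233.20.28:4125 | | tcp |
| RU | 193.233.20.28:4125 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| RU | 193.233.20.28:4125 | | tcp |
| RU | 193.233.20.28:4125 | | tcp |
"""


def parse_rows(text):
    """Parse pipe-delimited rows into dicts; the header and malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, destination, domain, proto = cells
        host, _, port = destination.rpartition(":")
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def ptr_to_ip(name):
    """Turn a reverse-lookup name such as 209.205.72.20.in-addr.arpa into 20.72.205.209.

    Returns None for names that are not well-formed IPv4 PTR names.
    """
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    labels = name[:-len(suffix)].split(".")
    if len(labels) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    except ValueError:
        return None


def summarize(rows):
    """Split rows into direct endpoints (with hit counts) and the hosts named in PTR queries."""
    endpoints = Counter()
    ptr_targets = []  # insertion-ordered, de-duplicated
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            ip = ptr_to_ip(r["domain"])
            if ip and ip not in ptr_targets:
                ptr_targets.append(ip)
        else:
            endpoints[(r["host"], r["port"], r["proto"])] += 1
    return {"endpoints": dict(endpoints), "ptr_targets": ptr_targets}


if __name__ == "__main__":
    result = summarize(parse_rows(NETWORK_ROWS))
    for (host, port, proto), hits in result["endpoints"].items():
        print(f"direct {proto} {host}:{port} x{hits}")
    print("hosts named in PTR queries:", ", ".join(result["ptr_targets"]))
```

The split on UDP/53 is deliberate: the sandbox recorded no A-record queries, only PTR lookups, so the addresses the guest cared about are recoverable only by reversing the in-addr.arpa labels.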
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r2082aY.exe
| MD5 | 8141937b23cd1895e561d8e90fdeeff3 |
| SHA1 | 6f810e9e480564f5837461f8ccdd07c951a1bece |
| SHA256 | ddda10348c77cf0a1539c3a42ce4f71e2c1895ab9b77348256e0a1f01c0936b6 |
| SHA512 | 40957cd33c4be1dab98ac0c40424c868aa3be6f6265fa28df050e5a4844ac6324acb93770bc6cb7cafedabc93fab9b9179a6e6525f6b3dd6fa9e31b4d5da5bec |
memory/4348-8-0x00000000007E0000-0x00000000008E0000-memory.dmp
memory/4348-10-0x0000000000400000-0x00000000004D4000-memory.dmp
memory/4348-9-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4348-11-0x0000000000400000-0x00000000004D4000-memory.dmp
memory/4348-12-0x0000000002180000-0x000000000219A000-memory.dmp
memory/4348-13-0x0000000004CE0000-0x0000000005284000-memory.dmp
memory/4348-14-0x0000000002200000-0x0000000002218000-memory.dmp
memory/4348-15-0x0000000002200000-0x0000000002212000-memory.dmp
memory/4348-42-0x0000000002200000-0x0000000002212000-memory.dmp
memory/4348-40-0x0000000002200000-0x0000000002212000-memory.dmp
memory/4348-38-0x0000000002200000-0x0000000002212000-memory.dmp
memory/4348-36-0x0000000002200000-0x0000000002212000-memory.dmp
memory/4348-34-0x0000000002200000-0x0000000002212000-memory.dmp
memory/4348-32-0x0000000002200000-0x0000000002212000-memory.dmp
memory/4348-30-0x0000000002200000-0x0000000002212000-memory.dmp
memory/4348-28-0x0000000002200000-0x0000000002212000-memory.dmp
memory/4348-26-0x0000000002200000-0x0000000002212000-memory.dmp
memory/4348-24-0x0000000002200000-0x0000000002212000-memory.dmp
memory/4348-22-0x0000000002200000-0x0000000002212000-memory.dmp
memory/4348-20-0x0000000002200000-0x0000000002212000-memory.dmp
memory/4348-18-0x0000000002200000-0x0000000002212000-memory.dmp
memory/4348-16-0x0000000002200000-0x0000000002212000-memory.dmp
memory/4348-43-0x00000000007E0000-0x00000000008E0000-memory.dmp
memory/4348-44-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4348-47-0x0000000000400000-0x00000000004D4000-memory.dmp
memory/4348-48-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w13Xx67.exe
| MD5 | 13693461251149817425e66f1206913a |
| SHA1 | 998dbccbd83323f62a3b2b578a9605c0d933630f |
| SHA256 | 8e9c17eef3b9aea25037691c41032485a6bc4b768861ac8da022ae30c76a494a |
| SHA512 | 674b8043f203e5ec1e149775fc5ce7caf78e7a614be365e4dd719093a29ce4c37b7b3683262ce3e15f9df4f3854b63fec0176183766d9baa495b1fe7e4555b62 |
memory/3852-53-0x0000000000400000-0x000000000046D000-memory.dmp
memory/3852-54-0x0000000000400000-0x000000000046D000-memory.dmp
memory/3852-56-0x00000000049A0000-0x00000000049E6000-memory.dmp
memory/3852-55-0x0000000000400000-0x000000000046D000-memory.dmp
memory/3852-57-0x0000000005030000-0x0000000005074000-memory.dmp
memory/3852-58-0x0000000005030000-0x000000000506E000-memory.dmp
memory/3852-85-0x0000000005030000-0x000000000506E000-memory.dmp
memory/3852-83-0x0000000005030000-0x000000000506E000-memory.dmp
memory/3852-81-0x0000000005030000-0x000000000506E000-memory.dmp
memory/3852-79-0x0000000005030000-0x000000000506E000-memory.dmp
memory/3852-77-0x0000000005030000-0x000000000506E000-memory.dmp
memory/3852-75-0x0000000005030000-0x000000000506E000-memory.dmp
memory/3852-73-0x0000000005030000-0x000000000506E000-memory.dmp
memory/3852-71-0x0000000005030000-0x000000000506E000-memory.dmp
memory/3852-69-0x0000000005030000-0x000000000506E000-memory.dmp
memory/3852-67-0x0000000005030000-0x000000000506E000-memory.dmp
memory/3852-65-0x0000000005030000-0x000000000506E000-memory.dmp
memory/3852-63-0x0000000005030000-0x000000000506E000-memory.dmp
memory/3852-61-0x0000000005030000-0x000000000506E000-memory.dmp
memory/3852-59-0x0000000005030000-0x000000000506E000-memory.dmp
memory/3852-91-0x0000000005030000-0x000000000506E000-memory.dmp
memory/3852-89-0x0000000005030000-0x000000000506E000-memory.dmp
memory/3852-87-0x0000000005030000-0x000000000506E000-memory.dmp
memory/3852-964-0x00000000050A0000-0x00000000056B8000-memory.dmp
memory/3852-965-0x0000000005740000-0x000000000584A000-memory.dmp
memory/3852-966-0x0000000005880000-0x0000000005892000-memory.dmp
memory/3852-967-0x00000000058A0000-0x00000000058DC000-memory.dmp
memory/3852-968-0x00000000059F0000-0x0000000005A3C000-memory.dmp