Analysis Overview
SHA256
541cecd2fe318b8102042fda4b8322d3308eb9ea417db33d74eb4cc06c85c0c1
Threat Level: Known bad
The file 541cecd2fe318b8102042fda4b8322d3308eb9ea417db33d74eb4cc06c85c0c1N.exe was found to be: Known bad.
Malicious Activity Summary
RedLine
Redline family
Healer family
Detects Healer, an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
RedLine payload
Windows security modification
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-12 19:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 19:52
Reported
2024-11-12 19:54
Platform
win10v2004-20241007-en
Max time kernel
116s
Max time network
121s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a92405775.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a92405775.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a92405775.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a92405775.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a92405775.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a92405775.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a92405775.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b18432150.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a92405775.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a92405775.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\541cecd2fe318b8102042fda4b8322d3308eb9ea417db33d74eb4cc06c85c0c1N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b18432150.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\541cecd2fe318b8102042fda4b8322d3308eb9ea417db33d74eb4cc06c85c0c1N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a92405775.exe | N/A |
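The three registry tables above are easier to read with one classifier than by eye. What follows is an added example, not code from the sandbox vendor or from the report: it takes the report's own indicator rows (copied verbatim) and turns them into findings. It encodes three points the signature names alone do not state. The five Real-Time Protection values are Group Policy settings that each switch off one Defender component. The TamperProtection=0 write is recorded as an attempt only; Defender rejects that write while Tamper Protection is on, and the report does not show whether it succeeded. And the RunOnce entry flagged as "Adds Run key to start application" is the standard wextract/IExpress cleanup entry that deletes the IXP000.TMP extraction directory at next logon, which identifies the parent as an IExpress self-extractor rather than showing persistence. The severity tiers, helper names and the stripping of the WOW6432Node prefix are this example's own choices.

```python
"""Classify the registry indicators from the behavioral1 signature tables.

Added example, not code from the sandbox vendor or the report. The sample rows
are copied from the report's indicator tables; the severity labels and the
descriptions of each Defender policy value are this example's own.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Values under ...\Policies\Microsoft\Windows Defender\Real-Time Protection that
# switch off one real-time component when set to 1 (the five the report shows).
DEFENDER_RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring": "real-time scanning",
    "DisableBehaviorMonitoring": "behavior monitoring",
    "DisableIOAVProtection": "scanning of downloaded files and attachments",
    "DisableOnAccessProtection": "on-access file scanning",
    "DisableScanOnRealtimeEnable": "the process scan run when real-time protection is enabled",
}
RTP_POLICY_KEY = "\\policies\\microsoft\\windows defender\\real-time protection"
FEATURES_KEY = "\\microsoft\\windows defender\\features"
NLS_LANGUAGE_KEY = "\\control\\nls\\language"

# The report writes value indicators as  <key path>\<value name> = "<data>"
SET_VALUE_RE = re.compile(r'^(?P<path>.+?)\\(?P<name>[^\\]+) = "(?P<value>.*)"$')


def _norm(path: str) -> str:
    # The sample is 32-bit, so the sandbox logged the WOW6432Node view of the
    # registry. Drop that prefix so one rule covers native and WOW64 paths.
    return path.replace("\\WOW6432Node", "").lower()


@dataclass(frozen=True)
class Finding:
    process: str
    severity: str  # "high", "medium" or "info"
    summary: str


def classify_indicator(description: str, indicator: str, process: str) -> Optional[Finding]:
    m = SET_VALUE_RE.match(indicator) if description.startswith("Set value") else None
    path = _norm(m["path"] if m else indicator)
    name = m["name"] if m else ""
    value = m["value"] if m else ""

    if path.endswith(RTP_POLICY_KEY):
        if m and name in DEFENDER_RTP_DISABLE_VALUES and value == "1":
            return Finding(process, "high",
                           f"Defender policy turns off {DEFENDER_RTP_DISABLE_VALUES[name]} ({name}=1)")
        if description == "Key created":
            return Finding(process, "medium",
                           "created the Real-Time Protection policy key; normally only Group Policy writes here")
    if path.endswith(FEATURES_KEY) and m and name == "TamperProtection" and value == "0":
        # Defender rejects this write while Tamper Protection is on; the report
        # records the attempt, not the outcome.
        return Finding(process, "high", "attempted to set TamperProtection=0 (success not recorded)")
    if "\\currentversion\\run" in path and m:
        if "advpack.dll,delnoderundll32" in value.lower():
            # wextract/IExpress self-extractors register this RunOnce entry to delete
            # their IXP000.TMP extraction directory at next logon: packaging, not persistence.
            return Finding(process, "info", f"{name}: IExpress cleanup entry, not persistence")
        return Finding(process, "medium", f"autostart entry {name} = {value}")
    if path.endswith(NLS_LANGUAGE_KEY) and description == "Key opened":
        return Finding(process, "info", "reads the system language (ATT&CK T1614.001)")
    return None


SEVERITY_ORDER = {"high": 0, "medium": 1, "info": 2}


def triage(rows: List[Tuple[str, str, str]]) -> List[Finding]:
    """rows are (description, indicator, process) triples from the report tables."""
    findings = [f for f in (classify_indicator(*row) for row in rows) if f is not None]
    # sorted() is stable, so report order is kept within each severity tier
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


# Rows copied from the report. The variable names are this example's labels.
SFX_PARENT = r"C:\Users\Admin\AppData\Local\Temp\541cecd2fe318b8102042fda4b8322d3308eb9ea417db33d74eb4cc06c85c0c1N.exe"
DEFENDER_DISABLER = r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a92405775.exe"
SECOND_PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b18432150.exe"
RTP = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEATURES = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features"
RUN_ONCE = (r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0'
            r' = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""')
SAMPLE_ROWS = [
    ("Set value (int)", RTP + r'\DisableRealtimeMonitoring = "1"', DEFENDER_DISABLER),
    ("Set value (int)", RTP + r'\DisableScanOnRealtimeEnable = "1"', DEFENDER_DISABLER),
    ("Key created", RTP, DEFENDER_DISABLER),
    ("Set value (int)", RTP + r'\DisableBehaviorMonitoring = "1"', DEFENDER_DISABLER),
    ("Set value (int)", RTP + r'\DisableIOAVProtection = "1"', DEFENDER_DISABLER),
    ("Set value (int)", RTP + r'\DisableOnAccessProtection = "1"', DEFENDER_DISABLER),
    ("Key created", FEATURES, DEFENDER_DISABLER),
    ("Set value (int)", FEATURES + r'\TamperProtection = "0"', DEFENDER_DISABLER),
    ("Set value (str)", RUN_ONCE, SFX_PARENT),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language", SECOND_PAYLOAD),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        print(f"[{f.severity}] {f.process.rsplit(chr(92), 1)[-1]}: {f.summary}")
```

On a live host the same check is a read of HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (and its WOW6432Node twin) compared against the effective settings reported by Get-MpPreference; a policy value of 1 on a machine that has no Defender Group Policy is the finding, whichever process wrote it.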
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a92405775.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a92405775.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\541cecd2fe318b8102042fda4b8322d3308eb9ea417db33d74eb4cc06c85c0c1N.exe | "C:\Users\Admin\AppData\Local\Temp\541cecd2fe318b8102042fda4b8322d3308eb9ea417db33d74eb4cc06c85c0c1N.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a92405775.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a92405775.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b18432150.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b18432150.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| RU | 185.161.248.73:4164 | | tcp |
| RU | 185.161.248.73:4164 | | tcp |
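The Network table mixes two kinds of traffic: PTR (reverse) lookups sent to the resolver for addresses the sandbox touched, and the sample's own connections. The added example below is not from the report or its vendor; the rows are copied from the table above, and treating 8.8.8.8:53 as the sandbox's resolver is an assumption of the example. It turns the in-addr.arpa names back into addresses and counts the direct connections. Two things fall out: no forward name lookup appears at all, so 185.161.248.73:4164 is reached by a literal address embedded in the sample rather than a resolved domain, and five attempts to the same endpoint inside a two-minute run are consistent with a reconnect loop, which is the shape to hunt for in proxy or NetFlow data. The addresses behind the PTR lookups are not indicators of this sample by themselves.

```python
"""Split the report's Network table into direct connections and resolver noise.

Added example, not the sandbox vendor's code. The rows are copied from the
report; treating 8.8.8.8:53 as the sandbox resolver is this example's assumption.
"""
import ipaddress
from collections import Counter
from typing import Dict, List, Optional, Tuple

RESOLVER = "8.8.8.8:53"  # assumption: the sandbox's DNS forwarder


def ptr_name_to_ip(domain: str) -> Optional[str]:
    """'95.221.229.192.in-addr.arpa' -> '192.229.221.95'; None if not an IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not domain.endswith(suffix):
        return None
    octets = domain[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        # PTR names carry the octets in reverse order
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def summarize_network(rows: List[Tuple[str, str, str, str]]) -> Dict[str, object]:
    """rows are (country, destination, domain, proto) tuples as in the report table."""
    connections: Counter = Counter()  # (destination, proto) -> number of attempts
    reverse_lookups = set()           # addresses that were only PTR-queried
    forward_lookups = set()           # names resolved by ordinary A/AAAA queries
    for _country, destination, domain, proto in rows:
        if destination == RESOLVER:
            ip = ptr_name_to_ip(domain)
            if ip:
                reverse_lookups.add(ip)
            elif domain:
                forward_lookups.add(domain)
            continue
        connections[(destination, proto)] += 1
    return {"connections": connections,
            "reverse_lookups": reverse_lookups,
            "forward_lookups": forward_lookups}


# Rows copied from the report's Network table.
REPORT_ROWS = [
    ("US", "8.8.8.8:53", "228.249.119.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "77.190.18.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "71.159.190.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("RU", "185.161.248.73:4164", "", "tcp"),
    ("US", "8.8.8.8:53", "212.20.149.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "18.31.95.13.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "0.205.248.87.in-addr.arpa", "udp"),
    ("RU", "185.161.248.73:4164", "", "tcp"),
    ("US", "8.8.8.8:53", "58.55.71.13.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "240.221.184.93.in-addr.arpa", "udp"),
    ("RU", "185.161.248.73:4164", "", "tcp"),
    ("RU", "185.161.248.73:4164", "", "tcp"),
    ("RU", "185.161.248.73:4164", "", "tcp"),
]

if __name__ == "__main__":
    summary = summarize_network(REPORT_ROWS)
    for (dest, proto), n in summary["connections"].items():
        print(f"direct {proto} to {dest}: {n} attempts")
    print("forward lookups:", sorted(summary["forward_lookups"]) or "none")
    print("reverse-looked-up addresses:", sorted(summary["reverse_lookups"]))
```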
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a92405775.exe
| MD5 | ce27553a2a3454e82a427b2a8a7847b8 |
| SHA1 | 572ce8d9daf60ba37132dfef202a22bf1db391e0 |
| SHA256 | 97734c5b3a6cc99d4baaafd1ca3e844e27b35b5c2072b2dd2fc258b3504a5373 |
| SHA512 | 036a00e8a137b9d746573598d4b4d51fe9c5f835abe72af0992261fc96e7a6d575209f4daafdeb6910fffcf7ef85fc10a42957c3d5c25d76b55c5fb31b1fda37 |
memory/3272-8-0x0000000000880000-0x0000000000980000-memory.dmp
memory/3272-10-0x0000000000400000-0x00000000006C9000-memory.dmp
memory/3272-9-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3272-11-0x0000000000400000-0x00000000006C9000-memory.dmp
memory/3272-12-0x0000000002250000-0x000000000226A000-memory.dmp
memory/3272-13-0x0000000004CC0000-0x0000000005264000-memory.dmp
memory/3272-14-0x0000000004C60000-0x0000000004C78000-memory.dmp
memory/3272-34-0x0000000004C60000-0x0000000004C72000-memory.dmp
memory/3272-40-0x0000000004C60000-0x0000000004C72000-memory.dmp
memory/3272-38-0x0000000004C60000-0x0000000004C72000-memory.dmp
memory/3272-36-0x0000000004C60000-0x0000000004C72000-memory.dmp
memory/3272-33-0x0000000004C60000-0x0000000004C72000-memory.dmp
memory/3272-30-0x0000000004C60000-0x0000000004C72000-memory.dmp
memory/3272-29-0x0000000004C60000-0x0000000004C72000-memory.dmp
memory/3272-26-0x0000000004C60000-0x0000000004C72000-memory.dmp
memory/3272-24-0x0000000004C60000-0x0000000004C72000-memory.dmp
memory/3272-42-0x0000000004C60000-0x0000000004C72000-memory.dmp
memory/3272-22-0x0000000004C60000-0x0000000004C72000-memory.dmp
memory/3272-20-0x0000000004C60000-0x0000000004C72000-memory.dmp
memory/3272-18-0x0000000004C60000-0x0000000004C72000-memory.dmp
memory/3272-17-0x0000000004C60000-0x0000000004C72000-memory.dmp
memory/3272-15-0x0000000004C60000-0x0000000004C72000-memory.dmp
memory/3272-43-0x0000000000880000-0x0000000000980000-memory.dmp
memory/3272-44-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3272-47-0x0000000000400000-0x00000000006C9000-memory.dmp
memory/3272-48-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b18432150.exe
| MD5 | df9334955bb2461c384e61f8f8d7a628 |
| SHA1 | 8a277eeb18bf974fdd58c5e5825c6779fde6ae51 |
| SHA256 | 827f9a77b86cb4745363cfeb07be2d2ab04149536a4085324289b9de1011bb5e |
| SHA512 | 0055f0fe6417ff86d1d1ccb4cf8af88e1c481b325366922d1829281d1d3b957a54efaafa12f6fd8249ed96e1985d50f44d9aca8600e9fc2bcb5deec40a28019c |
memory/1308-53-0x0000000000D80000-0x0000000000DB0000-memory.dmp
memory/1308-52-0x00000000746BE000-0x00000000746BF000-memory.dmp
memory/1308-54-0x0000000002EF0000-0x0000000002EF6000-memory.dmp
memory/1308-55-0x000000000B080000-0x000000000B698000-memory.dmp
memory/1308-56-0x000000000ABF0000-0x000000000ACFA000-memory.dmp
memory/1308-57-0x000000000AB20000-0x000000000AB32000-memory.dmp
memory/1308-59-0x00000000746B0000-0x0000000074E60000-memory.dmp
memory/1308-58-0x000000000AB80000-0x000000000ABBC000-memory.dmp
memory/1308-60-0x0000000005030000-0x000000000507C000-memory.dmp
memory/1308-61-0x00000000746BE000-0x00000000746BF000-memory.dmp
memory/1308-62-0x00000000746B0000-0x0000000074E60000-memory.dmp