Analysis Overview
SHA256
7c41e2c8e2a877a530ed4115bcae57075397c78f55b9ea85486d876e89ce0208
Threat Level: Known bad
The file 7c41e2c8e2a877a530ed4115bcae57075397c78f55b9ea85486d876e89ce0208N.exe was found to be: Known bad.
Malicious Activity Summary
Healer family
Healer
Redline family
Detects Healer an antivirus disabler dropper
RedLine payload
RedLine
Modifies Windows Defender Real-time Protection settings
Executes dropped EXE
Windows security modification
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 13:44
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 13:44
Reported
2024-11-13 13:46
Platform
win10v2004-20241007-en
Max time kernel
117s
Max time network
119s
Signatures
Detects Healer an antivirus disabler dropper
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\it712356.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\it712356.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\it712356.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\it712356.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\it712356.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\it712356.exe | N/A |
RedLine
RedLine payload
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\it712356.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kp958957.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\it712356.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\7c41e2c8e2a877a530ed4115bcae57075397c78f55b9ea85486d876e89ce0208N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7c41e2c8e2a877a530ed4115bcae57075397c78f55b9ea85486d876e89ce0208N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kp958957.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\it712356.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\it712356.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\it712356.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kp958957.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\7c41e2c8e2a877a530ed4115bcae57075397c78f55b9ea85486d876e89ce0208N.exe | "C:\Users\Admin\AppData\Local\Temp\7c41e2c8e2a877a530ed4115bcae57075397c78f55b9ea85486d876e89ce0208N.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\it712356.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\it712356.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kp958957.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kp958957.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.161.248.142:38452 | N/A | tcp |
| RU | 185.161.248.142:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| RU | 185.161.248.142:38452 | N/A | tcp |
| RU | 185.161.248.142:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| RU | 185.161.248.142:38452 | N/A | tcp |
| RU | 185.161.248.142:38452 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\it712356.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kp958957.exe
| MD5 | 7aa33a8967fe0f1eaa4e25ec335a9e93 |
| SHA1 | 1ec8b39c62bdd3af40488e9c6641910ef7caa355 |
| SHA256 | 75228d3cc4d09967419892b4b72d88641242e15593b4d9888e55ccbf0de1adab |
| SHA512 | 20e9c68d860091a8f2b2700dcc5c6bbcc324d33474e0dba2e76c707b49a4af4a7b58cd9e8a9641cca2adeb7bd77494ba9413f682c799d8a7823e94cdfee86208 |