Analysis Overview
SHA256
0bf2273fe4b3d881f9b18e77bbef59723ee865c84b632b944b34d6e21462d77b
Threat Level: Known bad
The file 0bf2273fe4b3d881f9b18e77bbef59723ee865c84b632b944b34d6e21462d77bN.exe was found to be: Known bad.
Malicious Activity Summary
RedLine
Healer
Detects Healer an antivirus disabler dropper
RedLine payload
Modifies Windows Defender Real-time Protection settings
Redline family
Healer family
Windows security modification
Executes dropped EXE
Adds Run key to start application
Program crash
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 13:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 13:35
Reported
2024-11-13 13:37
Platform
win10v2004-20241007-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\38463914.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\38463914.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\38463914.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\38463914.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\38463914.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\38463914.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\38463914.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rk941139.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\38463914.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\38463914.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\0bf2273fe4b3d881f9b18e77bbef59723ee865c84b632b944b34d6e21462d77bN.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\38463914.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0bf2273fe4b3d881f9b18e77bbef59723ee865c84b632b944b34d6e21462d77bN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\38463914.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rk941139.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\38463914.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\38463914.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\38463914.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rk941139.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0bf2273fe4b3d881f9b18e77bbef59723ee865c84b632b944b34d6e21462d77bN.exe
"C:\Users\Admin\AppData\Local\Temp\0bf2273fe4b3d881f9b18e77bbef59723ee865c84b632b944b34d6e21462d77bN.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\38463914.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\38463914.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 536 -ip 536
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 1088
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rk941139.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rk941139.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.161.248.142:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| RU | 185.161.248.142:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| RU | 185.161.248.142:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| RU | 185.161.248.142:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| RU | 185.161.248.142:38452 | N/A | tcp |
| RU | 185.161.248.142:38452 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\38463914.exe
| MD5 | 426dc5cf8b67df386d05b0667ce241f0 |
| SHA1 | 5f09f0e64e7ad1600363d3fa36a3325f2e477d3f |
| SHA256 | 21ebe05f2466efb1dc85654d0f99e95cdbf2c0e4dc5acad1cacc3d898da1fc72 |
| SHA512 | fa7146c374f44639be60e2b9eded41f914f049fb63643756d3afc08185955e1bb47f4dd7900dac972c2f059d20f4a5a8dadb85a3f53db109cedd9f136edd87fc |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rk941139.exe
| MD5 | 94d93fdbb31954268f0bf3c3ad959b35 |
| SHA1 | d20336642b935a1412b38d725241e4ff1e8fa810 |
| SHA256 | 7e54c68fdc404bc511812487b683e2ae4364c72a6cbfc5c837a2244194e4bfd6 |
| SHA512 | 8d0d1b8d2f1b27b353508d144c05374c4b0834e4d802c04ddacb9fdb26bac79044c8f627b45cf0dd9dc3c7035f2f13b32e724dd343358f1aacf9ad21df4959a5 |