Analysis Overview
SHA256
2aa585b8467fb60bbf85d150d1e7f3f3a4e32e56529fa95c4624c68aef102570
Threat Level: Known bad
The file 2aa585b8467fb60bbf85d150d1e7f3f3a4e32e56529fa95c4624c68aef102570.exe was found to be: Known bad.
Malicious Activity Summary
RedLine payload
Detects Healer an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
Redline family
RedLine
Healer family
Healer
Executes dropped EXE
Windows security modification
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 15:14
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 15:14
Reported
2024-11-13 15:16
Platform
win10v2004-20241007-en
Max time kernel
112s
Max time network
119s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8799SO.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8799SO.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c43cb40.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c43cb40.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c43cb40.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8799SO.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8799SO.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8799SO.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c43cb40.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c43cb40.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c43cb40.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8799SO.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice7397.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice0715.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8799SO.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c43cb40.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dgEoB84.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8799SO.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c43cb40.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c43cb40.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\2aa585b8467fb60bbf85d150d1e7f3f3a4e32e56529fa95c4624c68aef102570.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice7397.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice0715.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c43cb40.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c43cb40.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dgEoB84.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2aa585b8467fb60bbf85d150d1e7f3f3a4e32e56529fa95c4624c68aef102570.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice7397.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice0715.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8799SO.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8799SO.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c43cb40.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c43cb40.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8799SO.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c43cb40.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dgEoB84.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2aa585b8467fb60bbf85d150d1e7f3f3a4e32e56529fa95c4624c68aef102570.exe
"C:\Users\Admin\AppData\Local\Temp\2aa585b8467fb60bbf85d150d1e7f3f3a4e32e56529fa95c4624c68aef102570.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice7397.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice7397.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice0715.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice0715.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8799SO.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8799SO.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c43cb40.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c43cb40.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4952 -ip 4952
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 1080
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dgEoB84.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dgEoB84.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 193.233.20.28:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| RU | 193.233.20.28:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| RU | 193.233.20.28:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| RU | 193.233.20.28:4125 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice7397.exe
| MD5 | bc51a9e8040b1382777a3460776c5c3f |
| SHA1 | fd603bf51005e17db870261017fa5133f32e330d |
| SHA256 | f88632042070ab6f96d125d2c01f6697f8b7916cb74d1168bf2bf1f0623562a2 |
| SHA512 | 3515e0b6ae26b5eac996c4cf0a7810e2adca0104184280e9fa69b2fa46b7180bf3722d0e75fbc3444d0026fae09d9f5dbf93147e2939ae3df3fe45f425bda6d0 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice0715.exe
| MD5 | 3ebd2d0de0dda7f5f801bb87d8ad0f44 |
| SHA1 | 074fb4c3a5affa0e604b636b83be3164421f2d12 |
| SHA256 | dfc11e034c2970239e3e0df7abdba97cef691e619876804ed18c7ed946fcb01a |
| SHA512 | dea9c987fa93bcc2887e94808d97134a6dce9f9e74cc7e12ce9579d39043bdaf34338daac2e89894e1892e3a8291ec111520e8430af7a9bb1f918a48cac90dfc |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8799SO.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/1124-21-0x00000000003A0000-0x00000000003AA000-memory.dmp
memory/1124-22-0x00007FFD0A653000-0x00007FFD0A655000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c43cb40.exe
| MD5 | c7a6a881515eb7ab0d1c3f67455ca980 |
| SHA1 | f201499e8d0b2fd82f78687f5a23320b236a6881 |
| SHA256 | b13855be933840cc9ae22ee6887717cea2a45b9550e6ab4b610c42c795d501b7 |
| SHA512 | d64e309bf4ad1fa5a17fdf529db3258260ff5c718d828bb86ba1c5b621064724a319396392cc546642f012f7dd9cea4aa21ef254a98fd8e1fa3a9b86e4eda644 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dgEoB84.exe
| MD5 | 67fea7c362f13f92f2028ad800e6a0eb |
| SHA1 | 5624b717fc92e019a210d1e863992ab5b6b0b851 |
| SHA256 | 245cd72755fd00b3f3f36d5b08f0ba395f363094655a8fd6a54f2ed4273343e9 |
| SHA512 | 7c38a6c450e8bf8ae09586eada676395eca117078764bf1a2fed75f4eae22084aa293fbeb07fba5443c3c7af53eb98007606f5d1db5f4159f31864291095394f |