Analysis Overview
SHA256
a20ea0ab1ca65283cd9159a21f6ea1d68985284bd9238692a3dd365994b2ac85
Threat Level: Known bad
The file 49111f64bed0ab901f9a2a7f547cba60_NEAS was found to be: Known bad.
Malicious Activity Summary
RedLine
Detects Healer, an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
Healer
RedLine payload
Executes dropped EXE
Windows security modification
Adds Run key to start application
Launches sc.exe
Program crash
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-07 01:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-07 01:44
Reported
2024-05-07 01:47
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a73022169.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a73022169.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a73022169.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a73022169.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a73022169.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a73022169.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i58176064.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i91071134.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i87786345.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a73022169.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b14563787.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a73022169.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a73022169.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\49111f64bed0ab901f9a2a7f547cba60_NEAS.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i58176064.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i91071134.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i87786345.exe | N/A |
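The Defender policy writes by a73022169.exe (the Healer stage) and the chain of RunOnce wextract_cleanup keys are the two registry behaviours in this report a detection engineer would most want to alert on. Each stage writes the cleanup key for the next IXPnnn.TMP directory, so a writer that itself runs from an IXPnnn.TMP directory is a nested self-extractor; that is what the third rule keys on. The Python below is an added example, not part of this report or of the sandbox that produced it: it runs three rules over constructed registry-write events using Sysmon Event ID 13-style field names (EventType, Image, TargetObject, Details; those names, the HKLM path form and the "DWORD (0x...)" value rendering are assumptions) and includes one constructed benign write that must not fire.

```python
"""Detection rules for the registry activity recorded in this report.

Added example, not code from the report or from the sandbox. Events are
constructed dicts with Sysmon Event ID 13-style field names; map your own
telemetry onto them.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Policy values a73022169.exe set to 1. Defender honours these policy
# overrides, so each one switches off the named component.
DEFENDER_RTP_POLICY = re.compile(
    r"\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\"
    r"(DisableRealtimeMonitoring|DisableBehaviorMonitoring|DisableIOAVProtection"
    r"|DisableOnAccessProtection|DisableScanOnRealtimeEnable)$",
    re.IGNORECASE,
)
TAMPER_PROTECTION = re.compile(
    r"\\Microsoft\\Windows Defender\\Features\\TamperProtection$", re.IGNORECASE
)
# WExtract/IExpress self-extractors register RunOnce\wextract_cleanupN to delete
# their IXPnnn.TMP folder. A writer that itself runs from an IXPnnn.TMP folder
# is a nested archive: the NEAS.exe -> IXP000 -> IXP001 -> ... chain above.
WEXTRACT_CLEANUP = re.compile(r"\\CurrentVersion\\RunOnce\\wextract_cleanup\d+$", re.IGNORECASE)
IXP_DIR = re.compile(r"\\IXP\d{3}\.TMP\\", re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    rule: str
    image: str
    target: str


def dword(details: str) -> Optional[int]:
    """Parse a REG_DWORD as Sysmon ('DWORD (0x00000001)') or this report ('1') render it."""
    s = details.strip().strip('"')
    m = re.fullmatch(r"(?:DWORD \()?0x([0-9A-Fa-f]+)\)?|(\d+)", s)
    if not m:
        return None
    return int(m.group(1), 16) if m.group(1) else int(m.group(2))


def evaluate(event: dict) -> list:
    """Return the alerts one registry event raises (empty list for benign events)."""
    if event.get("EventType") not in ("SetValue", "CreateKey"):
        return []
    image, target = event["Image"], event["TargetObject"]
    value = dword(event.get("Details", ""))
    alerts = []
    if DEFENDER_RTP_POLICY.search(target) and value == 1:
        alerts.append(Alert("defender_rtp_disabled_by_policy", image, target))
    if TAMPER_PROTECTION.search(target) and value == 0:
        alerts.append(Alert("defender_tamper_protection_off", image, target))
    if WEXTRACT_CLEANUP.search(target) and IXP_DIR.search(image):
        alerts.append(Alert("nested_wextract_sfx_stage", image, target))
    return alerts


def run(events) -> list:
    return [a for e in events for a in evaluate(e)]


# Constructed from the report's rows (HKLM form assumed), plus one benign control.
HEALER = r"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a73022169.exe"
POLICY = r"HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
RUNONCE = r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
CLEANUP = r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP00{}.TMP\"'
SAMPLE_EVENTS = [
    {"EventType": "CreateKey", "Image": HEALER, "TargetObject": POLICY},
    {"EventType": "SetValue", "Image": HEALER, "TargetObject": POLICY + r"\DisableRealtimeMonitoring", "Details": "DWORD (0x00000001)"},
    {"EventType": "SetValue", "Image": HEALER, "TargetObject": POLICY + r"\DisableBehaviorMonitoring", "Details": "DWORD (0x00000001)"},
    {"EventType": "SetValue", "Image": HEALER, "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection", "Details": "DWORD (0x00000000)"},
    {"EventType": "SetValue", "Image": r"C:\Users\Admin\AppData\Local\Temp\49111f64bed0ab901f9a2a7f547cba60_NEAS.exe", "TargetObject": RUNONCE + r"\wextract_cleanup0", "Details": CLEANUP.format(0)},
    {"EventType": "SetValue", "Image": r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i58176064.exe", "TargetObject": RUNONCE + r"\wextract_cleanup1", "Details": CLEANUP.format(1)},
    # Benign control (constructed): turning real-time monitoring back on must not fire.
    {"EventType": "SetValue", "Image": r"C:\Windows\regedit.exe", "TargetObject": POLICY + r"\DisableRealtimeMonitoring", "Details": "DWORD (0x00000000)"},
]

if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print(f"{a.rule}: {a.image} -> {a.target}")
```

The outermost stage (NEAS.exe writing wextract_cleanup0) deliberately does not fire the nesting rule: a single IExpress layer is common in legitimate installers, while a stage that runs from IXP000.TMP and registers cleanup for IXP001.TMP is the pattern this sample shows. The first two rules key on the value written, not just the key touched, so a remediation script restoring the defaults stays quiet.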
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a73022169.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a73022169.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a73022169.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\49111f64bed0ab901f9a2a7f547cba60_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\49111f64bed0ab901f9a2a7f547cba60_NEAS.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i58176064.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i58176064.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i91071134.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i91071134.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i87786345.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i87786345.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a73022169.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a73022169.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1848 -ip 1848
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 1080
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b14563787.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b14563787.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 52.111.229.43:443 | | tcp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | 72.239.69.13.in-addr.arpa | udp |
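Most rows in the Network table are sandbox noise: reverse (PTR) lookups sent to the resolver and Bing traffic from the Windows 10 image. The repeated TCP connections to 185.161.248.73:4164 with no DNS resolution in front of them are what an analyst would extract as the RedLine C2 indicator. The Python below is an added example, not part of the report: it parses the table as exported (tolerating the shifted layout in which an empty Domain cell pushes the protocol one column left), buckets each row, and returns the direct-to-IP, non-web-port connections ranked by hit count. The table text is constructed from the rows above; treating 8.8.8.8 as the sandbox resolver and allowlisting *.bing.com and *.bing.net as background traffic are analyst assumptions, and a direct-to-IP connection on 443 is only flagged for review, not listed as C2.

```python
"""Separate sandbox background traffic from C2 candidates in a Network table.

Added example, not part of the report. NETWORK_TABLE is constructed from the
report's rows; the resolver and background allowlist are assumptions.
"""
from collections import Counter

SANDBOX_RESOLVER = "8.8.8.8"
BACKGROUND_SUFFIXES = (".bing.com", ".bing.net")  # assumed benign for this VM image

NETWORK_TABLE = """\
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | tcp | |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 52.111.229.43:443 | | tcp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | 72.239.69.13.in-addr.arpa | udp |
"""


def parse_rows(table: str) -> list:
    """Parse '| Country | Destination | Domain | Proto |' rows into dicts."""
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        country, dest, domain, proto = cells
        # Some exports shift an empty Domain cell left, leaving the proto in column 3.
        if domain.lower() in ("tcp", "udp") and not proto:
            domain, proto = "", domain
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def classify(row: dict) -> str:
    if row["domain"].endswith(BACKGROUND_SUFFIXES):
        return "noise_background"
    if row["host"] == SANDBOX_RESOLVER and row["port"] == 53:
        return "noise_ptr_lookup" if row["domain"].endswith(".in-addr.arpa") else "dns_query"
    if not row["domain"] and row["proto"] == "tcp" and row["port"] not in (80, 443):
        return "c2_candidate"          # direct-to-IP, no DNS, non-web port
    if not row["domain"]:
        return "direct_to_ip_review"   # direct-to-IP on a web port: confirm owner first
    return "other"


def triage(table: str) -> dict:
    """Bucket name -> Counter of 'host:port/proto' hit counts."""
    buckets = {}
    for row in parse_rows(table):
        key = f'{row["host"]}:{row["port"]}/{row["proto"]}'
        buckets.setdefault(classify(row), Counter())[key] += 1
    return buckets


def c2_candidates(table: str) -> list:
    """C2 candidates as (destination, hits), most-contacted first."""
    return sorted(triage(table).get("c2_candidate", Counter()).items(),
                  key=lambda kv: -kv[1])


if __name__ == "__main__":
    for bucket, hits in triage(NETWORK_TABLE).items():
        print(bucket, dict(hits))
    print("C2 candidates:", c2_candidates(NETWORK_TABLE))
```

The single TCP connection to 52.111.229.43:443 lands in the review bucket rather than the C2 list: a direct-to-IP connection on a web port is not enough on its own, and the report gives no domain for it. The beaconing pattern, six connections to the same non-standard port over a 154-second run, is what separates 185.161.248.73:4164 from everything else in the table.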
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i58176064.exe
| MD5 | e8980977e58b9fd9c13f524fd8a658d5 |
| SHA1 | 40febb2c8384b6e3426d13992368d20bd66791ce |
| SHA256 | f9348f70f20678feb7d4580f7f2fb02f7c9d7f74d2a97a237e6e69fa2720d29a |
| SHA512 | e7e7c41aa01e310e35a3654ca23f8d7e6b3359b7b1d8e6cad3be1ff90f145d4f0f7cec065558b16d587073f16e1e9ec472b33cd8605eaaf0f2289fb240c7fd17 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i91071134.exe
| MD5 | 6d28c016ec3bd44c24eaffbfd4f6594b |
| SHA1 | e0be36cd101a2fbd2ffafb57df853010206f2219 |
| SHA256 | 49d18927a5f28348ab021ec9d18614010944e23c2fadf6c433f0f6490fdfcd44 |
| SHA512 | dda126762aa8c98eacf65122ed652250065c02ec699d4500f712346cf98fd3f940326b2c425175ac3d0a634ba6850071ed98bf3386f6b8a6fe7de1403874eb78 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i87786345.exe
| MD5 | 37b5d514093f0f3d0172ca0cb12b33c7 |
| SHA1 | 751d92e88bbe17ffd9305b411102e7bfbdcf661c |
| SHA256 | d2f9e82d090720f093b0e932076e70d26c8a218ba8cff3b0c0ea2bce0685dae0 |
| SHA512 | 260daf462895dd942274cd348c186c99ddf21e84bc8e05ee438050f989fb105afc6284074212c5050206138ead3921b81ceca89d9d3afe1b1fa425b0082788c2 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a73022169.exe
| MD5 | 62e9646d364ac3efb8354c701b3484e8 |
| SHA1 | 78e60202c2bef0a5317d2c2f83cd89bffb9ae524 |
| SHA256 | 169418cc1306e46283bdd82686d6474b9f19108980c3e414b6590ff9ddc8c9ab |
| SHA512 | af2c9646ea81f710e79c9158d300c2107e6b95845e0412d4f0700e414665179eb188e7750855cefb6ba66492a4ca5a330b4bf7eec14a047cbd9187ea1d5c3fec |
memory/1848-29-0x0000000002910000-0x000000000292A000-memory.dmp
memory/1848-30-0x00000000051D0000-0x0000000005774000-memory.dmp
memory/1848-31-0x0000000002AB0000-0x0000000002AC8000-memory.dmp
memory/1848-39-0x0000000002AB0000-0x0000000002AC2000-memory.dmp
memory/1848-59-0x0000000002AB0000-0x0000000002AC2000-memory.dmp
memory/1848-58-0x0000000002AB0000-0x0000000002AC2000-memory.dmp
memory/1848-55-0x0000000002AB0000-0x0000000002AC2000-memory.dmp
memory/1848-53-0x0000000002AB0000-0x0000000002AC2000-memory.dmp
memory/1848-51-0x0000000002AB0000-0x0000000002AC2000-memory.dmp
memory/1848-49-0x0000000002AB0000-0x0000000002AC2000-memory.dmp
memory/1848-47-0x0000000002AB0000-0x0000000002AC2000-memory.dmp
memory/1848-45-0x0000000002AB0000-0x0000000002AC2000-memory.dmp
memory/1848-41-0x0000000002AB0000-0x0000000002AC2000-memory.dmp
memory/1848-37-0x0000000002AB0000-0x0000000002AC2000-memory.dmp
memory/1848-35-0x0000000002AB0000-0x0000000002AC2000-memory.dmp
memory/1848-43-0x0000000002AB0000-0x0000000002AC2000-memory.dmp
memory/1848-33-0x0000000002AB0000-0x0000000002AC2000-memory.dmp
memory/1848-32-0x0000000002AB0000-0x0000000002AC2000-memory.dmp
memory/1848-61-0x0000000000400000-0x0000000000A67000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b14563787.exe
| MD5 | 05b6d6ba56e96207d2e4e3a48bbb6e97 |
| SHA1 | 5ee840ebdc955d2e3d8d5987db8dd061daedf012 |
| SHA256 | 895cd5ebc24e7d4c97774f9ffdcdcbb5699c7303646204688a7d8a526ea38551 |
| SHA512 | 05e6e94bc225ab93f93479c9d609f2901662ca5ae0c166802801e880df8565972f217e00711764bd50c1f54bf4c039636e72f997fb3c727888e6540f9c92667e |
memory/4560-66-0x0000000000F90000-0x0000000000FC0000-memory.dmp
memory/4560-67-0x0000000003130000-0x0000000003136000-memory.dmp
memory/4560-68-0x000000000B2B0000-0x000000000B8C8000-memory.dmp
memory/4560-69-0x000000000AE00000-0x000000000AF0A000-memory.dmp
memory/4560-70-0x000000000AD30000-0x000000000AD42000-memory.dmp
memory/4560-71-0x000000000AD90000-0x000000000ADCC000-memory.dmp
memory/4560-72-0x0000000003180000-0x00000000031CC000-memory.dmp