Analysis Overview
SHA256
ae029f27440b439695b77423196d9f23ddf03bd5dbfc3753755c898f850c6306
Threat Level: Known bad
The file ae029f27440b439695b77423196d9f23ddf03bd5dbfc3753755c898f850c6306 was found to be: Known bad.
Malicious Activity Summary
RedLine payload
Redline family
Modifies Windows Defender Real-time Protection settings
RedLine
Healer family
Detects Healer an antivirus disabler dropper
Healer
Windows security modification
Executes dropped EXE
Adds Run key to start application
Program crash
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-04 13:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-04 13:47
Reported
2024-11-04 13:50
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0680.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0680.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0680.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0680.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0680.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0680.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio1801.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0680.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5119.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0680.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0680.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio1801.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\ae029f27440b439695b77423196d9f23ddf03bd5dbfc3753755c898f850c6306.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0680.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5119.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ae029f27440b439695b77423196d9f23ddf03bd5dbfc3753755c898f850c6306.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio1801.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0680.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0680.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0680.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0680.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5119.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ae029f27440b439695b77423196d9f23ddf03bd5dbfc3753755c898f850c6306.exe
"C:\Users\Admin\AppData\Local\Temp\ae029f27440b439695b77423196d9f23ddf03bd5dbfc3753755c898f850c6306.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio1801.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio1801.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0680.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0680.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3988 -ip 3988
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 1088
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5119.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5119.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| RU | 193.233.20.32:4125 | | tcp |
| RU | 193.233.20.32:4125 | | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| RU | 193.233.20.32:4125 | | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| RU | 193.233.20.32:4125 | | tcp |
| RU | 193.233.20.32:4125 | | tcp |
| RU | 193.233.20.32:4125 | | tcp |
| RU | 193.233.20.32:4125 | | tcp |
| RU | 193.233.20.32:4125 | | tcp |
| RU | 193.233.20.32:4125 | | tcp |
| RU | 193.233.20.32:4125 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| RU | 193.233.20.32:4125 | | tcp |
| RU | 193.233.20.32:4125 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| RU | 193.233.20.32:4125 | | tcp |
| RU | 193.233.20.32:4125 | | tcp |
| RU | 193.233.20.32:4125 | | tcp |
| RU | 193.233.20.32:4125 | | tcp |
| RU | 193.233.20.32:4125 | | tcp |
| RU | 193.233.20.32:4125 | | tcp |
| US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio1801.exe
| MD5 | bf7e39ec562c99d9a2fae026c086e2bf |
| SHA1 | 746bc76f915e254e3858c4a750e3584a356867c0 |
| SHA256 | da08fb395715a877394a52d18e11f88f29f220578a0ce8d8b705dc9a1c9b81bb |
| SHA512 | 0c982c79f8357e04e063a97720d151adc3319f7769a417fa2f5f66891988f3e8b19e6e1b3aa1c9ae47a6176b75b6e53bf034c0bcf404f70f6e52db0c23de8b11 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0680.exe
| MD5 | 1b11e39d05e005c4c7618b85ba4c2856 |
| SHA1 | 337db5f06d086e884e2110b72b45540ff9186359 |
| SHA256 | 90a029153e9d988bc9d2e3de9483a1086d36cb92f31c20a5df412b7522deaed6 |
| SHA512 | 00cbca6f8801b950d7fec64f457fd14a984ec81741a38607f13f3d628849240c979a9ff1fbf9df9e9f57cd7b56d4bc7eb60ec87d977a59b4b35742714482fc0e |
memory/3988-16-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3988-15-0x0000000002C60000-0x0000000002D60000-memory.dmp
memory/3988-17-0x00000000047A0000-0x00000000047BA000-memory.dmp
memory/3988-18-0x0000000000400000-0x0000000002B7F000-memory.dmp
memory/3988-19-0x0000000007260000-0x0000000007804000-memory.dmp
memory/3988-20-0x0000000007120000-0x0000000007138000-memory.dmp
memory/3988-44-0x0000000007120000-0x0000000007132000-memory.dmp
memory/3988-48-0x0000000007120000-0x0000000007132000-memory.dmp
memory/3988-46-0x0000000007120000-0x0000000007132000-memory.dmp
memory/3988-42-0x0000000007120000-0x0000000007132000-memory.dmp
memory/3988-40-0x0000000007120000-0x0000000007132000-memory.dmp
memory/3988-38-0x0000000007120000-0x0000000007132000-memory.dmp
memory/3988-36-0x0000000007120000-0x0000000007132000-memory.dmp
memory/3988-34-0x0000000007120000-0x0000000007132000-memory.dmp
memory/3988-32-0x0000000007120000-0x0000000007132000-memory.dmp
memory/3988-30-0x0000000007120000-0x0000000007132000-memory.dmp
memory/3988-28-0x0000000007120000-0x0000000007132000-memory.dmp
memory/3988-26-0x0000000007120000-0x0000000007132000-memory.dmp
memory/3988-24-0x0000000007120000-0x0000000007132000-memory.dmp
memory/3988-22-0x0000000007120000-0x0000000007132000-memory.dmp
memory/3988-21-0x0000000007120000-0x0000000007132000-memory.dmp
memory/3988-49-0x0000000002C60000-0x0000000002D60000-memory.dmp
memory/3988-51-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3988-50-0x0000000000400000-0x0000000002B7F000-memory.dmp
memory/3988-53-0x0000000000400000-0x0000000002B7F000-memory.dmp
memory/3988-54-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5119.exe
| MD5 | 988853f50c2c7c3c9a99f57c9c9912e9 |
| SHA1 | 4507f13547ad4b55559b3e0e7eaf2200d64d0b6c |
| SHA256 | 1f712f3e564fef313b31e185a3766a4226ab6563c4ef1f0a04487f576f2b43b0 |
| SHA512 | cbb0917942862118162c14ac80a1a76ecbddc13806a068fe8d46dad8f67966a775d882db8f5e9f1809a91203a89684b21a23622353e1166c30f4408643c54bd9 |
memory/4996-59-0x0000000004AC0000-0x0000000004B06000-memory.dmp
memory/4996-60-0x0000000004C60000-0x0000000004CA4000-memory.dmp
memory/4996-78-0x0000000004C60000-0x0000000004C9F000-memory.dmp
memory/4996-94-0x0000000004C60000-0x0000000004C9F000-memory.dmp
memory/4996-93-0x0000000004C60000-0x0000000004C9F000-memory.dmp
memory/4996-90-0x0000000004C60000-0x0000000004C9F000-memory.dmp
memory/4996-88-0x0000000004C60000-0x0000000004C9F000-memory.dmp
memory/4996-86-0x0000000004C60000-0x0000000004C9F000-memory.dmp
memory/4996-84-0x0000000004C60000-0x0000000004C9F000-memory.dmp
memory/4996-82-0x0000000004C60000-0x0000000004C9F000-memory.dmp
memory/4996-80-0x0000000004C60000-0x0000000004C9F000-memory.dmp
memory/4996-76-0x0000000004C60000-0x0000000004C9F000-memory.dmp
memory/4996-74-0x0000000004C60000-0x0000000004C9F000-memory.dmp
memory/4996-70-0x0000000004C60000-0x0000000004C9F000-memory.dmp
memory/4996-68-0x0000000004C60000-0x0000000004C9F000-memory.dmp
memory/4996-66-0x0000000004C60000-0x0000000004C9F000-memory.dmp
memory/4996-64-0x0000000004C60000-0x0000000004C9F000-memory.dmp
memory/4996-62-0x0000000004C60000-0x0000000004C9F000-memory.dmp
memory/4996-72-0x0000000004C60000-0x0000000004C9F000-memory.dmp
memory/4996-61-0x0000000004C60000-0x0000000004C9F000-memory.dmp
memory/4996-967-0x00000000078A0000-0x0000000007EB8000-memory.dmp
memory/4996-968-0x0000000007EC0000-0x0000000007FCA000-memory.dmp
memory/4996-969-0x00000000072B0000-0x00000000072C2000-memory.dmp
memory/4996-970-0x0000000007FD0000-0x000000000800C000-memory.dmp
memory/4996-971-0x0000000008110000-0x000000000815C000-memory.dmp