Analysis Overview
SHA256
e30297f7e5be578a9d59e85471344142e0bbeb3939ec49300d75322de45d91f7
Threat Level: Known bad
The file e30297f7e5be578a9d59e85471344142e0bbeb3939ec49300d75322de45d91f7 was found to be: Known bad.
Malicious Activity Summary
RedLine payload
Healer family
Redline family
RedLine
Healer
Detects Healer, an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
Windows security modification
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-04 13:53
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-04 13:53
Reported
2024-11-04 13:55
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0023.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0023.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0023.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0023.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0023.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0023.exe | N/A |
RedLine
RedLine payload
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un355263.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0023.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4919.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0023.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0023.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\e30297f7e5be578a9d59e85471344142e0bbeb3939ec49300d75322de45d91f7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un355263.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0023.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e30297f7e5be578a9d59e85471344142e0bbeb3939ec49300d75322de45d91f7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un355263.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0023.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4919.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0023.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0023.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0023.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4919.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e30297f7e5be578a9d59e85471344142e0bbeb3939ec49300d75322de45d91f7.exe
"C:\Users\Admin\AppData\Local\Temp\e30297f7e5be578a9d59e85471344142e0bbeb3939ec49300d75322de45d91f7.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un355263.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un355263.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0023.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0023.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4872 -ip 4872
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 1084
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4919.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4919.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| RU | 176.113.115.145:4125 | | tcp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 67.112.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un355263.exe
| MD5 | 24cbc64a1cb002b19e0cac53011a45b8 |
| SHA1 | 4c506b57e3368fb13cde2f4a848120de5e75f9ea |
| SHA256 | d18ae409287d91185915d932052c5a7b0e239819eaa9add9b0cc33df22b465e1 |
| SHA512 | 1d1a2607e560ba3f4a216c4973243e2f7eb9af2305fa01f93cdc7bb4a9e2512407367c1a25e9f9d50989369cafd2e5efe56978993604916b0912d16d5a322c48 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0023.exe
| MD5 | 27463a2931e8a6e9ec63e3db7f68bdd1 |
| SHA1 | 59f19a376027a9802ddbdf0cc09d6c9431930d15 |
| SHA256 | 3a9398dada925220c08513cca236da9fd3c235ff85c0e65fb3b1917dee6dea1b |
| SHA512 | 840fba736c1cbd768919a389d3817f55de605d574ef1c59c68185f57ceb9e3c9627510727c43fc221f430a05bb79e2ba96f34b0ef5587691db638ba8aef57ff8 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4919.exe
| MD5 | 7ff96e4f98dcfeb94561597349eee69c |
| SHA1 | 9c93afcaed064ddfd6a3e22f0de4a02ff9e976fe |
| SHA256 | c2333ba03da04867bb3a28c8dcc1d10bf88c675bb953d070614c5521933ce92b |
| SHA512 | 47fbbb3ecaf0197bd621fb31ec435ac09874c7c77aaedce757a5aef0da6cf66c78ee351186079d32a477ba812541516859799922dfad99a739dbfb761b4623b2 |