Analysis Overview
SHA256
9a44bd74038d3681791bb4e147be1e9220af0d71e9a32a20a59391b43e2d314f
Threat Level: Known bad
The file 9a44bd74038d3681791bb4e147be1e9220af0d71e9a32a20a59391b43e2d314f was found to be: Known bad.
Malicious Activity Summary
Redline family
Detects Healer an antivirus disabler dropper
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine payload
Windows security modification
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Program crash
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-04 20:50
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-04 20:50
Reported
2024-11-04 20:53
Platform
win10v2004-20241007-en
Max time kernel
142s
Max time network
150s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr065875.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr065875.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr065875.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr065875.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr065875.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr065875.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un729903.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un896666.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr065875.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu162953.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr065875.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr065875.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\9a44bd74038d3681791bb4e147be1e9220af0d71e9a32a20a59391b43e2d314f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un729903.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un896666.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr065875.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9a44bd74038d3681791bb4e147be1e9220af0d71e9a32a20a59391b43e2d314f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un729903.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un896666.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr065875.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu162953.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr065875.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr065875.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr065875.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu162953.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\9a44bd74038d3681791bb4e147be1e9220af0d71e9a32a20a59391b43e2d314f.exe | "C:\Users\Admin\AppData\Local\Temp\9a44bd74038d3681791bb4e147be1e9220af0d71e9a32a20a59391b43e2d314f.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un729903.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un729903.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un896666.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un896666.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr065875.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr065875.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4584 -ip 4584 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 1084 |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu162953.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu162953.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| RU | 185.161.248.152:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.11.19.2.in-addr.arpa | udp |
| RU | 185.161.248.152:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| RU | 185.161.248.152:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 133.190.18.2.in-addr.arpa | udp |
| RU | 185.161.248.152:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 101.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| RU | 185.161.248.152:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| RU | 185.161.248.152:38452 | N/A | tcp |
| RU | 185.161.248.152:38452 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un729903.exe
| MD5 | 7b8904205ff2bd06e934aac1c2caa5c4 |
| SHA1 | 3450333d5597f5a51cf15ca45169df25c50ee655 |
| SHA256 | b8c1ac6d3f752ae9590988a1ac0f4415dd3d83ded6a505bf6fe2341e946b82c8 |
| SHA512 | 1142f5590b6da15df48d9af982149e773c3f61886c4b33384de58a9f50ef8c4a4c1f5d71642a0cb092a590a6b7931282b96cd835628827b425d0d562f91763a6 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un896666.exe
| MD5 | a59d56c9efa4f4b56a1b12ca3c956566 |
| SHA1 | a0cd1b68a122033557191294155c657eb20d7df3 |
| SHA256 | 59e008dbdb5351cf910c38cf7f97f449698820dd8ec219e73308ee4577a7696a |
| SHA512 | 7e1c5620ac7b5d385d6adf9aa7101e27c578b94c02619fe948986e42536f52fec5849e883276e9362236d8b19969d58368285961c0db220aba446a75a28a762b |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr065875.exe
| MD5 | 59d57a1e156f3c9ef62107bd20cfc060 |
| SHA1 | d5225d4625e8d2bfa4cf8dfc758f1037e817a7a6 |
| SHA256 | b7c02a9cec3352314f28c0ec3613392780e517321d8d725583b6a551defda06e |
| SHA512 | 67f507db3e39c505825cf273bc14d2bf48dbb5fde888817eff80240c94b61ab3e1dbded4ab7e389964e1985d992d0eb24b04e26fe112448f3d2f3542c46f4ec9 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu162953.exe
| MD5 | 888fec8a1985d6c2ffe617e12329d330 |
| SHA1 | 9268f1b40c875ff57c41b6ee8170bb17e51df2c3 |
| SHA256 | 971714e3bd11cfecf229b171dd1d7e2214c0f0eb63020903bb6f4d6e9734d20d |
| SHA512 | 7763e23ed7ed276466738b79e4c5266fc9a1e54e3233323b63cd16adbb18d89654ca717ed2f65ca91503b8ca7419e9de304398f2986976aa523e990e4ce97c6f |