Analysis Overview
SHA256
c5a5e030bb0984d90101da82b6135451eabbcccd1d8cc813c5adf1578622d0ce
Threat Level: Known bad
The file c5a5e030bb0984d90101da82b6135451eabbcccd1d8cc813c5adf1578622d0ce was found to be: Known bad.
Malicious Activity Summary
Redline family
Healer
Detects Healer an antivirus disabler dropper
Healer family
RedLine
RedLine payload
Modifies Windows Defender Real-time Protection settings
Checks computer location settings
Executes dropped EXE
Windows security modification
Adds Run key to start application
Program crash
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-07 15:50
Signatures
Unsigned PE
(no indicator, process or target fields are recorded for this static signature)
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-07 15:50
Reported
2024-11-07 15:52
Platform
win10v2004-20241007-en
Max time kernel
145s
Max time network
150s
Signatures
Detects Healer an antivirus disabler dropper
17 rule matches; the export records no indicator, process or target for them.
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr846554.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr846554.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr846554.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr846554.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr846554.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr846554.exe | N/A |
RedLine
RedLine payload
5 payload matches; the export records no indicator, process or target for them.
Redline family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu900427.exe | N/A |
Geo\Nation holds the country configured in the user's Region settings. Loaders and stealers commonly read it to decide whether to run at all in particular regions, so a query from the stage that carries the stealer is worth correlating with the NLS\Language reads listed below.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un519916.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un244606.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr846554.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu900427.exe | N/A |
| N/A | N/A | C:\Windows\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk263937.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr846554.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr846554.exe | N/A |
This value and the Real-Time Protection policy values above all sit under HKLM, so the writes need administrative rights, and the WOW6432Node path shows the writer is a 32-bit process. With Tamper Protection enabled, Defender rejects changes to these settings from anything other than Windows Security and its management channels, so on a managed endpoint these writes are a tamper attempt to alert on rather than a confirmed disable.
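The two Defender sections above (the Real-Time Protection policy values and the TamperProtection feature flag) are the kind of registry writes a detection should key on. The following is an added example, not code from the sandbox or from the malware: it normalizes raw NT registry paths (hive prefix and WOW6432Node redirection stripped) and flags any write that sets one of these values to its "protection off" state. The `(description, indicator, process)` tuple layout is an assumption for the example; `EVENTS` is constructed from the report's tables, plus one constructed control row (a `gpupdate.exe` path re-enabling real-time monitoring) that must not match.

```python
"""Flag Windows Defender tamper writes in a sandbox registry log.

Added example, not code from the sandbox or from the malware.  EVENTS is
constructed from this report's registry tables; the tuple layout
(description, indicator, process) is an assumption, not a real log format.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Hive-relative keys (case-folded, WOW6432Node removed) that control Defender.
POLICY_RTP = r"software\policies\microsoft\windows defender\real-time protection"
FEATURES = r"software\microsoft\windows defender\features"

# (key, value name) -> data that means "protection off".
TAMPER_VALUES = {
    (POLICY_RTP, "disablerealtimemonitoring"): "1",
    (POLICY_RTP, "disablebehaviormonitoring"): "1",
    (POLICY_RTP, "disableioavprotection"): "1",
    (POLICY_RTP, "disableonaccessprotection"): "1",
    (POLICY_RTP, "disablescanonrealtimeenable"): "1",
    (FEATURES, "tamperprotection"): "0",
}

# '<key>\<name> = "<data>"' as the sandbox prints a Set value indicator.
SET_VALUE_RE = re.compile(r'^(?P<key>.+)\\(?P<name>[^\\]+) = "(?P<data>[^"]*)"$')


@dataclass(frozen=True)
class Finding:
    process: str
    key: str
    name: str
    data: str


def normalize_key(path: str) -> str:
    """Strip the hive prefix and WOW6432Node redirection, fold case.

    A 32-bit writer lands under SOFTWARE/WOW6432Node, a 64-bit one under
    SOFTWARE directly; both must hit the same rule.
    """
    p = path.lower()
    p = re.sub(r"^\\registry\\machine\\", "", p)
    p = re.sub(r"^\\registry\\user\\[^\\]+\\", "", p)
    p = p.replace("\\wow6432node\\", "\\")
    return p.strip("\\")


def find_defender_tampering(events: Iterable[Tuple[str, str, str]]) -> List[Finding]:
    """Return one Finding per registry write that turns a Defender protection off."""
    findings: List[Finding] = []
    for description, indicator, process in events:
        if not description.startswith("Set value"):
            continue  # "Key created" and reads carry no data to judge
        m = SET_VALUE_RE.match(indicator.strip())
        if not m:
            continue
        key = normalize_key(m.group("key"))
        name = m.group("name").lower()
        if TAMPER_VALUES.get((key, name)) == m.group("data"):
            findings.append(Finding(process, key, name, m.group("data")))
    return findings


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr846554.exe"
RTP = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
EVENTS = [  # constructed from the report's tables
    ("Set value (int)", RTP + r'\DisableRealtimeMonitoring = "1"', DROPPER),
    ("Set value (int)", RTP + r'\DisableScanOnRealtimeEnable = "1"', DROPPER),
    ("Key created", RTP, DROPPER),
    ("Set value (int)", RTP + r'\DisableBehaviorMonitoring = "1"', DROPPER),
    ("Set value (int)", RTP + r'\DisableIOAVProtection = "1"', DROPPER),
    ("Set value (int)", RTP + r'\DisableOnAccessProtection = "1"', DROPPER),
    ("Set value (int)",
     r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"',
     DROPPER),
    # Constructed control row (not from the report): a 64-bit writer re-enabling
    # real-time monitoring must not be flagged.
    ("Set value (int)",
     r'\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0"',
     r"C:\Windows\System32\gpupdate.exe"),
]

if __name__ == "__main__":
    for f in find_defender_tampering(EVENTS):
        print(f"{f.process}: {f.key}\\{f.name} = {f.data}")
```

Run as is, it reports six writes, all from pr846554.exe, and ignores the `Key created` row and the control row. The same table drives a host-side check: read the six values under both `HKLM\SOFTWARE` and `HKLM\SOFTWARE\WOW6432Node` and compare them with `Get-MpPreference`/`Get-MpComputerStatus`, since a policy value of 1 with real-time protection still reported as running means Tamper Protection absorbed the change.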
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\c5a5e030bb0984d90101da82b6135451eabbcccd1d8cc813c5adf1578622d0ce.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un519916.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un244606.exe | N/A |
Despite the signature name, these entries do not relaunch the payload. wextract_cleanupN is the RunOnce hook that the wextract (IExpress) self-extractor writes so that advpack.dll's DelNodeRunDLL32 deletes its IXP00n.TMP extraction directory at the next logon. Three such entries written by three different processes show the sample as a self-extracting cabinet nested three deep (sample -> IXP000.TMP -> IXP001.TMP -> IXP002.TMP); persistence for the stealer has to be looked for elsewhere.
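The wextract_cleanup entries above, combined with the "Executes dropped EXE" list, are enough to reconstruct the extraction chain without a process tree. This is an added example, not code from the sandbox: each RunOnce writer is mapped to the directory its cleanup command will delete, and every dropped file is attached to the extractor that owns its parent directory. `RUNONCE` and `DROPPED` are constructed from the report's tables (registry data shown unescaped); anything that lands outside a wextract directory, here `C:\Windows\Temp\1.exe`, is reported as an orphan because the tables do not say which stage wrote it.

```python
"""Recover self-extractor nesting from wextract cleanup RunOnce entries.

Added example, not part of the sandbox report.  RUNONCE and DROPPED are
constructed from this report's "Adds Run key" and "Executes dropped EXE"
tables, with registry data shown unescaped.
"""
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Sequence, Tuple

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\c5a5e030bb0984d90101da82b6135451eabbcccd1d8cc813c5adf1578622d0ce.exe"
RUNDLL = r"rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "

# (RunOnce value name, data, process that wrote it)
RUNONCE: List[Tuple[str, str, str]] = [
    ("wextract_cleanup0", RUNDLL + '"' + TEMP + r'\IXP000.TMP\"', SAMPLE),
    ("wextract_cleanup1", RUNDLL + '"' + TEMP + r'\IXP001.TMP\"', TEMP + r"\IXP000.TMP\un519916.exe"),
    ("wextract_cleanup2", RUNDLL + '"' + TEMP + r'\IXP002.TMP\"', TEMP + r"\IXP001.TMP\un244606.exe"),
]

# "Executes dropped EXE" rows, in the order the report lists them.
DROPPED: List[str] = [
    TEMP + r"\IXP000.TMP\un519916.exe",
    TEMP + r"\IXP001.TMP\un244606.exe",
    TEMP + r"\IXP002.TMP\pr846554.exe",
    TEMP + r"\IXP002.TMP\qu900427.exe",
    r"C:\Windows\Temp\1.exe",
    TEMP + r"\IXP001.TMP\rk263937.exe",
]

# The quoted directory handed to DelNodeRunDLL32 is the extraction directory.
CLEANUP_RE = re.compile(r'advpack\.dll,DelNodeRunDLL32\s+"([^"]+)"', re.IGNORECASE)


def extraction_dirs(runonce: Sequence[Tuple[str, str, str]]) -> Dict[str, str]:
    """Map each process that wrote a wextract_cleanupN entry to the directory it unpacked into."""
    dirs: Dict[str, str] = {}
    for name, data, writer in runonce:
        m = CLEANUP_RE.search(data)
        if name.lower().startswith("wextract_cleanup") and m:
            dirs[writer] = m.group(1).rstrip("\\").lower()
    return dirs


def stage_tree(runonce: Sequence[Tuple[str, str, str]],
               dropped: Sequence[str]) -> Tuple[Dict[str, List[str]], List[str]]:
    """Attach every dropped file to the extractor whose directory contains it.

    Returns (tree, orphans): tree maps extractor path -> children in drop
    order; orphans are files written somewhere no wextract stage owns.
    """
    dirs = extraction_dirs(runonce)
    tree: Dict[str, List[str]] = {writer: [] for writer in dirs}
    orphans: List[str] = []
    for path in dropped:
        parent = str(PureWindowsPath(path).parent).lower()
        owner = next((w for w, d in dirs.items() if d == parent), None)
        if owner is None:
            orphans.append(path)
        else:
            tree[owner].append(path)
    return tree, orphans


if __name__ == "__main__":
    tree, orphans = stage_tree(RUNONCE, DROPPED)
    for extractor, children in tree.items():
        print(PureWindowsPath(extractor).name)
        for child in children:
            print("   ->", PureWindowsPath(child).name)
    print("not owned by a wextract stage:", [PureWindowsPath(o).name for o in orphans])
```

The output places un519916.exe under the sample, un244606.exe and rk263937.exe under un519916.exe, and pr846554.exe (the Healer dropper) and qu900427.exe (the RedLine stage) under un244606.exe, with 1.exe left unattributed.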
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr846554.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu900427.exe |
The WerFault command lines in the process list (-p 2800 and -p 4756) give the crashing PIDs, and the same PIDs prefix the memory dumps listed under Files: memory/2800-* belongs to pr846554.exe and memory/4756-* to qu900427.exe. Both crashed processes are the ones that enable SeDebugPrivilege below, so the crashes do not mean the stages failed before acting.
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk263937.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c5a5e030bb0984d90101da82b6135451eabbcccd1d8cc813c5adf1578622d0ce.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un519916.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un244606.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr846554.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu900427.exe | N/A |
Every process in the run opens this key, the outer extractors included, and it is commonly opened during normal locale initialization, so on its own it is a low-confidence signal. It carries weight only together with the explicit Geo\Nation query above.
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr846554.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr846554.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr846554.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu900427.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\c5a5e030bb0984d90101da82b6135451eabbcccd1d8cc813c5adf1578622d0ce.exe | "C:\Users\Admin\AppData\Local\Temp\c5a5e030bb0984d90101da82b6135451eabbcccd1d8cc813c5adf1578622d0ce.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un519916.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un519916.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un244606.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un244606.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr846554.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr846554.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2800 -ip 2800 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 1100 |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu900427.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu900427.exe |
| C:\Windows\Temp\1.exe | "C:\Windows\Temp\1.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4756 -ip 4756 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 1384 |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk263937.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk263937.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
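The network table mixes two very different things: reverse (PTR) lookups sent to 8.8.8.8, and a dozen direct TCP connections to 185.161.248.90:4125 with no name resolution in front of them. The following is an added example, not code from the sandbox, that separates the two: it undoes the in-addr.arpa reversal so the looked-up IPs can be read directly, and counts every non-DNS endpoint so the repeatedly contacted bare-IP, non-standard-port destination stands out as the C2 candidate. `ROWS` is constructed from the table above; the `min_connections` threshold is an assumption for the example.

```python
"""Summarise a sandbox network table into a short IOC list.

Added example, not part of the report.  ROWS is constructed from this
report's Network table as (country, destination, queried name, protocol).
"""
import ipaddress
from collections import Counter
from typing import Dict, List, Optional, Sequence, Tuple

Row = Tuple[str, str, str, str]

C2 = ("RU", "185.161.248.90:4125", "", "tcp")
ROWS: List[Row] = [
    ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "104.219.191.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "4.159.190.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "172.214.232.199.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    C2, C2,
    ("US", "8.8.8.8:53", "212.20.149.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "241.42.69.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "98.117.19.2.in-addr.arpa", "udp"),
    *([C2] * 6),
    ("US", "8.8.8.8:53", "19.229.111.52.in-addr.arpa", "udp"),
    *([C2] * 4),
]


def ptr_to_ip(name: str) -> Optional[str]:
    """Undo the in-addr.arpa reversal: '4.159.190.20.in-addr.arpa' -> '20.190.159.4'.

    Returns None for anything that is not a well-formed IPv4 PTR name.
    """
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    candidate = ".".join(reversed(octets))
    try:
        return str(ipaddress.IPv4Address(candidate))
    except ipaddress.AddressValueError:
        return None


def summarize(rows: Sequence[Row]) -> Dict[str, object]:
    """Split resolver chatter from direct connections.

    Returns the IPs that were reverse-resolved and a per-endpoint count of
    everything that was not a DNS query; the latter is where a C2 contacted
    by bare IP shows up.
    """
    resolved: List[str] = []
    direct: Counter = Counter()
    for country, dest, name, proto in rows:
        ip = ptr_to_ip(name)
        if proto == "udp" and dest.endswith(":53") and ip is not None:
            resolved.append(ip)
        else:
            direct[(dest, proto, country)] += 1
    return {"reverse_lookups": resolved, "direct_connections": dict(direct)}


def c2_candidates(rows: Sequence[Row], min_connections: int = 3) -> List[Tuple[str, int]]:
    """Endpoints contacted directly at least min_connections times, busiest first."""
    direct = summarize(rows)["direct_connections"]
    return sorted(
        ((f"{dest}/{proto}", n) for (dest, proto, _), n in direct.items() if n >= min_connections),
        key=lambda item: -item[1],
    )


if __name__ == "__main__":
    summary = summarize(ROWS)
    print("reverse lookups:", summary["reverse_lookups"])
    print("C2 candidates:", c2_candidates(ROWS))
```

On this table the only direct endpoint is 185.161.248.90:4125 over TCP, contacted twelve times and never preceded by a forward DNS query, which is the shape of a hard-coded RedLine C2 address; the nine reverse lookups are all for other IPs and are best treated as background noise until they are tied to a process.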
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un519916.exe
| MD5 | 77041211ac7426f709b9c3ab4517a995 |
| SHA1 | b237a9c11f2a3d855177c735d43f02067f1ecedd |
| SHA256 | 9e9a2659bcd2bdb078e91bd3f3105a3a025254d6ba966d8506adc316831ea758 |
| SHA512 | 3c082cbb1c65e5887428a8c7a85f5872f87f56f33395c951048ef20730558f8bdf387594af421480d8d1a8258d8d2cd79cc4c0f853d713c39fafb61afc09a630 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un244606.exe
| MD5 | a401243d4b1006c87842450ffce70724 |
| SHA1 | 6bc8190395b05f2050a14d4bb5f4d1e236dc8975 |
| SHA256 | de7769405b9f824713a0ba65766c2ccf3860b70018305aa2eb228bdcdfaac529 |
| SHA512 | b61e572d96402ecad6bbde9cef940466ba72c698141ffcacf39bcb2902365da8ce1c7100ec086af7beb4bbc6e91dd5200bd2f3d438470658ac8d23f2b464a375 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr846554.exe
| MD5 | ee8203a2070e1a85005d0d8f28cbd2b0 |
| SHA1 | cd95ca104b4c7a4865957ce9664c2df9a280bb42 |
| SHA256 | f33859b99bc143176a1756f17af93dd7ba1ee82bf0656c7a5be53342920344fd |
| SHA512 | 432504b6ef7eb71243f78bd5c721810fa32c4fbf267c6dc9258457e8861d7b71b32588bbca2eb8c34d69fa5031a47ddfdc7f1984892abbb5fac832f4aefabcc1 |
memory/2800-22-0x00000000006F0000-0x00000000007F0000-memory.dmp
memory/2800-24-0x0000000000400000-0x00000000004AF000-memory.dmp
memory/2800-23-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2800-25-0x0000000002210000-0x000000000222A000-memory.dmp
memory/2800-26-0x0000000004B70000-0x0000000005114000-memory.dmp
memory/2800-27-0x0000000004A40000-0x0000000004A58000-memory.dmp
memory/2800-51-0x0000000004A40000-0x0000000004A52000-memory.dmp
memory/2800-55-0x0000000004A40000-0x0000000004A52000-memory.dmp
memory/2800-53-0x0000000004A40000-0x0000000004A52000-memory.dmp
memory/2800-49-0x0000000004A40000-0x0000000004A52000-memory.dmp
memory/2800-47-0x0000000004A40000-0x0000000004A52000-memory.dmp
memory/2800-45-0x0000000004A40000-0x0000000004A52000-memory.dmp
memory/2800-43-0x0000000004A40000-0x0000000004A52000-memory.dmp
memory/2800-42-0x0000000004A40000-0x0000000004A52000-memory.dmp
memory/2800-39-0x0000000004A40000-0x0000000004A52000-memory.dmp
memory/2800-37-0x0000000004A40000-0x0000000004A52000-memory.dmp
memory/2800-35-0x0000000004A40000-0x0000000004A52000-memory.dmp
memory/2800-34-0x0000000004A40000-0x0000000004A52000-memory.dmp
memory/2800-31-0x0000000004A40000-0x0000000004A52000-memory.dmp
memory/2800-29-0x0000000004A40000-0x0000000004A52000-memory.dmp
memory/2800-28-0x0000000004A40000-0x0000000004A52000-memory.dmp
memory/2800-56-0x00000000006F0000-0x00000000007F0000-memory.dmp
memory/2800-57-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2800-58-0x0000000000400000-0x00000000004AF000-memory.dmp
memory/2800-60-0x0000000000400000-0x00000000004AF000-memory.dmp
memory/2800-61-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu900427.exe
| MD5 | 4f8f2a6194399c93290d0216b5f3d1ec |
| SHA1 | 478c3bf99154b010360d28f1d3dda28f1a33924f |
| SHA256 | cccc02779af85995d706a51b3ae984317464764d7bc1a0471c400bcd2b1b6e5e |
| SHA512 | 9f60cb7255c7a14610edaed75b75950f0e09ffcd571101ef80443dfdb6362cc3d95049b99a039689352fb6d1c43d13efffe813889978da09b813ad57e3e63bdb |
memory/4756-66-0x00000000025D0000-0x0000000002638000-memory.dmp
memory/4756-67-0x0000000004A00000-0x0000000004A66000-memory.dmp
memory/4756-71-0x0000000004A00000-0x0000000004A60000-memory.dmp
memory/4756-84-0x0000000004A00000-0x0000000004A60000-memory.dmp
memory/4756-101-0x0000000004A00000-0x0000000004A60000-memory.dmp
memory/4756-99-0x0000000004A00000-0x0000000004A60000-memory.dmp
memory/4756-97-0x0000000004A00000-0x0000000004A60000-memory.dmp
memory/4756-95-0x0000000004A00000-0x0000000004A60000-memory.dmp
memory/4756-93-0x0000000004A00000-0x0000000004A60000-memory.dmp
memory/4756-89-0x0000000004A00000-0x0000000004A60000-memory.dmp
memory/4756-87-0x0000000004A00000-0x0000000004A60000-memory.dmp
memory/4756-85-0x0000000004A00000-0x0000000004A60000-memory.dmp
memory/4756-81-0x0000000004A00000-0x0000000004A60000-memory.dmp
memory/4756-79-0x0000000004A00000-0x0000000004A60000-memory.dmp
memory/4756-77-0x0000000004A00000-0x0000000004A60000-memory.dmp
memory/4756-75-0x0000000004A00000-0x0000000004A60000-memory.dmp
memory/4756-73-0x0000000004A00000-0x0000000004A60000-memory.dmp
memory/4756-91-0x0000000004A00000-0x0000000004A60000-memory.dmp
memory/4756-69-0x0000000004A00000-0x0000000004A60000-memory.dmp
memory/4756-68-0x0000000004A00000-0x0000000004A60000-memory.dmp
memory/4756-2210-0x0000000005410000-0x0000000005442000-memory.dmp
C:\Windows\Temp\1.exe
| MD5 | 03728fed675bcde5256342183b1d6f27 |
| SHA1 | d13eace7d3d92f93756504b274777cc269b222a2 |
| SHA256 | f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0 |
| SHA512 | 6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1 |
memory/4360-2223-0x0000000000C90000-0x0000000000CBE000-memory.dmp
memory/4360-2224-0x0000000001470000-0x0000000001476000-memory.dmp
memory/4360-2225-0x0000000005CB0000-0x00000000062C8000-memory.dmp
memory/4360-2226-0x00000000057A0000-0x00000000058AA000-memory.dmp
memory/4360-2227-0x0000000005520000-0x0000000005532000-memory.dmp
memory/4360-2228-0x0000000005690000-0x00000000056CC000-memory.dmp
memory/4360-2230-0x00000000056D0000-0x000000000571C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk263937.exe
| MD5 | c52ebada00a59ec1f651a0e9fbcef2eb |
| SHA1 | e1941278df76616f1ca3202ef2a9f99d2592d52f |
| SHA256 | 35d5cff482e78c0137b3c51556d1e14aab0f38921ebfe46abc979a826301d28e |
| SHA512 | 6b11124fa6cfa1d2fdb8b6a4cc237b4a65ecbeb1797179568dcef378041ce05bdf0af9b6434cc0b3feb2479112d003b0fa5c0d2178c73bc65d35f5c2cfb36be2 |
memory/220-2234-0x0000000000E50000-0x0000000000E80000-memory.dmp
memory/220-2235-0x0000000001560000-0x0000000001566000-memory.dmp