Analysis Overview
SHA256
97e98342be8ffedf722a3598239d99306899d3c6411a29c5bb637f459a01bf91
Threat Level: Known bad
The file 97e98342be8ffedf722a3598239d99306899d3c6411a29c5bb637f459a01bf91 was found to be: Known bad.
Malicious Activity Summary
RedLine
Detects Healer an antivirus disabler dropper
Healer family
RedLine payload
Modifies Windows Defender Real-time Protection settings
Redline family
Healer
Windows security modification
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 03:54
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 03:54
Reported
2024-11-09 03:57
Platform
win10v2004-20241007-en
Max time kernel
143s
Max time network
147s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7562.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7562.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7562.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7562.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7562.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7562.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un052253.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7562.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5886.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7562.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7562.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\97e98342be8ffedf722a3598239d99306899d3c6411a29c5bb637f459a01bf91.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un052253.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7562.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5886.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\97e98342be8ffedf722a3598239d99306899d3c6411a29c5bb637f459a01bf91.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un052253.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7562.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7562.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7562.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5886.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\97e98342be8ffedf722a3598239d99306899d3c6411a29c5bb637f459a01bf91.exe | "C:\Users\Admin\AppData\Local\Temp\97e98342be8ffedf722a3598239d99306899d3c6411a29c5bb637f459a01bf91.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un052253.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un052253.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7562.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7562.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3500 -ip 3500 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 1004 |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5886.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5886.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un052253.exe
| Hash | Value |
| MD5 | d9559107cb1a2a85ec1ab63e932db10a |
| SHA1 | 1f0cbbbbe4400d531f833b3948c78168902553d7 |
| SHA256 | 13c6a5c338bda947f25ac30aea92084d0a78b4dfa462f5cc0c6a2a49258c8ef6 |
| SHA512 | 0ef857a35a80e0a71fce2bafd73d2330bee4af629161f819b419622b798ad45c842bc522b17da741fb82ac26d0f6db3f0d82ebc45510ac96c8b6499ef42d7611 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7562.exe
| Hash | Value |
| MD5 | f947cd7e94a5dbaae4b30c3910830fcb |
| SHA1 | cb05654d0a97e0022e3388d47a5f7ce944b04c2f |
| SHA256 | 83cdb8b9f7b3bd70665a1ac521a45630b8e8318fe83c05090e04ade1f2b78d8f |
| SHA512 | e10621db1757ab44be4da8dadcdd8980d28da143929ce2ccb17a36a2ca5a9837da0d8f237f070a5a2a289ffd2aa7bed69668b851516ae074ec28352596f32f79 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5886.exe
| Hash | Value |
| MD5 | b0185a3a2f66c1da4a5d7213c0e6ecbe |
| SHA1 | afbeb104c16fef3ebb94655dbe770630fd8a599e |
| SHA256 | 274a39f8cfe8fc747c8de88f63db69022637320301671d3c57a9cce1c3b89dba |
| SHA512 | 8263d4b63410b3cc1b5cbcb87d5cd5f29712eb55fd7bc73d6eafe3183e2a3cb247fb21981e29807a22db6b813a8578d086624db670086b674932680960cfd9d8 |