Analysis Overview
SHA256
293c7419343e6ed4440a63aca7e2e268718d9462547c4461b0840af433abd84b
Threat Level: Known bad
The file 293c7419343e6ed4440a63aca7e2e268718d9462547c4461b0840af433abd84b was found to be: Known bad.
Malicious Activity Summary
RedLine payload
Redline family
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
RedLine
Detects Healer an antivirus disabler dropper
Executes dropped EXE
Windows security modification
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 05:04
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 05:04
Reported
2024-11-09 05:06
Platform
win10v2004-20241007-en
Max time kernel
143s
Max time network
147s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9282.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9282.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9282.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9282.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9282.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9282.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un986624.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9282.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3458.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9282.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9282.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\293c7419343e6ed4440a63aca7e2e268718d9462547c4461b0840af433abd84b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un986624.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\293c7419343e6ed4440a63aca7e2e268718d9462547c4461b0840af433abd84b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un986624.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9282.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3458.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9282.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9282.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3458.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\293c7419343e6ed4440a63aca7e2e268718d9462547c4461b0840af433abd84b.exe | "C:\Users\Admin\AppData\Local\Temp\293c7419343e6ed4440a63aca7e2e268718d9462547c4461b0840af433abd84b.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un986624.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un986624.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9282.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9282.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3458.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3458.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un986624.exe
| MD5 | bc7e8f80f37c8421e0a8cc28f1b935f0 |
| SHA1 | 28cb0137298019588e6ac7ef89bda4c20f374df8 |
| SHA256 | 3a1db85e182fbca5ac7c604a9a22d3bfcebe8eec55e95772df446fe38134663c |
| SHA512 | 6e4d5a4e44cc62c3787b45bd51b146f54177063c0206e8e9d8d7727e3d24c13b2bf8ee94c95597eb8b6b77ca42be837a83817186d3ffd3b6a8a9d191bfac4ea4 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9282.exe
| MD5 | 10233ca6892fdece6d57faafb641d3f5 |
| SHA1 | fb47ce1f3acdf1dc6730f102c028532bac1af375 |
| SHA256 | 909a907a61c37121599fd2997b7b234c68f97c757b6061e86bb7d4ae4770c478 |
| SHA512 | a4aec83f905fb9deb820604a2400fa77eff6aadb3cdaeeb18671ce3110e4a9c3514f10b84474ea1e158a42f12695bccfa867a41a2f262f5deac96222890c56d2 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3458.exe
| MD5 | eb9ab35b51431ef860e2384079699bd4 |
| SHA1 | 4b800bdd763b217fb33ba6237cd1355e2b8a6625 |
| SHA256 | c5c643d024ca73e992b1ead9751cf7b5f28a584dfc6194d7a52a8036b49eed44 |
| SHA512 | 53332183bdda5384ddc38e315260af6306da89f9436910b4ecb4c3f4017c10a4ee25631d223de7e3dca2d950a2577f3dea9eaf258575f9566964845aecaf679e |