Analysis Overview
SHA256
0be1ae324b30c6fab509468df5b31d7e844d89cacd141afc98e138b5ac0489df
Threat Level: Known bad
The file 0be1ae324b30c6fab509468df5b31d7e844d89cacd141afc98e138b5ac0489df was found to be: Known bad.
Malicious Activity Summary
RedLine payload
Detects Healer, an antivirus disabler dropper
Healer family
RedLine
Redline family
Healer
Modifies Windows Defender Real-time Protection settings
Windows security modification
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Program crash
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 05:09
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 05:09
Reported
2024-11-09 05:12
Platform
win10v2004-20241007-en
Max time kernel
144s
Max time network
148s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4837.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4837.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4837.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4837.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4837.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4837.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un853084.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4837.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9657.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4837.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4837.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\0be1ae324b30c6fab509468df5b31d7e844d89cacd141afc98e138b5ac0489df.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un853084.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4837.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0be1ae324b30c6fab509468df5b31d7e844d89cacd141afc98e138b5ac0489df.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un853084.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4837.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9657.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4837.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4837.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9657.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\0be1ae324b30c6fab509468df5b31d7e844d89cacd141afc98e138b5ac0489df.exe | "C:\Users\Admin\AppData\Local\Temp\0be1ae324b30c6fab509468df5b31d7e844d89cacd141afc98e138b5ac0489df.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un853084.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un853084.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4837.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4837.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2424 -ip 2424 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 1084 |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9657.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9657.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un853084.exe
| MD5 | 0fde33fcbef4066bd8757251ba6ce4bb |
| SHA1 | 07fcce5b978231385e6f62809e0fcd72c4429af5 |
| SHA256 | 60b7e4a282aa8267cd42e5739a5964fb5db8aba8996e0605eb52d30dad4c7547 |
| SHA512 | a5665076d69b76123a85e643327d502e349d6b76510840096bb870a0965b5c4b384fb6fca9f2c82c590edefedcb34171395f270794454f9bd6ea7f328ae57648 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4837.exe
| MD5 | c7ea858e9c20564b33d13f687a14ba17 |
| SHA1 | 6d641db62d11d1b91e2ee2aa5bb72c6baeef3ab5 |
| SHA256 | f0b06eadfed4b7f0ddc00097f6abcfdc503e2400a7be746b2bcd644cc05c08b5 |
| SHA512 | 151ad6477ebaef781a1c9f376a24ec63c127b4374af2439c78d1717d0ec69ee9ae2773335051e7e3dced659cf6a891bca2c938ad08f44d56c42d9fc36f27716a |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9657.exe
| MD5 | 7ea35fd7d65d57df703704375e93915b |
| SHA1 | 5aba06774f6680c309b3d12e3cff00500e1baba4 |
| SHA256 | 5eb997ee46fcddd70dc0ad4324b15d0fdd80afd1fe6085a4126d18dc3412791d |
| SHA512 | c7ef384a0b9400cde798fc8d00c4bd3fd3ede824b51d4d9847f0f8240280f11e47205494937906ad56c50080d3b207fb0f138273585d6c0d9aa9a78e2af7fb66 |