Analysis Overview
SHA256
7ee97b1481c8b2daac74093e13751cadcbac12011cc183dbc811767791ad2de9
Threat Level: Known bad
The file 7ee97b1481c8b2daac74093e13751cadcbac12011cc183dbc811767791ad2de9 was found to be: Known bad.
Malicious Activity Summary
RedLine payload
RedLine
Redline family
Healer
Healer family
Detects Healer an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
Windows security modification
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Program crash
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 19:13
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 19:13
Reported
2024-11-09 19:15
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9263.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9263.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9263.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9263.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9263.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9263.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un410603.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9263.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3859.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9263.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9263.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\7ee97b1481c8b2daac74093e13751cadcbac12011cc183dbc811767791ad2de9.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un410603.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9263.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7ee97b1481c8b2daac74093e13751cadcbac12011cc183dbc811767791ad2de9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un410603.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9263.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3859.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9263.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9263.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9263.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3859.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\7ee97b1481c8b2daac74093e13751cadcbac12011cc183dbc811767791ad2de9.exe | "C:\Users\Admin\AppData\Local\Temp\7ee97b1481c8b2daac74093e13751cadcbac12011cc183dbc811767791ad2de9.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un410603.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un410603.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9263.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9263.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3536 -ip 3536 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 1088 |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3859.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3859.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un410603.exe
| MD5 | eb56be36d5371b3e8f1ad8070e0725e6 |
| SHA1 | 1d954ba7057a19720cbb7ca38d24007678908cc3 |
| SHA256 | f223546304069b6db43f0af332fb9d56d7d7c0b9f7fd7f68f36352496a4b9d49 |
| SHA512 | 8d143260e2353d05af11753a67ce548ff0a501f9b35a78b520d52b40ee89c338c2ff88c0c7e43ae3d30ac87fee6481cce558b0d386ac2d33e3de54c47171794d |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9263.exe
| MD5 | acc1f25568449d3da663b7c6d8325763 |
| SHA1 | 0018401c622e92cff8da6aa584323db83e101619 |
| SHA256 | 01d191cd6485cf846e8cfca373748a3c2de815022806dbe6c3b173ec77be8158 |
| SHA512 | e4c376f297e88e2f8f2c7c7e71d6a0eaf701bb301e062de3cee4c235e7ca2ebe546244df3deb13074d9e5bb154a58cf341ad556e02f02b8d7ec005c44b75ae97 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3859.exe
| MD5 | 712c01aec82c89fba53f3c6adca700d2 |
| SHA1 | ec567bf25082862d543ac1a6bec27a6f07444ba1 |
| SHA256 | 47876ffd0708e0411dd3beff7af5c9c6475c61d378972d9d4ac95db941251e3e |
| SHA512 | 3e3df8c11b8fe1d78c20a50b309312522f5dbdc4cf247c448598c1866c2139fddfbb11032e0a51d06cacea68fb4ad66a586b851f6b34a0be748b8c7ea68d55d0 |