Analysis Overview
SHA256
14e1301d16e60f7c7a71e6d5a064f62baf14da25447af4801ef5b1b2f93b0f65
Threat Level: Known bad
The file 14e1301d16e60f7c7a71e6d5a064f62baf14da25447af4801ef5b1b2f93b0f65 was found to be: Known bad.
Malicious Activity Summary
Redline family
Healer family
RedLine payload
RedLine
Healer
Detects Healer an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
Windows security modification
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Program crash
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 00:51
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 00:51
Reported
2024-11-10 00:54
Platform
win10v2004-20241007-en
Max time kernel
142s
Max time network
149s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr451791.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr451791.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr451791.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr451791.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr451791.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr451791.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un417053.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr451791.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu520450.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr451791.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr451791.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\14e1301d16e60f7c7a71e6d5a064f62baf14da25447af4801ef5b1b2f93b0f65.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un417053.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr451791.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\14e1301d16e60f7c7a71e6d5a064f62baf14da25447af4801ef5b1b2f93b0f65.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un417053.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr451791.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu520450.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr451791.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr451791.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr451791.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu520450.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\14e1301d16e60f7c7a71e6d5a064f62baf14da25447af4801ef5b1b2f93b0f65.exe
"C:\Users\Admin\AppData\Local\Temp\14e1301d16e60f7c7a71e6d5a064f62baf14da25447af4801ef5b1b2f93b0f65.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un417053.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un417053.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr451791.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr451791.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4464 -ip 4464
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 1084
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu520450.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu520450.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.161.248.142:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| RU | 185.161.248.142:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| RU | 185.161.248.142:38452 | N/A | tcp |
| RU | 185.161.248.142:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| RU | 185.161.248.142:38452 | N/A | tcp |
| RU | 185.161.248.142:38452 | N/A | tcp |
| RU | 185.161.248.142:38452 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un417053.exe
| MD5 | 020d6fd5b61a106381825fa475443248 |
| SHA1 | dfcd18bf71413dbc92a0a0fc613b0c3e669c8541 |
| SHA256 | 03d139af50212ba23b2a4efd54732ab55ab02ea06dc821aa1caea07c7206490a |
| SHA512 | 809d8e89628a01360a4166c396d826383fe0b0995c2e88d621027dcc55327f9058ad0bc88e096d346d87233e911485dadbe3033204e23d2ad452b574a51cac9a |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr451791.exe
| MD5 | 10e4c3432efaf08c0d45d6d557145dfc |
| SHA1 | 2a833d82019e8b0ff25338c1df0cf5c72148db2a |
| SHA256 | 8aa209302f8c3e72d527177ff4b58100767e7018c960bc0d844611f13c71b162 |
| SHA512 | 30a2951bb45bb880a5d2a15ad9b6e172d7880a54d561f69f0a7f72a906282a71881e5f8c4f0b3db1f261f086ca9b4c7313cf36e84527e4a604535b3bc88b83e4 |
memory/4464-15-0x0000000002D00000-0x0000000002E00000-memory.dmp
memory/4464-16-0x0000000002BB0000-0x0000000002BDD000-memory.dmp
memory/4464-17-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4464-18-0x0000000004800000-0x000000000481A000-memory.dmp
memory/4464-19-0x0000000007540000-0x0000000007AE4000-memory.dmp
memory/4464-20-0x00000000048E0000-0x00000000048F8000-memory.dmp
memory/4464-32-0x00000000048E0000-0x00000000048F2000-memory.dmp
memory/4464-48-0x00000000048E0000-0x00000000048F2000-memory.dmp
memory/4464-46-0x00000000048E0000-0x00000000048F2000-memory.dmp
memory/4464-44-0x00000000048E0000-0x00000000048F2000-memory.dmp
memory/4464-42-0x00000000048E0000-0x00000000048F2000-memory.dmp
memory/4464-40-0x00000000048E0000-0x00000000048F2000-memory.dmp
memory/4464-38-0x00000000048E0000-0x00000000048F2000-memory.dmp
memory/4464-37-0x00000000048E0000-0x00000000048F2000-memory.dmp
memory/4464-34-0x00000000048E0000-0x00000000048F2000-memory.dmp
memory/4464-30-0x00000000048E0000-0x00000000048F2000-memory.dmp
memory/4464-28-0x00000000048E0000-0x00000000048F2000-memory.dmp
memory/4464-26-0x00000000048E0000-0x00000000048F2000-memory.dmp
memory/4464-24-0x00000000048E0000-0x00000000048F2000-memory.dmp
memory/4464-22-0x00000000048E0000-0x00000000048F2000-memory.dmp
memory/4464-21-0x00000000048E0000-0x00000000048F2000-memory.dmp
memory/4464-49-0x0000000002D00000-0x0000000002E00000-memory.dmp
memory/4464-51-0x0000000002BB0000-0x0000000002BDD000-memory.dmp
memory/4464-50-0x0000000000400000-0x0000000002BAF000-memory.dmp
memory/4464-52-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4464-55-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu520450.exe
| MD5 | 4bfb46ed0b4719461401d9f022823588 |
| SHA1 | 5922f8e111fe3c94533bd6b19ba31a26af0412c6 |
| SHA256 | 0630c9484d34c621bcd1e5e96a8acb099dba138bee7da681c708877d2e71727a |
| SHA512 | 2b9f03dfdb5ee7a1a46192d40bc369deac05efa6ca76effee5cc625fa5db23871ead4e5f1df84e46651dfa0aeb50cdaeec5d1d7aa505e378094a2cbb1e748cf0 |
memory/4464-54-0x0000000000400000-0x0000000002BAF000-memory.dmp
memory/3268-60-0x0000000004970000-0x00000000049AC000-memory.dmp
memory/3268-61-0x0000000004A10000-0x0000000004A4A000-memory.dmp
memory/3268-73-0x0000000004A10000-0x0000000004A45000-memory.dmp
memory/3268-77-0x0000000004A10000-0x0000000004A45000-memory.dmp
memory/3268-93-0x0000000004A10000-0x0000000004A45000-memory.dmp
memory/3268-91-0x0000000004A10000-0x0000000004A45000-memory.dmp
memory/3268-89-0x0000000004A10000-0x0000000004A45000-memory.dmp
memory/3268-87-0x0000000004A10000-0x0000000004A45000-memory.dmp
memory/3268-85-0x0000000004A10000-0x0000000004A45000-memory.dmp
memory/3268-83-0x0000000004A10000-0x0000000004A45000-memory.dmp
memory/3268-81-0x0000000004A10000-0x0000000004A45000-memory.dmp
memory/3268-79-0x0000000004A10000-0x0000000004A45000-memory.dmp
memory/3268-75-0x0000000004A10000-0x0000000004A45000-memory.dmp
memory/3268-71-0x0000000004A10000-0x0000000004A45000-memory.dmp
memory/3268-69-0x0000000004A10000-0x0000000004A45000-memory.dmp
memory/3268-67-0x0000000004A10000-0x0000000004A45000-memory.dmp
memory/3268-95-0x0000000004A10000-0x0000000004A45000-memory.dmp
memory/3268-65-0x0000000004A10000-0x0000000004A45000-memory.dmp
memory/3268-63-0x0000000004A10000-0x0000000004A45000-memory.dmp
memory/3268-62-0x0000000004A10000-0x0000000004A45000-memory.dmp
memory/3268-855-0x0000000004D90000-0x0000000004DA2000-memory.dmp
memory/3268-854-0x0000000009F80000-0x000000000A598000-memory.dmp
memory/3268-856-0x000000000A5A0000-0x000000000A6AA000-memory.dmp
memory/3268-857-0x0000000004DB0000-0x0000000004DEC000-memory.dmp
memory/3268-858-0x0000000002FF0000-0x000000000303C000-memory.dmp