Analysis Overview
SHA256
9fd4094014c87896b17d25156683597a8503c7feafebda449c0c2ea57f490436
Threat Level: Known bad
The file 9fd4094014c87896b17d25156683597a8503c7feafebda449c0c2ea57f490436 was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
Redline family
Healer
Healer family
Detects Healer, an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
Windows security modification
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Program crash
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:36
Reported
2024-11-10 01:39
Platform
win10v2004-20241007-en
Max time kernel
144s
Max time network
150s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4983.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4983.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4983.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4983.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4983.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4983.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un616120.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4983.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3540.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4983.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4983.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\9fd4094014c87896b17d25156683597a8503c7feafebda449c0c2ea57f490436.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un616120.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4983.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4983.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3540.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9fd4094014c87896b17d25156683597a8503c7feafebda449c0c2ea57f490436.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un616120.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4983.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4983.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3540.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\9fd4094014c87896b17d25156683597a8503c7feafebda449c0c2ea57f490436.exe | "C:\Users\Admin\AppData\Local\Temp\9fd4094014c87896b17d25156683597a8503c7feafebda449c0c2ea57f490436.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un616120.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un616120.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4983.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4983.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3956 -ip 3956 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 1100 |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3540.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3540.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| RU | 176.113.115.145:4125 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un616120.exe
| MD5 | f52878111495446cd3739055bec431db |
| SHA1 | 0e893427d0f326eee63577e96bdeaf8f5e581d51 |
| SHA256 | 6fa9dc71fa775c020be04c1a8467c732b5deaf844cb21be47862587611033cfd |
| SHA512 | a93c8001b7ea4c9189b08a69c1cf6eb22a3e0feba35dc6f780c59b4918724215c4d6ac265a93cfe1ca0965219fac9cb9497d7a8d76a552c4c94c5fd6885926f7 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4983.exe
| MD5 | aa683200a1a4c65a2db45e97acf09225 |
| SHA1 | 5a8d9cc85048c0e288687884acd5dd5599d40ab5 |
| SHA256 | e204ae43d82f5fd92e00d8b44b236a3736c1bbef2a798827f8faed3c39793848 |
| SHA512 | f6a729c6d30f3dbb9f47f4c6f5949c3709051ba0e7f7848dbe6dd5997dd0bf021c1f20cae38af6c243294c18aaef04b485120779d6703bc20c229d221d7281fd |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3540.exe
| MD5 | ff219696ba124a32720b3b7500c480f1 |
| SHA1 | 5cda1e0781e9da860218436a67426c68742a8c79 |
| SHA256 | 8d040dbf2ec8b7d4b1f8f2dd29faed3d4544d74b0bab881215ff0a31f080fee2 |
| SHA512 | 24644e907a40a913ac0ba32fc2832fc5a2fabbf1cb5f706dee14cbafc0bd2c73397fc3ad2f90d7435552de7b9ba0a2645ef260d8f6575f35e1f5605f06efd4cc |