Analysis Overview
SHA256
3e5e80faa6b50bcf6cec47abb50d2bd5b32e0a4f90ff12c4a429b46b7928caf6
Threat Level: Known bad
Malicious Activity Summary
Families: Healer, RedLine
Signatures:
Detects Healer an antivirus disabler dropper
RedLine payload
Modifies Windows Defender Real-time Protection settings
Windows security modification
Executes dropped EXE
Adds Run key to start application
Program crash
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 00:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 00:58
Reported
2024-11-10 01:00
Platform
win10v2004-20241007-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
17 matches recorded; no description, indicator, process or target was captured for any of them.
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2932.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2932.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2932.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2932.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2932.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2932.exe | N/A |
RedLine
RedLine payload
20 matches recorded; no description, indicator, process or target was captured for any of them.
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un107615.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2932.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3234.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2932.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2932.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\3e5e80faa6b50bcf6cec47abb50d2bd5b32e0a4f90ff12c4a429b46b7928caf6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un107615.exe | N/A |
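Three points about the registry tables above are worth separating out. The five Real-Time Protection policy values and TamperProtection = 0 are written by pro2932.exe, the Healer component; a sandbox records the write attempt, not whether Defender honoured it, and on a host with Tamper Protection enabled these keys are protected, so a matching event on a real endpoint needs a follow-up check of both the 64-bit and the WOW6432Node views of the key. The two RunOnce values, despite the signature name "Adds Run key to start application", are the standard cleanup entries that a wextract/IExpress self-extracting package registers so that rundll32.exe advpack.dll,DelNodeRunDLL32 deletes its IXP00n.TMP directory at the next logon; they explain the IXP000.TMP/IXP001.TMP nesting (a two-stage IExpress package) but are not a payload autostart. The following Python is an added example, not code from the report or from the Triage platform: it runs the same three checks over constructed Sysmon-style Event ID 13 (value set) records built from the indicators above, normalises the WOW6432Node prefix, flags the Defender writes as ATT&CK T1562.001, and classifies RunOnce entries so that the wextract cleanup command is reported as informational while a real autostart (the "Updater" record is a hypothetical contrast case, not in the report) is flagged as T1547.001. The event dictionary layout and the verdict labels are assumptions.

```python
import re

# Constructed Sysmon-style Event ID 13 (RegistryEvent: value set) records, built from the
# indicators in this report. They are sample input for the example, not a real log export.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\3e5e80faa6b50bcf6cec47abb50d2bd5b32e0a4f90ff12c4a429b46b7928caf6.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2932.exe"
EVENTS = [
    {"Image": DROPPER,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"Image": DROPPER,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"Image": DROPPER,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection",
     "Details": "DWORD (0x00000000)"},
    {"Image": SAMPLE,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     "Details": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'},
    # Hypothetical contrast case (not in the report): a RunOnce value that would start a binary.
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3234.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Updater",
     "Details": r'"C:\Users\Admin\AppData\Roaming\updater.exe"'},
]

# Real-Time Protection policy values Healer sets to 1 (each switches one Defender feature off).
RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring", "DisableBehaviorMonitoring", "DisableIOAVProtection",
    "DisableOnAccessProtection", "DisableScanOnRealtimeEnable",
}
RTP_KEY = r"\policies\microsoft\windows defender\real-time protection"
FEATURES_KEY = r"\microsoft\windows defender\features"
AUTOSTART_KEYS = (r"\currentversion\run", r"\currentversion\runonce")

# wextract (IExpress) registers exactly this command to delete its IXP00n.TMP directory at
# next logon; it is package cleanup, not a payload autostart.
WEXTRACT_CLEANUP = re.compile(
    r'^rundll32\.exe\s+C:\\Windows\\system32\\advpack\.dll,DelNodeRunDLL32\s+"[^"]*\\IXP\d{3}\.TMP\\"$',
    re.IGNORECASE)


def normalize_key(path):
    """Drop the WOW6432Node view so 32-bit and 64-bit writes to the same key compare equal."""
    return re.sub(r"\\WOW6432Node(?=\\)", "", path, flags=re.IGNORECASE)


def dword(details):
    """Parse Sysmon's 'DWORD (0x00000001)' rendering; None for non-DWORD data."""
    m = re.fullmatch(r"DWORD \(0x([0-9A-Fa-f]{8})\)", details.strip())
    return int(m.group(1), 16) if m else None


def classify(event):
    """Return (technique, verdict) for a registry value-set event, or None if uninteresting."""
    parent, _, value = normalize_key(event["TargetObject"]).rpartition("\\")
    key = parent.lower()
    data = event["Details"]
    if key.endswith(RTP_KEY) and value in RTP_DISABLE_VALUES and dword(data) == 1:
        return "T1562.001", "Defender real-time protection feature disabled by policy: " + value
    if key.endswith(FEATURES_KEY) and value == "TamperProtection" and dword(data) == 0:
        return "T1562.001", "Defender Tamper Protection set to 0 in registry"
    if key.endswith(AUTOSTART_KEYS):
        if value.lower().startswith("wextract_cleanup") and WEXTRACT_CLEANUP.match(data):
            return "info", "wextract/IExpress cleanup entry (deletes temp dir at next logon)"
        return "T1547.001", "Run/RunOnce autostart " + value + " -> " + data
    return None


def triage(events):
    """(image base name, technique, verdict) for every event that classify() flags."""
    findings = []
    for event in events:
        verdict = classify(event)
        if verdict:
            findings.append((event["Image"].rpartition("\\")[2],) + verdict)
    return findings


if __name__ == "__main__":
    for image, technique, verdict in triage(EVENTS):
        print(f"{technique:10} {image:12} {verdict}")
```

On a real host the same logic applies to Sysmon's TargetObject/Details fields directly; the value-set event alone does not prove the policy took effect, so pair a T1562.001 hit with a Defender status query before declaring protection disabled.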
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2932.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2932.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3234.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3e5e80faa6b50bcf6cec47abb50d2bd5b32e0a4f90ff12c4a429b46b7928caf6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un107615.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2932.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2932.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2932.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3234.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\3e5e80faa6b50bcf6cec47abb50d2bd5b32e0a4f90ff12c4a429b46b7928caf6.exe | "C:\Users\Admin\AppData\Local\Temp\3e5e80faa6b50bcf6cec47abb50d2bd5b32e0a4f90ff12c4a429b46b7928caf6.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un107615.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un107615.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2932.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2932.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5008 -ip 5008 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 1080 |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3234.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3234.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| RU | 176.113.115.145:4125 | N/A | tcp |
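The network log contains two different kinds of row: nine reverse-DNS (in-addr.arpa) queries sent to the resolver at 8.8.8.8, and six TCP connections to 176.113.115.145:4125, the only host the detonation contacts directly. The report does not attribute the connection to a process, so it is consistent with, but not proof of, the RedLine tag. The reverse lookups name addresses in their octet-reversed form and, when the looked-up address is never actually connected to, are usually OS or sandbox background rather than sample activity, so they should not be promoted to indicators without that check. The Python below is an added example and not part of the report: it parses the table rows as transcribed here, decodes each PTR name back to the address being looked up, separates those from direct connections, counts the connections per destination and defangs the result. The row tuple layout and the output keys are assumptions made for the example.

```python
import ipaddress
from collections import Counter

# Rows transcribed from this report's Network table as (country, destination, domain, proto);
# the tcp rows carry no domain. Constructed for the example, not a live capture.
ROWS = [
    ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "13.86.106.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "83.210.23.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "68.159.190.20.in-addr.arpa", "udp"),
    ("RU", "176.113.115.145:4125", "", "tcp"),
    ("US", "8.8.8.8:53", "15.164.165.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "56.163.245.4.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "240.221.184.93.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "232.168.11.51.in-addr.arpa", "udp"),
    ("RU", "176.113.115.145:4125", "", "tcp"),
    ("RU", "176.113.115.145:4125", "", "tcp"),
    ("US", "8.8.8.8:53", "172.210.232.199.in-addr.arpa", "udp"),
    ("RU", "176.113.115.145:4125", "", "tcp"),
    ("RU", "176.113.115.145:4125", "", "tcp"),
    ("RU", "176.113.115.145:4125", "", "tcp"),
]

PTR_SUFFIX = ".in-addr.arpa"


def ptr_to_ip(name):
    """Decode a reverse-DNS query name: '13.86.106.20.in-addr.arpa' -> '20.106.86.13'."""
    name = name.lower()
    if not name.endswith(PTR_SUFFIX):
        return None
    labels = name[: -len(PTR_SUFFIX)].split(".")
    if len(labels) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    except ipaddress.AddressValueError:
        return None


def defang(ip):
    """Render an address so it cannot be clicked or auto-resolved in a report."""
    return ip.replace(".", "[.]")


def summarize(rows):
    """Split resolver-bound PTR lookups from direct connections; count the latter."""
    looked_up = set()
    connections = Counter()
    for country, destination, domain, proto in rows:
        host, _, port = destination.rpartition(":")
        if proto == "udp" and port == "53" and domain.endswith(PTR_SUFFIX):
            ip = ptr_to_ip(domain)
            if ip:
                looked_up.add(ip)
        elif proto == "tcp":
            connections[(host, int(port), country)] += 1
    # Only hosts the sample actually connected to become indicator candidates.
    iocs = [{"ip": h, "port": p, "country": c, "count": n}
            for (h, p, c), n in connections.items()]
    contacted = {i["ip"] for i in iocs}
    return {
        "iocs": iocs,
        "ptr_lookups": sorted(looked_up, key=ipaddress.IPv4Address),
        "ptr_without_connection": sorted(looked_up - contacted, key=ipaddress.IPv4Address),
    }


if __name__ == "__main__":
    summary = summarize(ROWS)
    for ioc in summary["iocs"]:
        print(f"connect {defang(ioc['ip'])}:{ioc['port']} ({ioc['country']}) x{ioc['count']}")
    print("looked up but never contacted:", ", ".join(map(defang, summary["ptr_without_connection"])))
```

Every decoded PTR target lands in the "looked up but never contacted" set for this detonation, which is the signal that those nine addresses are background noise, while 176.113.115.145:4125 stands alone as the connection worth blocking and hunting for.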
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un107615.exe
| MD5 | 3c6870a8ae11e65b2dc8ef71f2e2c0ac |
| SHA1 | 02cee9077b44ebc8cdbb49cf67fab762459f5578 |
| SHA256 | 598603509aa88eaccebcb4ecb906dbdcdac272e77d9b82e40a0f32dade03b61c |
| SHA512 | 253a4b8cdb94978e54f149eefc6b359e0f73d7b46b38c3b9369db6fb41f028dd7198afeaac5719e42b3e1bb82175b6ed65a290755bf205e7d80c5b74070b1f3f |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2932.exe
| MD5 | e7b73dee8f8f440b73bc16b4a429aaf6 |
| SHA1 | b23b7c70d0bd5c09fe2ea338424537b6ef0ab4ea |
| SHA256 | ecd21b5ede638a357976872f557dedcbaea3e22202caa285d77fae855c26be5b |
| SHA512 | d26f6cc8c6cab368a9775571e220026d91ee5c66b4230ecbf1a881110c0017f1c4a3516d08462e16642f9384fe57adfb3d970f96c7074376a704813cfef5e19d |
memory/5008-16-0x0000000000400000-0x0000000000430000-memory.dmp
memory/5008-15-0x0000000002E50000-0x0000000002F50000-memory.dmp
memory/5008-17-0x0000000004AE0000-0x0000000004AFA000-memory.dmp
memory/5008-18-0x0000000007130000-0x00000000076D4000-memory.dmp
memory/5008-19-0x0000000004CB0000-0x0000000004CC8000-memory.dmp
memory/5008-20-0x0000000000400000-0x0000000002B7E000-memory.dmp
memory/5008-42-0x0000000004CB0000-0x0000000004CC2000-memory.dmp
memory/5008-46-0x0000000004CB0000-0x0000000004CC2000-memory.dmp
memory/5008-44-0x0000000004CB0000-0x0000000004CC2000-memory.dmp
memory/5008-40-0x0000000004CB0000-0x0000000004CC2000-memory.dmp
memory/5008-48-0x0000000004CB0000-0x0000000004CC2000-memory.dmp
memory/5008-38-0x0000000004CB0000-0x0000000004CC2000-memory.dmp
memory/5008-36-0x0000000004CB0000-0x0000000004CC2000-memory.dmp
memory/5008-34-0x0000000004CB0000-0x0000000004CC2000-memory.dmp
memory/5008-32-0x0000000004CB0000-0x0000000004CC2000-memory.dmp
memory/5008-30-0x0000000004CB0000-0x0000000004CC2000-memory.dmp
memory/5008-29-0x0000000004CB0000-0x0000000004CC2000-memory.dmp
memory/5008-26-0x0000000004CB0000-0x0000000004CC2000-memory.dmp
memory/5008-24-0x0000000004CB0000-0x0000000004CC2000-memory.dmp
memory/5008-22-0x0000000004CB0000-0x0000000004CC2000-memory.dmp
memory/5008-21-0x0000000004CB0000-0x0000000004CC2000-memory.dmp
memory/5008-49-0x0000000002E50000-0x0000000002F50000-memory.dmp
memory/5008-50-0x0000000000400000-0x0000000000430000-memory.dmp
memory/5008-51-0x0000000000400000-0x0000000002B7E000-memory.dmp
memory/5008-53-0x0000000000400000-0x0000000002B7E000-memory.dmp
memory/5008-54-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3234.exe
| MD5 | e46362b503aabdd187624f53b0e561af |
| SHA1 | 315d07435b43e35bdbc0a5a4cd8ce38c14ecaab0 |
| SHA256 | 3b4c3645575673a7a49baabfd818e833a1bbe58a5fdc3424f869f6b263a2dc6e |
| SHA512 | d4758a01a5a18915cf4dd855f9acd5cb06b214658a87ab90dc7b002eef72c29a80a678fc469e1f145c62e9b0f353c3a543416fafd6d4288488b68d4398b99ead |
memory/1560-60-0x0000000004C70000-0x0000000004CB4000-memory.dmp
memory/1560-59-0x0000000004860000-0x00000000048A6000-memory.dmp
memory/1560-61-0x0000000004C70000-0x0000000004CAF000-memory.dmp
memory/1560-92-0x0000000004C70000-0x0000000004CAF000-memory.dmp
memory/1560-70-0x0000000004C70000-0x0000000004CAF000-memory.dmp
memory/1560-62-0x0000000004C70000-0x0000000004CAF000-memory.dmp
memory/1560-94-0x0000000004C70000-0x0000000004CAF000-memory.dmp
memory/1560-90-0x0000000004C70000-0x0000000004CAF000-memory.dmp
memory/1560-88-0x0000000004C70000-0x0000000004CAF000-memory.dmp
memory/1560-86-0x0000000004C70000-0x0000000004CAF000-memory.dmp
memory/1560-84-0x0000000004C70000-0x0000000004CAF000-memory.dmp
memory/1560-82-0x0000000004C70000-0x0000000004CAF000-memory.dmp
memory/1560-80-0x0000000004C70000-0x0000000004CAF000-memory.dmp
memory/1560-78-0x0000000004C70000-0x0000000004CAF000-memory.dmp
memory/1560-76-0x0000000004C70000-0x0000000004CAF000-memory.dmp
memory/1560-74-0x0000000004C70000-0x0000000004CAF000-memory.dmp
memory/1560-72-0x0000000004C70000-0x0000000004CAF000-memory.dmp
memory/1560-68-0x0000000004C70000-0x0000000004CAF000-memory.dmp
memory/1560-66-0x0000000004C70000-0x0000000004CAF000-memory.dmp
memory/1560-64-0x0000000004C70000-0x0000000004CAF000-memory.dmp
memory/1560-967-0x0000000007900000-0x0000000007F18000-memory.dmp
memory/1560-968-0x0000000007F20000-0x000000000802A000-memory.dmp
memory/1560-969-0x00000000072A0000-0x00000000072B2000-memory.dmp
memory/1560-970-0x00000000072C0000-0x00000000072FC000-memory.dmp
memory/1560-971-0x0000000008130000-0x000000000817C000-memory.dmp