Analysis Overview
SHA256
20a054954b7377d9e5aa7fb07810fdaa3411ecbf9cd55a109a3f39e3b83c2028
Threat Level: Known bad
The file 20a054954b7377d9e5aa7fb07810fdaa3411ecbf9cd55a109a3f39e3b83c2028 was found to be: Known bad.
Malicious Activity Summary
RedLine payload
Detects Healer, an antivirus disabler dropper
RedLine
Redline family
Modifies Windows Defender Real-time Protection settings
Healer family
Healer
Windows security modification
Executes dropped EXE
Adds Run key to start application
Program crash
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 03:39
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 03:39
Reported
2024-11-10 03:42
Platform
win10v2004-20241007-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0056.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0056.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0056.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0056.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0056.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0056.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un336197.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0056.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1012.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0056.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0056.exe | N/A |
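The two tables above (the Real-Time Protection policy values and the TamperProtection write) are the most actionable part of this report: a detection that fires on these exact registry writes catches Healer-style disablers before the RedLine payload runs. The script below is an added example, not part of the sandbox report or of any vendor tooling. It evaluates registry value-set events against those indicators; the event dicts are constructed from the rows above in a shape resembling Sysmon Event ID 13, and the field names `image`, `target` and `data` are an assumed schema rather than a particular SIEM's fields.

```python
"""Detect the Defender-disabling registry writes recorded for pro0056.exe.

Added example; it is not part of the sandbox report or of any vendor tooling.
The event dicts below are constructed to mimic Sysmon Event ID 13
(RegistryEvent, value set); the keys 'image', 'target' and 'data' are an
assumed schema, not a particular SIEM's fields.
"""
import re

# Real-time Protection policy values the sample set to 1 (each disables a feature).
RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableScanOnRealtimeEnable",
}

RTP_POLICY_KEY = r"hklm\software\policies\microsoft\windows defender\real-time protection"
FEATURES_KEY = r"hklm\software\microsoft\windows defender\features"


def normalize_key(path: str) -> str:
    """Canonicalise a registry path so one rule covers every spelling of it.

    The sandbox logs the native '\\REGISTRY\\MACHINE\\...' form and the
    WOW6432Node view a 32-bit process sees on 64-bit Windows; Sysmon and most
    SIEMs log 'HKLM\\...'. All are folded to the HKLM form without WOW6432Node.
    """
    path = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path, flags=re.IGNORECASE)
    path = re.sub(r"^HKEY_LOCAL_MACHINE\\", r"HKLM\\", path, flags=re.IGNORECASE)
    path = re.sub(r"\\WOW6432Node\\", r"\\", path, flags=re.IGNORECASE)
    return path


def classify_registry_write(event: dict):
    """Return a finding label for a Defender-tampering write, or None."""
    key, _, value_name = normalize_key(event["target"]).rpartition("\\")
    data = str(event.get("data", "")).strip('"')
    key = key.lower()
    if key == RTP_POLICY_KEY and value_name in RTP_DISABLE_VALUES and data == "1":
        return f"defender_rtp_disabled:{value_name}"
    if key == FEATURES_KEY and value_name.lower() == "tamperprotection" and data == "0":
        # Tamper Protection may reject this write; the attempt is still the signal.
        return "defender_tamper_protection_off_attempt"
    return None


def scan_events(events):
    """Return sorted, de-duplicated (image, finding) pairs for matching events."""
    hits = set()
    for ev in events:
        finding = classify_registry_write(ev)
        if finding:
            hits.add((ev["image"], finding))
    return sorted(hits)


# Constructed events: the six writes the report attributes to pro0056.exe plus
# two non-matching writes (a re-enable and an unrelated value name) as controls.
PRO0056 = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0056.exe"
RTP_NATIVE_KEY = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
SAMPLE_EVENTS = [
    {"image": PRO0056, "target": RTP_NATIVE_KEY + r"\DisableIOAVProtection", "data": "1"},
    {"image": PRO0056, "target": RTP_NATIVE_KEY + r"\DisableOnAccessProtection", "data": "1"},
    {"image": PRO0056, "target": RTP_NATIVE_KEY + r"\DisableRealtimeMonitoring", "data": "1"},
    {"image": PRO0056, "target": RTP_NATIVE_KEY + r"\DisableScanOnRealtimeEnable", "data": "1"},
    {"image": PRO0056, "target": RTP_NATIVE_KEY + r"\DisableBehaviorMonitoring", "data": "1"},
    {"image": PRO0056,
     "target": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection",
     "data": "0"},
    # Control: same value written back to 0 (re-enabling) by a system process.
    {"image": r"C:\Windows\System32\svchost.exe",
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "data": "0"},
    # Control: a value name the rule does not cover.
    {"image": PRO0056, "target": RTP_NATIVE_KEY + r"\LocalSettingOverrideDisableRealtimeMonitoring", "data": "1"},
]

if __name__ == "__main__":
    for image, finding in scan_events(SAMPLE_EVENTS):
        print(f"{finding:48} {image}")
```

Folding away WOW6432Node matters here: pro0056.exe is a 32-bit process (note the SysWOW64 WerFault.exe that handles its crash), so its writes land under the WOW6432Node view while an equivalent 64-bit disabler would write the unredirected path. One rule over the normalised key covers both.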
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\20a054954b7377d9e5aa7fb07810fdaa3411ecbf9cd55a109a3f39e3b83c2028.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un336197.exe | N/A |
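Both RunOnce values above are the self-cleanup entries that the Windows self-extractor (wextract, the engine behind IExpress packages) registers so that `advpack.dll,DelNodeRunDLL32` deletes its IXP00n.TMP directory at the next logon. They are what triggers the "Adds Run key to start application" signature, but they are evidence of packaging, not of payload persistence: the top-level sample unpacked IXP000.TMP, and un336197.exe inside it unpacked IXP001.TMP, which holds pro0056.exe and qu1012.exe. The script below is an added example, not part of the sandbox report, that separates such cleanup entries from genuine autostart values and reconstructs the extraction chain from them. The first two rows are taken from the table above; the third is a constructed control with a hypothetical path, and the field names are an assumed schema.

```python
"""Separate wextract self-cleanup RunOnce entries from real autostart values.

Added example, not part of the sandbox report. The two cleanup rows are taken
from the 'Adds Run key to start application' table; the 'Updater' row is a
constructed control with a hypothetical path. Field names are an assumed schema.
"""
import re

# rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "<temp dir>"
CLEANUP_RE = re.compile(
    r'^rundll32\.exe\s+C:\\Windows\\system32\\advpack\.dll,DelNodeRunDLL32\s+"(?P<dir>[^"]+)"\s*$',
    re.IGNORECASE,
)
NAME_RE = re.compile(r"^wextract_cleanup(?P<n>\d+)$", re.IGNORECASE)

SAMPLE_HASH = "20a054954b7377d9e5aa7fb07810fdaa3411ecbf9cd55a109a3f39e3b83c2028"
RUNONCE_EVENTS = [
    {"value": "wextract_cleanup0",
     "data": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"',
     "image": rf"C:\Users\Admin\AppData\Local\Temp\{SAMPLE_HASH}.exe"},
    {"value": "wextract_cleanup1",
     "data": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"',
     "image": r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un336197.exe"},
    # Constructed control: what a real persistence entry would look like.
    {"value": "Updater",
     "data": r'"C:\Users\Admin\AppData\Roaming\svc\updater.exe"',
     "image": r"C:\Users\Admin\AppData\Roaming\svc\updater.exe"},
]


def classify_runonce(event: dict):
    """Return ('wextract_cleanup', temp_dir, index) for an extractor cleanup
    entry, or ('autostart', command, None) for anything else."""
    m_name = NAME_RE.match(event["value"])
    m_data = CLEANUP_RE.match(event["data"])
    if m_name and m_data:
        return ("wextract_cleanup", m_data["dir"].rstrip("\\"), int(m_name["n"]))
    return ("autostart", event["data"], None)


def extraction_chain(events):
    """Order the cleanup entries by index. Each (index, extractor image, temp dir)
    tuple says which process unpacked which IXP00n.TMP layer."""
    chain = []
    for ev in events:
        kind, path, n = classify_runonce(ev)
        if kind == "wextract_cleanup":
            chain.append((n, ev["image"], path))
    return sorted(chain)


def autostart_entries(events):
    """The RunOnce values that are not extractor cleanup, i.e. worth a second look."""
    return [ev["value"] for ev in events if classify_runonce(ev)[0] == "autostart"]


if __name__ == "__main__":
    for n, image, temp_dir in extraction_chain(RUNONCE_EVENTS):
        print(f"layer {n}: {image} unpacked {temp_dir}")
    print("non-cleanup RunOnce values:", autostart_entries(RUNONCE_EVENTS))
```

The practical consequence: the RedLine payload in this detonation showed no Run/RunOnce persistence of its own within the 145 s window, so a hunt on this sample should key on the dropped file hashes and the network peer rather than on autostart entries.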
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0056.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\20a054954b7377d9e5aa7fb07810fdaa3411ecbf9cd55a109a3f39e3b83c2028.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un336197.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0056.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1012.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0056.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0056.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0056.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1012.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\20a054954b7377d9e5aa7fb07810fdaa3411ecbf9cd55a109a3f39e3b83c2028.exe
"C:\Users\Admin\AppData\Local\Temp\20a054954b7377d9e5aa7fb07810fdaa3411ecbf9cd55a109a3f39e3b83c2028.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un336197.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un336197.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0056.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0056.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3740 -ip 3740
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 1080
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1012.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1012.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| RU | 176.113.115.145:4125 | | tcp |
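Most rows in the Network table are PTR queries (`d.c.b.a.in-addr.arpa`) to the sandbox's resolver; they show that something on the host looked up the owner of an address, not that the sample contacted it, and such lookups are routine Windows background activity. The one destination that matters is the repeated raw TCP connection to 176.113.115.145:4125. The script below is an added example, not part of the sandbox report: it re-types the table so it runs offline, drops the resolver noise, and counts the direct peers worth hunting on. The `NetRow` field names are an assumed parsing of the table's columns.

```python
"""Triage the report's Network table: resolver noise versus hunt-worthy peers.

Added example, not part of the sandbox report. NETWORK_TABLE is the table
above, re-typed here so the script runs offline; the NetRow field names are an
assumed parsing of its columns.
"""
from collections import Counter
from dataclasses import dataclass

NETWORK_TABLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| RU | 176.113.115.145:4125 | | tcp |
"""


@dataclass(frozen=True)
class NetRow:
    country: str
    destination: str  # "ip:port"
    domain: str       # name queried; empty for raw TCP flows
    proto: str


def parse_table(text: str) -> list:
    """Parse pipe-delimited rows into NetRow objects, skipping the header."""
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        rows.append(NetRow(*cells))
    return rows


def is_reverse_lookup(row: NetRow) -> bool:
    """True for a PTR query sent to a resolver on UDP/53.

    Such a row records that the host asked who owns an address; it is not
    evidence that the sample itself exchanged traffic with that address.
    """
    return (row.proto == "udp" and row.destination.endswith(":53")
            and row.domain.lower().endswith(".in-addr.arpa"))


def ptr_target(domain: str) -> str:
    """Recover the address behind a PTR name: 154.239.44.20.in-addr.arpa -> 20.44.239.154."""
    octets = domain[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def triage(rows):
    """Return (peers, looked_up): a Counter of direct connections keyed by
    (destination, proto, country), and the sorted addresses seen only in PTR lookups."""
    peers = Counter()
    looked_up = set()
    for row in rows:
        if is_reverse_lookup(row):
            looked_up.add(ptr_target(row.domain))
        else:
            peers[(row.destination, row.proto, row.country)] += 1
    return peers, sorted(looked_up)


if __name__ == "__main__":
    peers, looked_up = triage(parse_table(NETWORK_TABLE))
    for (dest, proto, cc), n in peers.most_common():
        print(f"hunt: {dest}/{proto} ({cc}) seen {n}x")
    print("addresses only seen in PTR lookups:", ", ".join(looked_up))
```

The addresses recovered from the PTR names are useful only as context for what the guest OS was doing; the hunt IOC from this detonation is the single TCP peer, together with the dropped-file hashes listed under Files.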
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un336197.exe
| MD5 | 5aa5186a9a84fd59c72aa9ef4fcb5b50 |
| SHA1 | 024460137d321822fe4adef251828b61f60f0e6c |
| SHA256 | 52d0b9c1167efad4283c5a9e47f17466b95c225ccb563672893c70661f9a5728 |
| SHA512 | dbf8db5d73b719a6efc2593cd017b6b24349a66b7f7f86588d3793fd251495c0af3c8975b97095c7b223ba25cd2a09257a6fdc87d3f16269a980298532af37f6 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0056.exe
| MD5 | 364988cc8cdecba06453bf038ce2771f |
| SHA1 | a9c63a8954c4013d82eb3341ca51320f265792ad |
| SHA256 | a20ede3ba76f08ed4ba1cb26aeb6b2e9c287521c9615b320062a70d20abbace8 |
| SHA512 | f8c11b48ae9734a19e9fcf34dcfbe509e43991df7966e1517f475034582dcc3f8f35fcc05eeadbbf999e5dc4c5a5e678c1a1e219c811d6d76cf5d4fe5da04ff7 |
memory/3740-15-0x0000000002E30000-0x0000000002F30000-memory.dmp
memory/3740-16-0x0000000002E00000-0x0000000002E2D000-memory.dmp
memory/3740-17-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3740-18-0x0000000004920000-0x000000000493A000-memory.dmp
memory/3740-19-0x0000000007180000-0x0000000007724000-memory.dmp
memory/3740-20-0x0000000004C70000-0x0000000004C88000-memory.dmp
memory/3740-31-0x0000000004C70000-0x0000000004C82000-memory.dmp
memory/3740-46-0x0000000004C70000-0x0000000004C82000-memory.dmp
memory/3740-45-0x0000000004C70000-0x0000000004C82000-memory.dmp
memory/3740-42-0x0000000004C70000-0x0000000004C82000-memory.dmp
memory/3740-40-0x0000000004C70000-0x0000000004C82000-memory.dmp
memory/3740-38-0x0000000004C70000-0x0000000004C82000-memory.dmp
memory/3740-36-0x0000000004C70000-0x0000000004C82000-memory.dmp
memory/3740-34-0x0000000004C70000-0x0000000004C82000-memory.dmp
memory/3740-33-0x0000000004C70000-0x0000000004C82000-memory.dmp
memory/3740-28-0x0000000004C70000-0x0000000004C82000-memory.dmp
memory/3740-26-0x0000000004C70000-0x0000000004C82000-memory.dmp
memory/3740-24-0x0000000004C70000-0x0000000004C82000-memory.dmp
memory/3740-22-0x0000000004C70000-0x0000000004C82000-memory.dmp
memory/3740-48-0x0000000004C70000-0x0000000004C82000-memory.dmp
memory/3740-21-0x0000000004C70000-0x0000000004C82000-memory.dmp
memory/3740-49-0x0000000002E30000-0x0000000002F30000-memory.dmp
memory/3740-50-0x0000000002E00000-0x0000000002E2D000-memory.dmp
memory/3740-51-0x0000000000400000-0x0000000002B78000-memory.dmp
memory/3740-54-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1012.exe
| MD5 | 2ef53d7cd476c1f62371e0472efd499a |
| SHA1 | 70c0f2a04a61becacda3398137017476946f3ace |
| SHA256 | 385344ba7ee9f9c82cccac5351b2ecf9ffcb170b449f2941064e8ff4d3340ebd |
| SHA512 | 7f7c3749edc0aaaadf726f5e3bfced67e0292ec468cd453b2f08567ec0a018cd5378c7a7ee4cd48e2f2b75107cd1fb27d282d8b60f5b70f202b9dbf0589ba89b |
memory/3740-53-0x0000000000400000-0x0000000002B78000-memory.dmp
memory/2896-59-0x0000000004BA0000-0x0000000004BE6000-memory.dmp
memory/2896-60-0x00000000077D0000-0x0000000007814000-memory.dmp
memory/2896-94-0x00000000077D0000-0x000000000780F000-memory.dmp
memory/2896-92-0x00000000077D0000-0x000000000780F000-memory.dmp
memory/2896-90-0x00000000077D0000-0x000000000780F000-memory.dmp
memory/2896-88-0x00000000077D0000-0x000000000780F000-memory.dmp
memory/2896-86-0x00000000077D0000-0x000000000780F000-memory.dmp
memory/2896-84-0x00000000077D0000-0x000000000780F000-memory.dmp
memory/2896-82-0x00000000077D0000-0x000000000780F000-memory.dmp
memory/2896-80-0x00000000077D0000-0x000000000780F000-memory.dmp
memory/2896-78-0x00000000077D0000-0x000000000780F000-memory.dmp
memory/2896-76-0x00000000077D0000-0x000000000780F000-memory.dmp
memory/2896-74-0x00000000077D0000-0x000000000780F000-memory.dmp
memory/2896-72-0x00000000077D0000-0x000000000780F000-memory.dmp
memory/2896-70-0x00000000077D0000-0x000000000780F000-memory.dmp
memory/2896-68-0x00000000077D0000-0x000000000780F000-memory.dmp
memory/2896-66-0x00000000077D0000-0x000000000780F000-memory.dmp
memory/2896-64-0x00000000077D0000-0x000000000780F000-memory.dmp
memory/2896-62-0x00000000077D0000-0x000000000780F000-memory.dmp
memory/2896-61-0x00000000077D0000-0x000000000780F000-memory.dmp
memory/2896-967-0x0000000007810000-0x0000000007E28000-memory.dmp
memory/2896-968-0x0000000007E70000-0x0000000007F7A000-memory.dmp
memory/2896-969-0x0000000007FA0000-0x0000000007FB2000-memory.dmp
memory/2896-970-0x0000000007FC0000-0x0000000007FFC000-memory.dmp
memory/2896-971-0x0000000008110000-0x000000000815C000-memory.dmp