Analysis Overview
SHA256
49367d34da6a758b3923024a3003715bb97c0969f72e2b6216d2f1a563b394bb
Threat Level: Known bad
The file 49367d34da6a758b3923024a3003715bb97c0969f72e2b6216d2f1a563b394bb was found to be: Known bad.
Malicious Activity Summary
Redline family
RedLine
Healer family
RedLine payload
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
Executes dropped EXE
Windows security modification
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 02:54
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 02:54
Reported
2024-11-10 02:56
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9630.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9630.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9630.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9630.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9630.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9630.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un073785.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9630.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0718.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9630.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9630.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\49367d34da6a758b3923024a3003715bb97c0969f72e2b6216d2f1a563b394bb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un073785.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9630.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\49367d34da6a758b3923024a3003715bb97c0969f72e2b6216d2f1a563b394bb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un073785.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9630.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0718.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9630.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9630.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9630.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0718.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\49367d34da6a758b3923024a3003715bb97c0969f72e2b6216d2f1a563b394bb.exe
"C:\Users\Admin\AppData\Local\Temp\49367d34da6a758b3923024a3003715bb97c0969f72e2b6216d2f1a563b394bb.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un073785.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un073785.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9630.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9630.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2000 -ip 2000
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 1020
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0718.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0718.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| RU | 176.113.115.145:4125 | | tcp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un073785.exe
| MD5 | ab4edda59b5086e6b547f549f11ae7b4 |
| SHA1 | 9a9c3f209452f275a6a7bd4980351801e51b01ff |
| SHA256 | 58fd87daed0299201dddc06457a5792b26feb7fcb9ef3be2a28d74e74fc1e700 |
| SHA512 | 0dcb6cfb444fe0ca1ff66fcf031f233ea037b44c5ca6e5628283b1f061d8e71d59a80da04a393fd4f15896d6d2676ade4ed585cc83ced7f2f7049cc27263bc60 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9630.exe
| MD5 | 8233cf33c5e5e324587286544d1768de |
| SHA1 | 3cd03396c05f909495e3a3adb4f8c0639e14939c |
| SHA256 | d70f8844150d065cda9c5ed553925968f3ca4636d6696e92273dc5473cf72768 |
| SHA512 | 9985a129760d160ef9530ed9ebb220e910f675e09e0e5253b81d9a6d421a8892ae7b1fdb3037d27a42d08ea7a334a774beabc382fb20010183af4ad6b6a27525 |
memory/2000-15-0x0000000002C60000-0x0000000002D60000-memory.dmp
memory/2000-16-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2000-17-0x0000000004AB0000-0x0000000004ACA000-memory.dmp
memory/2000-18-0x0000000007250000-0x00000000077F4000-memory.dmp
memory/2000-19-0x0000000000400000-0x0000000002B84000-memory.dmp
memory/2000-20-0x0000000007120000-0x0000000007138000-memory.dmp
memory/2000-24-0x0000000007120000-0x0000000007132000-memory.dmp
memory/2000-48-0x0000000007120000-0x0000000007132000-memory.dmp
memory/2000-46-0x0000000007120000-0x0000000007132000-memory.dmp
memory/2000-44-0x0000000007120000-0x0000000007132000-memory.dmp
memory/2000-42-0x0000000007120000-0x0000000007132000-memory.dmp
memory/2000-40-0x0000000007120000-0x0000000007132000-memory.dmp
memory/2000-38-0x0000000007120000-0x0000000007132000-memory.dmp
memory/2000-36-0x0000000007120000-0x0000000007132000-memory.dmp
memory/2000-34-0x0000000007120000-0x0000000007132000-memory.dmp
memory/2000-32-0x0000000007120000-0x0000000007132000-memory.dmp
memory/2000-30-0x0000000007120000-0x0000000007132000-memory.dmp
memory/2000-29-0x0000000007120000-0x0000000007132000-memory.dmp
memory/2000-26-0x0000000007120000-0x0000000007132000-memory.dmp
memory/2000-21-0x0000000007120000-0x0000000007132000-memory.dmp
memory/2000-22-0x0000000007120000-0x0000000007132000-memory.dmp
memory/2000-49-0x0000000002C60000-0x0000000002D60000-memory.dmp
memory/2000-51-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2000-50-0x0000000000400000-0x0000000002B84000-memory.dmp
memory/2000-53-0x0000000000400000-0x0000000002B84000-memory.dmp
memory/2000-54-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0718.exe
| MD5 | 61f34512991d2204f5b8c477131644e1 |
| SHA1 | 2e6e3798ee5bca15f3524deed4cdd23e9d16252c |
| SHA256 | 37b0370c73e58a9104cefa61cbcee455cc49777abf2e836d68bf5dc848fd2b0f |
| SHA512 | 7c6fbde0543d5c358b49e3ce39fbe365b0aa3b25cebeaca9487565fad0a282418a355cb285f2fee58690794522dab29498561fad7711f88bdb126efb87821c1b |
memory/1132-59-0x0000000004A00000-0x0000000004A46000-memory.dmp
memory/1132-60-0x00000000077B0000-0x00000000077F4000-memory.dmp
memory/1132-88-0x00000000077B0000-0x00000000077EF000-memory.dmp
memory/1132-61-0x00000000077B0000-0x00000000077EF000-memory.dmp
memory/1132-94-0x00000000077B0000-0x00000000077EF000-memory.dmp
memory/1132-92-0x00000000077B0000-0x00000000077EF000-memory.dmp
memory/1132-90-0x00000000077B0000-0x00000000077EF000-memory.dmp
memory/1132-86-0x00000000077B0000-0x00000000077EF000-memory.dmp
memory/1132-84-0x00000000077B0000-0x00000000077EF000-memory.dmp
memory/1132-82-0x00000000077B0000-0x00000000077EF000-memory.dmp
memory/1132-80-0x00000000077B0000-0x00000000077EF000-memory.dmp
memory/1132-78-0x00000000077B0000-0x00000000077EF000-memory.dmp
memory/1132-76-0x00000000077B0000-0x00000000077EF000-memory.dmp
memory/1132-74-0x00000000077B0000-0x00000000077EF000-memory.dmp
memory/1132-72-0x00000000077B0000-0x00000000077EF000-memory.dmp
memory/1132-70-0x00000000077B0000-0x00000000077EF000-memory.dmp
memory/1132-68-0x00000000077B0000-0x00000000077EF000-memory.dmp
memory/1132-66-0x00000000077B0000-0x00000000077EF000-memory.dmp
memory/1132-64-0x00000000077B0000-0x00000000077EF000-memory.dmp
memory/1132-62-0x00000000077B0000-0x00000000077EF000-memory.dmp
memory/1132-967-0x00000000077F0000-0x0000000007E08000-memory.dmp
memory/1132-968-0x0000000007E70000-0x0000000007F7A000-memory.dmp
memory/1132-969-0x0000000007FB0000-0x0000000007FC2000-memory.dmp
memory/1132-970-0x0000000007FD0000-0x000000000800C000-memory.dmp
memory/1132-971-0x0000000008120000-0x000000000816C000-memory.dmp