Analysis Overview
SHA256
c14a70e0f165972bafd04bb050eb20b6e9431c2f74c159c32fb1a64983108753
Threat Level: Known bad
The file c14a70e0f165972bafd04bb050eb20b6e9431c2f74c159c32fb1a64983108753N.exe was found to be: Known bad.
Malicious Activity Summary
Redline family
RedLine
Healer
Detects Healer an antivirus disabler dropper
Healer family
Modifies Windows Defender Real-time Protection settings
RedLine payload
Windows security modification
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 14:05
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 14:05
Reported
2024-11-13 14:07
Platform
win10v2004-20241007-en
Max time kernel
115s
Max time network
118s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(17 matches reported, all with N/A in every column.)
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro1629.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro1629.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro1629.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro1629.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro1629.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro1629.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(20 matches reported, all with N/A in every column.)
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro1629.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu3686.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro1629.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro1629.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\c14a70e0f165972bafd04bb050eb20b6e9431c2f74c159c32fb1a64983108753N.exe | N/A |
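The registry writes listed above (the Real-Time Protection policy values set to 1, TamperProtection set to 0, and the RunOnce entry) are the indicators a detection engineer would turn into a rule. What follows is an added example, not part of this report and not the sandbox's own signature logic: it runs that logic over registry value-set events shaped like Sysmon Event ID 13 records, constructed here from the report's rows. Two caveats are built in. First, the paths are logged through the WOW64 32-bit registry view (pro1629.exe is 32-bit, which is why SysWOW64\WerFault.exe handled its crash), so the rule normalizes WOW6432Node away and a live-host check should read both views. Second, the wextract_cleanup0 RunOnce value is the cleanup entry Microsoft's wextract self-extractor registers to delete its IXP000.TMP extraction directory, so it is reported as informational rather than as persistence. The rule names, severities and the benign control event are our own. Whether the Defender writes took effect on a real host depends on Tamper Protection being enabled, since it blocks registry changes to these settings.

```python
"""Detection logic for the Defender-tampering registry writes in this report.

Added example (not the sandbox's signature code). SAMPLE_EVENTS is constructed
from the report's registry rows in the shape of Sysmon Event ID 13 records;
rule names and severities are our own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Real-Time Protection policy values the dropper set to 1, written under
# HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection.
DEFENDER_RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableScanOnRealtimeEnable",
}


@dataclass(frozen=True)
class Finding:
    severity: str
    rule: str
    image: str
    key: str
    value_name: str
    data: int | str | None


def normalize_key(path: str) -> str:
    """Map a kernel object path to an HKLM path and drop the WOW64 view.

    A 32-bit process sees HKLM\\SOFTWARE through WOW6432Node, so the same
    write may be logged under either path. Match on the normalized form and,
    when checking a live host, read both views.
    """
    p = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path, flags=re.I)
    p = re.sub(r"^HKEY_LOCAL_MACHINE\\", r"HKLM\\", p, flags=re.I)
    return re.sub(r"\\WOW6432Node\\", r"\\", p, flags=re.I)


def parse_details(details: str) -> int | str | None:
    """Accept Sysmon's 'DWORD (0x00000001)' and the report's '"1"' forms."""
    d = (details or "").strip()
    m = re.fullmatch(r"(?:DWORD|QWORD) \((0x[0-9A-Fa-f]+)\)", d)
    if m:
        return int(m.group(1), 16)
    unquoted = d.strip('"')
    if re.fullmatch(r"-?\d+", unquoted):
        return int(unquoted)
    return d or None


def evaluate(event: dict) -> Finding | None:
    """Return a Finding for one registry value-set event, or None."""
    full = normalize_key(event["TargetObject"])
    key, _, name = full.rpartition("\\")
    key_l = key.lower()
    data = parse_details(event.get("Details", ""))
    image = event.get("Image", "")

    if (key_l.endswith(r"\policies\microsoft\windows defender\real-time protection")
            and name in DEFENDER_RTP_DISABLE_VALUES and data == 1):
        return Finding("high", "defender_rtp_disabled_by_policy", image, key, name, data)
    if (key_l.endswith(r"\microsoft\windows defender\features")
            and name == "TamperProtection" and data == 0):
        return Finding("high", "defender_tamper_protection_off", image, key, name, data)
    if (key_l.endswith(r"\microsoft\windows\currentversion\runonce")
            and name.lower().startswith("wextract_cleanup")):
        # wextract (IExpress) registers this entry to delete its IXP000.TMP
        # directory on next logon; it is self-extractor cleanup, not persistence.
        return Finding("info", "wextract_selfextractor_cleanup", image, key, name, data)
    return None


def scan(events: list[dict]) -> list[Finding]:
    return [f for f in map(evaluate, events) if f is not None]


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro1629.exe"
SAMPLE_EVENTS = [  # constructed from the report's registry rows
    {"Image": DROPPER, "Details": "DWORD (0x00000001)",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"},
    {"Image": DROPPER, "Details": '"0"',
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection"},
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\c14a70e0f165972bafd04bb050eb20b6e9431c2f74c159c32fb1a64983108753N.exe",
     "Details": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"',
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0"},
    # constructed benign control: the same value set back to 0 must not fire
    {"Image": r"C:\Windows\System32\svchost.exe", "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.key}\\{f.value_name} = {f.data!r} ({f.image})")
```

Running the script prints two high-severity findings for pro1629.exe and one informational entry for the root self-extractor; the control event that re-enables real-time monitoring produces nothing. To hunt on a host rather than on logs, read both HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection and its WOW6432Node twin and apply the same value checks.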
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro1629.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c14a70e0f165972bafd04bb050eb20b6e9431c2f74c159c32fb1a64983108753N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro1629.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu3686.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro1629.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro1629.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro1629.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu3686.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c14a70e0f165972bafd04bb050eb20b6e9431c2f74c159c32fb1a64983108753N.exe
"C:\Users\Admin\AppData\Local\Temp\c14a70e0f165972bafd04bb050eb20b6e9431c2f74c159c32fb1a64983108753N.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro1629.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro1629.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4532 -ip 4532
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 992
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu3686.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu3686.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 193.233.20.32:4125 | | tcp |
| RU | 193.233.20.32:4125 | | tcp |
| RU | 193.233.20.32:4125 | | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| RU | 193.233.20.32:4125 | | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.135.221.88.in-addr.arpa | udp |
| RU | 193.233.20.32:4125 | | tcp |
| RU | 193.233.20.32:4125 | | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| RU | 193.233.20.32:4125 | | tcp |
| RU | 193.233.20.32:4125 | | tcp |
| RU | 193.233.20.32:4125 | | tcp |
| RU | 193.233.20.32:4125 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| RU | 193.233.20.32:4125 | | tcp |
| RU | 193.233.20.32:4125 | | tcp |
| RU | 193.233.20.32:4125 | | tcp |
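The Network table mixes two kinds of rows: reverse-DNS (PTR) lookups sent to 8.8.8.8:53, and repeated direct TCP connections to 193.233.20.32:4125. The labels of an in-addr.arpa name are the address octets in reverse order, so 196.249.167.52.in-addr.arpa is the PTR name for 52.167.249.196; reversing them is the first step in checking those addresses against an allowlist of known OS telemetry endpoints. The following is an added example, not part of the report: it parses the table as constructed here, reverses the PTR names, and ranks the remaining flows by connection count so that the one endpoint contacted thirteen times in the 118-second network window stands out. The minimum-hit threshold and the quiet-port list are our own choices, and the report itself says nothing about what listens on 193.233.20.32:4125.

```python
"""Triage of the report's Network table: reverse-DNS lookups vs. direct flows.

Added example, not part of the sandbox report. ROWS is constructed from the
report's Network table; the threshold and port allowlist are our own.
"""
from __future__ import annotations

import re
from collections import Counter

RU_FLOW = ("RU", "193.233.20.32:4125", "", "tcp")
ROWS = [  # (country, destination, domain, proto), in report order
    ("US", "8.8.8.8:53", "196.249.167.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "68.32.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    RU_FLOW, RU_FLOW, RU_FLOW,
    ("US", "8.8.8.8:53", "198.187.3.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "197.87.175.4.in-addr.arpa", "udp"),
    RU_FLOW,
    ("US", "8.8.8.8:53", "13.86.106.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "232.135.221.88.in-addr.arpa", "udp"),
    RU_FLOW, RU_FLOW,
    ("US", "8.8.8.8:53", "83.210.23.2.in-addr.arpa", "udp"),
    RU_FLOW, RU_FLOW, RU_FLOW, RU_FLOW,
    ("US", "8.8.8.8:53", "48.229.111.52.in-addr.arpa", "udp"),
    RU_FLOW, RU_FLOW, RU_FLOW,
]

PTR_RE = re.compile(
    r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$", re.I
)


def ptr_to_ip(name: str) -> str | None:
    """'196.249.167.52.in-addr.arpa' is the PTR name for 52.167.249.196."""
    m = PTR_RE.match(name.strip())
    return ".".join(reversed(m.groups())) if m else None


def split_rows(rows):
    """Return (looked-up IPs in table order, Counter of direct flows).

    Flows are keyed by (destination, proto, country); a DNS row whose domain
    is a PTR name is recorded as a lookup, anything else as a flow.
    """
    looked_up = []
    flows = Counter()
    for country, dest, domain, proto in rows:
        ip = ptr_to_ip(domain)
        if ip is not None and dest.endswith(":53"):
            looked_up.append(ip)
        else:
            flows[(dest, proto, country)] += 1
    return looked_up, flows


def repeated_destinations(flows, min_hits: int = 3, quiet_ports=(53, 80, 443)):
    """Destinations hit at least min_hits times on a port outside quiet_ports, most hits first."""
    hits = []
    for (dest, proto, country), n in flows.items():
        port = int(dest.rpartition(":")[2])
        if n >= min_hits and port not in quiet_ports:
            hits.append((dest, proto, country, n))
    return sorted(hits, key=lambda h: -h[3])


if __name__ == "__main__":
    ips, flows = split_rows(ROWS)
    print("reverse lookups for:", ", ".join(ips))
    for dest, proto, country, n in repeated_destinations(flows):
        print(f"{dest}/{proto} ({country}): {n} connections during the run")
```

The quiet-port list only keeps well-known ports out of the ranking; when triaging a real capture, review 80 and 443 flows as well, since a high-port destination is merely the easiest one to spot. Thirteen reconnections to the same host and port inside a two-minute window is the pattern to pivot on, and the reversed PTR addresses are what to compare against the sandbox's baseline of ordinary Windows traffic.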
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro1629.exe
| MD5 | ef89f39ad4846a105411b50c01be86af |
| SHA1 | 520fce06b71635d922166c3ae60fd2c77b3724a6 |
| SHA256 | 2350662762be2ad7f36d066e28efb3493ce732f15585fd63c84ba73db0ad45f6 |
| SHA512 | 57ee6f141cc7ff0175cce35bf3224df319dad6efb8727378b50e9d73647a6534db5e1284488fe308cec5ad24a070d14fc8c883b2471dde01894b0e6d14125e7a |
memory/4532-8-0x0000000002D80000-0x0000000002E80000-memory.dmp
memory/4532-10-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4532-9-0x0000000002CA0000-0x0000000002CCD000-memory.dmp
memory/4532-11-0x0000000002FE0000-0x0000000002FFA000-memory.dmp
memory/4532-12-0x0000000007320000-0x00000000078C4000-memory.dmp
memory/4532-13-0x0000000004CE0000-0x0000000004CF8000-memory.dmp
memory/4532-14-0x0000000000400000-0x0000000002B7E000-memory.dmp
memory/4532-42-0x0000000004CE0000-0x0000000004CF2000-memory.dmp
memory/4532-20-0x0000000004CE0000-0x0000000004CF2000-memory.dmp
memory/4532-18-0x0000000004CE0000-0x0000000004CF2000-memory.dmp
memory/4532-16-0x0000000004CE0000-0x0000000004CF2000-memory.dmp
memory/4532-15-0x0000000004CE0000-0x0000000004CF2000-memory.dmp
memory/4532-40-0x0000000004CE0000-0x0000000004CF2000-memory.dmp
memory/4532-38-0x0000000004CE0000-0x0000000004CF2000-memory.dmp
memory/4532-36-0x0000000004CE0000-0x0000000004CF2000-memory.dmp
memory/4532-35-0x0000000004CE0000-0x0000000004CF2000-memory.dmp
memory/4532-32-0x0000000004CE0000-0x0000000004CF2000-memory.dmp
memory/4532-30-0x0000000004CE0000-0x0000000004CF2000-memory.dmp
memory/4532-28-0x0000000004CE0000-0x0000000004CF2000-memory.dmp
memory/4532-26-0x0000000004CE0000-0x0000000004CF2000-memory.dmp
memory/4532-24-0x0000000004CE0000-0x0000000004CF2000-memory.dmp
memory/4532-22-0x0000000004CE0000-0x0000000004CF2000-memory.dmp
memory/4532-43-0x0000000002D80000-0x0000000002E80000-memory.dmp
memory/4532-44-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4532-48-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4532-49-0x0000000000400000-0x0000000002B7E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu3686.exe
| MD5 | d10d4cf82277f0745666ba16c8a82e99 |
| SHA1 | 755ea12bba3a621f30a104e9abc7d0c4076b3b70 |
| SHA256 | e46360448b26820ce9bf60d6daa4e1ca5643dec17f60232c888b1a0d5dc2f73f |
| SHA512 | d7c71e1e2f60c57a628b1d515e8c687780c8581bf87f65a9fa1e959f2fb02c904ae7cf10d60cfd305826ed9bd2c5cffa140aa58fdab1098aba1accdbfd05d092 |
memory/3764-54-0x00000000070F0000-0x0000000007136000-memory.dmp
memory/3764-55-0x00000000071B0000-0x00000000071F4000-memory.dmp
memory/3764-87-0x00000000071B0000-0x00000000071EF000-memory.dmp
memory/3764-89-0x00000000071B0000-0x00000000071EF000-memory.dmp
memory/3764-85-0x00000000071B0000-0x00000000071EF000-memory.dmp
memory/3764-83-0x00000000071B0000-0x00000000071EF000-memory.dmp
memory/3764-81-0x00000000071B0000-0x00000000071EF000-memory.dmp
memory/3764-79-0x00000000071B0000-0x00000000071EF000-memory.dmp
memory/3764-77-0x00000000071B0000-0x00000000071EF000-memory.dmp
memory/3764-962-0x0000000007890000-0x0000000007EA8000-memory.dmp
memory/3764-964-0x00000000072B0000-0x00000000072C2000-memory.dmp
memory/3764-963-0x0000000007EB0000-0x0000000007FBA000-memory.dmp
memory/3764-75-0x00000000071B0000-0x00000000071EF000-memory.dmp
memory/3764-73-0x00000000071B0000-0x00000000071EF000-memory.dmp
memory/3764-71-0x00000000071B0000-0x00000000071EF000-memory.dmp
memory/3764-965-0x0000000007FC0000-0x0000000007FFC000-memory.dmp
memory/3764-69-0x00000000071B0000-0x00000000071EF000-memory.dmp
memory/3764-67-0x00000000071B0000-0x00000000071EF000-memory.dmp
memory/3764-63-0x00000000071B0000-0x00000000071EF000-memory.dmp
memory/3764-61-0x00000000071B0000-0x00000000071EF000-memory.dmp
memory/3764-966-0x0000000008110000-0x000000000815C000-memory.dmp
memory/3764-65-0x00000000071B0000-0x00000000071EF000-memory.dmp
memory/3764-59-0x00000000071B0000-0x00000000071EF000-memory.dmp
memory/3764-57-0x00000000071B0000-0x00000000071EF000-memory.dmp
memory/3764-56-0x00000000071B0000-0x00000000071EF000-memory.dmp