Analysis Overview
SHA256
d507932171d6b8a7e70445521bf7e44e8ec8653a8d07a62ef39f960dfd099251
Threat Level: Known bad
The file d507932171d6b8a7e70445521bf7e44e8ec8653a8d07a62ef39f960dfd099251 was found to be: Known bad.
Malicious Activity Summary
Healer family
Healer
Detects Healer, an antivirus disabler dropper
Redline family
RedLine payload
Modifies Windows Defender Real-time Protection settings
RedLine
Windows security modification
Executes dropped EXE
Adds Run key to start application
Launches sc.exe
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-04 13:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-04 13:47
Reported
2024-11-04 13:49
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\beTR25qB16.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\beTR25qB16.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\beTR25qB16.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\beTR25qB16.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\beTR25qB16.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\beTR25qB16.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptCC3448Lc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptJO0302ci.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptsc0096oD.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ptkm2907mL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ptbw4907xk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\beTR25qB16.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cumW18HT90.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\beTR25qB16.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ptkm2907mL.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ptbw4907xk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\d507932171d6b8a7e70445521bf7e44e8ec8653a8d07a62ef39f960dfd099251.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptCC3448Lc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptJO0302ci.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptsc0096oD.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ptkm2907mL.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ptbw4907xk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cumW18HT90.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d507932171d6b8a7e70445521bf7e44e8ec8653a8d07a62ef39f960dfd099251.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptCC3448Lc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptJO0302ci.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptsc0096oD.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\beTR25qB16.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\beTR25qB16.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cumW18HT90.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\d507932171d6b8a7e70445521bf7e44e8ec8653a8d07a62ef39f960dfd099251.exe | "C:\Users\Admin\AppData\Local\Temp\d507932171d6b8a7e70445521bf7e44e8ec8653a8d07a62ef39f960dfd099251.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptCC3448Lc.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptCC3448Lc.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptJO0302ci.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptJO0302ci.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptsc0096oD.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptsc0096oD.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ptkm2907mL.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ptkm2907mL.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ptbw4907xk.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ptbw4907xk.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\beTR25qB16.exe | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\beTR25qB16.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cumW18HT90.exe | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cumW18HT90.exe |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe start wuauserv |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| RU | 193.233.20.24:4123 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptCC3448Lc.exe
| MD5 | 124cda411475130c5d8315b3fd746216 |
| SHA1 | f04f0da227843a2aafb23f2bb773f491b6aec4a4 |
| SHA256 | 071dda77c990e0592d956e5a711e9beedf2d5e4be8ca14ad2e2edb86d08987be |
| SHA512 | 7c53859776fdc79c71e8f79bade36beb7f4d14ad475b2538b7a80a4eefa9bc8ca474d09878d6fea6187bd25c0abca80dfab693dd7f692b96e093b100a4d9964f |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptJO0302ci.exe
| MD5 | fe312e028a23f008211091023b477d93 |
| SHA1 | cd4edad0ee1cf89c22d6e3a8f0d3383d51204d61 |
| SHA256 | ab8f5867c2385c6c8008b7eb8bc97074698052d517106bb038f0aa5de3233528 |
| SHA512 | 0f0231742957a6bf69920588a7815f5e3abac1958dd2fadd78ec8d4b341295a3c17d5675392acc68d81da6f313af3af565f66ff242b2af54190ddfc92f1f6b75 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptsc0096oD.exe
| MD5 | 2bd192dc9f3fd8ed5b0269cb355a2974 |
| SHA1 | eeac1c79a1fd032be0bbc7815112fd1cb3a24e38 |
| SHA256 | fb04c007615bfc7ba6377ca01b545d9d6fae3cca5b3d98d32f83fed0129f4174 |
| SHA512 | 1f61700737e8e0955dcc97536f4a061e6f9a2e43b54c5bb846b4e6da8465955c9a0e21f6b3d105b6d7f37bc523359bbe84341d2e89e7895676a9436c252adfa6 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ptkm2907mL.exe
| MD5 | 6ed4f139aab2d34d03ca7fffeff69d87 |
| SHA1 | 96bf6c07f99b3a063f32c8dade2b690be83de6c8 |
| SHA256 | 880b8295b2d9e15ad979558336db6ce4101e51624ad05366c98dc138a49c303f |
| SHA512 | 9a12df0e08ba40688f38b25076620f3db6d5b542149eb1489b314b74ff9633b7fe4d920a198a4247b7ca17707b9d226c1c46c9141820950d441bd3f01cf34a69 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ptbw4907xk.exe
| MD5 | bc2394e563e1bdeeaa722b90a53d4b7a |
| SHA1 | f6aecded7c472a8fa452698f98a7b935aa98c93d |
| SHA256 | e6d56d8dd9dbde443de2914ba32a9e9acb61600425f20cb5984deb8f67d29234 |
| SHA512 | d9e1194bf2fdedeb43e3f950fdc8364e4bd36788f822b86f9c66afc5678965eb0e57cfd05bbfc3eb422c9fcc6b5073e99380a3a87efc891adaa8d6f342254082 |
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\beTR25qB16.exe
| MD5 | 6d89124f304d88ce8cee9c55754c0991 |
| SHA1 | 6f4d7b6cfa346e7f5e8773f64a00b2dbb9bb8e83 |
| SHA256 | 0960145b5afa396a1c6f17cbef2d43fb2b9251a9cbf2467df6a28b4ea741aace |
| SHA512 | 79e0ae3fead104fd54bd7b1bf9a08ddd9d4df6a21ca4025b7ccb3446baf988ffb9ac55c4114381e690b3b8e780245c50748246401fddb87bf4910e66a08c863e |
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cumW18HT90.exe
| MD5 | 1c5a86f75232313703fab93a198cfae7 |
| SHA1 | ecf2d10a917811db5f5da1e29c929ab6a2866a0e |
| SHA256 | 6c5ec3126e35491fe8716e34691036a2cd0a24c110ad9080ecc4b1130ba92b71 |
| SHA512 | fd6d22ad3c16dcfa708a2e04ca73946046867a18c10ddfda030f04bc7f77373284c043d433997c27ba7e186e814573a26e11cd0a939467b7ec7683b919f9eb0f |