Analysis Overview
SHA256
5ffb3a7dd459f235f7fc1331c5c732b10b57bf970f7142bbba65de6786646a77
Threat Level: Known bad
The file 5ffb3a7dd459f235f7fc1331c5c732b10b57bf970f7142bbba65de6786646a77 was found to be: Known bad.
Malicious Activity Summary
Redline family
RedLine payload
Healer family
Healer
Modifies Windows Defender Real-time Protection settings
Detects Healer an antivirus disabler dropper
RedLine
Executes dropped EXE
Windows security modification
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-04 13:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-04 13:56
Reported
2024-11-04 13:59
Platform
win10v2004-20241007-en
Max time kernel
142s
Max time network
147s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4085758.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4085758.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4085758.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4085758.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4085758.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4085758.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9218275.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4085758.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4923491.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4085758.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4085758.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\5ffb3a7dd459f235f7fc1331c5c732b10b57bf970f7142bbba65de6786646a77.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9218275.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4085758.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4923491.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5ffb3a7dd459f235f7fc1331c5c732b10b57bf970f7142bbba65de6786646a77.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9218275.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4085758.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4085758.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\5ffb3a7dd459f235f7fc1331c5c732b10b57bf970f7142bbba65de6786646a77.exe | "C:\Users\Admin\AppData\Local\Temp\5ffb3a7dd459f235f7fc1331c5c732b10b57bf970f7142bbba65de6786646a77.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9218275.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9218275.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4085758.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4085758.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4923491.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4923491.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| CY | 217.196.96.102:4132 | N/A | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| CY | 217.196.96.102:4132 | N/A | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| CY | 217.196.96.102:4132 | N/A | tcp |
| CY | 217.196.96.102:4132 | N/A | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| CY | 217.196.96.102:4132 | N/A | tcp |
| CY | 217.196.96.102:4132 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9218275.exe
| MD5 | 828be5381ec3a8cf43519afd4af29c2c |
| SHA1 | fd0e19693140eb2b9bbb0ab2ea7b55fa0ed88c17 |
| SHA256 | 965deff7410252bf6c394fe37164f66fd7b5c9adfc0a086f8d93ff6b4779843c |
| SHA512 | c423a2ce02fc5201d2d3606c42341c88007c5536700d9d379b81b3a9e5ca29e49809705f9b94e38d5652b391c256846dd396124588b0ca2ca9571b2fa953bef1 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4085758.exe
| MD5 | c667a7154e653d174e745352a9bdb800 |
| SHA1 | ebae1a65dbc369d892b5413c76213bc6a12cc535 |
| SHA256 | bcbc8a53b1d72356b5f37e9a0427075823a6eb0fd23d0954230dd37e6ff3a6af |
| SHA512 | 0fcef90c417992e06ddb8a5d5aefe4934876c13d52bcffd448d7a80ddad15457fd6538d563c97f96f923885dc8e9eae5acc4f7e565364c03fd825ab822e8c9a3 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4923491.exe
| MD5 | 64f7857f15d100efce431521574dd688 |
| SHA1 | 57e34f694fdaba04b3cb5c62adfdd5dae6679e5c |
| SHA256 | d40d5ce9440f2529e3d64fd8a8023e7313cccb311c07f7cd7581cedea4d05659 |
| SHA512 | 25a675e61e0b010edb67fdba6d6b425d2ada1612d85f6cd6ffb173bb002555fd5b1b18de5059c82f58c3cac9a3b21a2fcae9a8440f121c19d272760d85e73235 |