Analysis Overview
SHA256
f24fd1aa0ef5d941b90d779fb2fde19e3f9893021603df3eb602849ad5810c9b
Threat Level: Known bad
The file f24fd1aa0ef5d941b90d779fb2fde19e3f9893021603df3eb602849ad5810c9b was found to be: Known bad.
Malicious Activity Summary
Redline family
Healer family
Detects Healer, an antivirus disabler dropper
RedLine
RedLine payload
Modifies Windows Defender Real-time Protection settings
Healer
Executes dropped EXE
Windows security modification
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-07 00:22
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-07 00:22
Reported
2024-11-07 00:25
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
159s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iDm49Vi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iDm49Vi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iDm49Vi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iDm49Vi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iDm49Vi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iDm49Vi.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sdA44Bz60.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\slF63FV67.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sOu06Dv99.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iDm49Vi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kTq73gj.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iDm49Vi.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\1c544e672b97e1609b2b419b3fff4913fbf8368a937ae31d1dcd74448cc4ef71.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sdA44Bz60.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\slF63FV67.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sOu06Dv99.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1c544e672b97e1609b2b419b3fff4913fbf8368a937ae31d1dcd74448cc4ef71.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sdA44Bz60.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\slF63FV67.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sOu06Dv99.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kTq73gj.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iDm49Vi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iDm49Vi.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iDm49Vi.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kTq73gj.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\1c544e672b97e1609b2b419b3fff4913fbf8368a937ae31d1dcd74448cc4ef71.exe | "C:\Users\Admin\AppData\Local\Temp\1c544e672b97e1609b2b419b3fff4913fbf8368a937ae31d1dcd74448cc4ef71.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sdA44Bz60.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sdA44Bz60.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\slF63FV67.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\slF63FV67.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sOu06Dv99.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sOu06Dv99.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iDm49Vi.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iDm49Vi.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kTq73gj.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kTq73gj.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| RU | 193.233.20.23:4124 | N/A | tcp |
| RU | 193.233.20.23:4124 | N/A | tcp |
| US | 8.8.8.8:53 | 73.209.201.84.in-addr.arpa | udp |
| RU | 193.233.20.23:4124 | N/A | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| RU | 193.233.20.23:4124 | N/A | tcp |
| RU | 193.233.20.23:4124 | N/A | tcp |
| US | 8.8.8.8:53 | 174.117.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sdA44Bz60.exe
| MD5 | 6460267f9295a18d677fb2f5b558ed7c |
| SHA1 | 78eb4c5f1043b3b8eae80fb73d3083c75d09516c |
| SHA256 | ccc74947c79a707e67452eb08f0a567018fc9b72438133808b40b5668e5885a5 |
| SHA512 | a877806aa102cff46a3bf0c18a3841f288aa6087d18ed3f03e0306bc9f89b0ea6d644c60f463528c8fef81a22e0dad6300f7db2ab348a151d26745bb024db43d |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\slF63FV67.exe
| MD5 | 6e639fb4dd2b20f2b3e46a0d9930fdf6 |
| SHA1 | 232ced981959a4cfb0d639ff0f94e6ce2c599ca4 |
| SHA256 | 82e358692e5f29f1fab7f61741eebb77c29134310c06c9b001c72ec58c25c937 |
| SHA512 | 75dda6cbf4fd73520a5c79fc532c5fa4931d19338c13527b7ab177e16ee682961b806a2e40ce2eb1e72b0276d9f698dc46211734942d4712c9dee2e5deddd9dc |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sOu06Dv99.exe
| MD5 | 122607517a0ee805086508e65ef2c3a7 |
| SHA1 | dedacf4c77a5655f0da38f0ca2ffbc9ca1429846 |
| SHA256 | 7d7ff7365a006eebdab189c3c4d17e67c2080b27f4ba8d6eecb553fbcf27b57b |
| SHA512 | ee02dcf38ee2ed58844e7442bf254838a843a3eeeea7c9dce6b80be464691ae9b59198cd8d0002aa6cd8878bd6ed330010a95ee4093df4ae82f3e29b2a1ec9cf |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iDm49Vi.exe
| MD5 | 2d573d483075cfa25385b0cc73af87bd |
| SHA1 | 0c68fc1baa8e2b15c72ed4d4a6e4a6d618318196 |
| SHA256 | 9b742919671663d980f9471d1f2b2891602d919182ae1909d4f00dba5e0f3ed1 |
| SHA512 | 158f2b046df4cb29a4d17c4454cf73c4bd12ba5654d4bffe21813abba5b39e3bb12929b9d1bc78dd812c786129b42bbb559f8a19d444266a56be744c0d7bbe58 |
memory/1360-28-0x0000000000A10000-0x0000000000A1A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kTq73gj.exe
| MD5 | b0b94e2c2b7fcb269bf95b62cc9b065b |
| SHA1 | 538d87b1ccae12796ed59ee2b407a5e19fce17ed |
| SHA256 | b99491d4afd199d95ff54c83be16a8e91f7a25299ac3b592e0e563b7798dd578 |
| SHA512 | ee8c0a033e9decaae0f9de9e67907feca5de84f3ef300e34e8de8871bf37fe1d21b4e1922c1989cece049e988aa2c1410953a1951277466daf572723e4c42b25 |