Analysis Overview
SHA256
189cf43dc7c4f36a23108a7283c8abf0200476e5040f5705b22996c11191d945
Threat Level: Known bad
The file 189cf43dc7c4f36a23108a7283c8abf0200476e5040f5705b22996c11191d945 was found to be: Known bad.
Malicious Activity Summary
RedLine payload
Modifies Windows Defender Real-time Protection settings
Healer family
RedLine
Healer
Redline family
Detects Healer an antivirus disabler dropper
Windows security modification
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-07 02:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-07 02:40
Reported
2024-11-07 02:42
Platform
win10v2004-20241007-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNT92JN.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNT92JN.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNT92JN.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNT92JN.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNT92JN.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNT92JN.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sVE65PH76.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\srX37jJ41.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\saq72Ff13.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNT92JN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kkj98JQ.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNT92JN.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\8fb96ea4bb20343081a18910f7d1f7b59f67ed801b32c610eb738fa584836cb2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sVE65PH76.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\srX37jJ41.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\saq72Ff13.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\srX37jJ41.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\saq72Ff13.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kkj98JQ.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8fb96ea4bb20343081a18910f7d1f7b59f67ed801b32c610eb738fa584836cb2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sVE65PH76.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNT92JN.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNT92JN.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kkj98JQ.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\8fb96ea4bb20343081a18910f7d1f7b59f67ed801b32c610eb738fa584836cb2.exe | "C:\Users\Admin\AppData\Local\Temp\8fb96ea4bb20343081a18910f7d1f7b59f67ed801b32c610eb738fa584836cb2.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sVE65PH76.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sVE65PH76.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\srX37jJ41.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\srX37jJ41.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\saq72Ff13.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\saq72Ff13.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNT92JN.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNT92JN.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kkj98JQ.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kkj98JQ.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| RU | 193.233.20.23:4124 | N/A | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sVE65PH76.exe
| MD5 | 41288373432a73184167966c46465d3e |
| SHA1 | 77e34bdafa177fa7e9c148b8b44ce450e91c3324 |
| SHA256 | 20248e9f11ba2792db80b181086fb94ebbdea0b314a60be93e547e42657010a7 |
| SHA512 | b22ecf771ed103f3b4a4ea3cf31ae99fb8ec1237bc818131726db20bc235649207120e1e51acb5cd76bb77fff4416568cba1958947ded2f5727c93d0acff0937 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\srX37jJ41.exe
| MD5 | 803bead51b64f1d47818c3c8de41a52a |
| SHA1 | 2b6542fd9001056ccf1a702cfdf32fc536ba3589 |
| SHA256 | e153e41f67febc814a63aba356167861400b378a4782faafc8845fbe57c08a34 |
| SHA512 | e3382318084a7c1ed2cded1eeefa3a4b98929a410c59794fd092a1114145381d610d95e65b9c3a892eb2b3b4f643ad314fa425096448c1f41f58b49a5f3ab0f4 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\saq72Ff13.exe
| MD5 | 59d1dd6f1027ec76e8f60ebfb87bb2c3 |
| SHA1 | 20720894881ad763c165ced843d3e18920458ccb |
| SHA256 | 8877e6541a946e3ae5966211f09de3913bc66c399e046b0057baff16b3d86b60 |
| SHA512 | 76ea5ddb13cfdd96c98c1aef65600ac4ef6f17a6b8ad06d366dc052faa2a61362d97f5717281baea832adac1f2f5b0f3344ffe5999b0c70e1cad760935f190a4 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNT92JN.exe
| MD5 | 04f3c63ce81835b2054683bcfc3dde69 |
| SHA1 | cd1f5d0a2a905ac46c556dd1157ae6bfddfdae4e |
| SHA256 | 7539469ced6e51a6dad4db72bc209948028e863dbda0a33910f700056964a6f9 |
| SHA512 | 0593f081909f7fd614dc073404527c64341929a90bf93fbdef9758100d99260eb94c8e521e70cae42cd9ee0921e93860588ab8e8a9f88c3cb819567f215277ad |
memory/4460-28-0x0000000000550000-0x000000000055A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kkj98JQ.exe
| MD5 | 89043a2a2ea21c3bd2a007ecd51c585f |
| SHA1 | 8a69615923db088e06a0ea0e6b9c0c910275573d |
| SHA256 | f412aef193eb688eeac1e9cf396e0cc888d3be7ff19c9ce07f815b6a1bff3ecf |
| SHA512 | 206203bb26173099ceb68ad16a0da6565181b9fc841bec240652f8d7c4f53325a6a1a4af0d33de1d77ad6c27a127189b4f6e4c0f6b354c378e995ce80f1527bd |