Analysis Overview
SHA256: 5306029cf3f5d1aa9b16bcaecec6ae715ee7698bb72a2e4ade27d9af733f9825
Threat Level: Known bad
The file 5306029cf3f5d1aa9b16bcaecec6ae715ee7698bb72a2e4ade27d9af733f9825 was found to be: Known bad.
Malicious Activity Summary
RedLine
Healer family
Redline family
Detects Healer an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
RedLine payload
Healer
Executes dropped EXE
Windows security modification
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-07 02:18
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-07 02:18
Reported
2024-11-07 02:20
Platform
win10v2004-20241007-en
Max time kernel
144s
Max time network
148s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVe48On.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVe48On.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVe48On.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVe48On.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVe48On.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVe48On.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sGT14Yb32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sZX35fF12.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\svJ69so29.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVe48On.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ktX38Ge.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVe48On.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\5306029cf3f5d1aa9b16bcaecec6ae715ee7698bb72a2e4ade27d9af733f9825.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sGT14Yb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sZX35fF12.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\svJ69so29.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5306029cf3f5d1aa9b16bcaecec6ae715ee7698bb72a2e4ade27d9af733f9825.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sGT14Yb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sZX35fF12.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\svJ69so29.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ktX38Ge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVe48On.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVe48On.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVe48On.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ktX38Ge.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\5306029cf3f5d1aa9b16bcaecec6ae715ee7698bb72a2e4ade27d9af733f9825.exe | "C:\Users\Admin\AppData\Local\Temp\5306029cf3f5d1aa9b16bcaecec6ae715ee7698bb72a2e4ade27d9af733f9825.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sGT14Yb32.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sGT14Yb32.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sZX35fF12.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sZX35fF12.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\svJ69so29.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\svJ69so29.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVe48On.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVe48On.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ktX38Ge.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ktX38Ge.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 193.233.20.23:4124 | N/A | tcp |
| RU | 193.233.20.23:4124 | N/A | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| RU | 193.233.20.23:4124 | N/A | tcp |
| RU | 193.233.20.23:4124 | N/A | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| RU | 193.233.20.23:4124 | N/A | tcp |
| RU | 193.233.20.23:4124 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sGT14Yb32.exe
| MD5 | 22c1a9074ddf65496dcc43ad3fcebfbb |
| SHA1 | 764759675da39a12c870931349a14faf033f9f6b |
| SHA256 | 16462b753be529c8725c668393de46d61685291203a55b40c23e88f2e8f2d4bc |
| SHA512 | 5a6816f96c75cbb0b03a2a94ba14e2b6ac246f58c424f05d9cc89b2d5f3ccb29ea674ef9eaabf4d2a20f4b7ba5ddf57194c402fa29ff7e28ea8da936f00282e4 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sZX35fF12.exe
| MD5 | 7c3b8c5ceed9b9bff4c64070c979ffa9 |
| SHA1 | aa69d44c6a96763e97f570e743233549625249e2 |
| SHA256 | 1f1b976c4223d577342ed204ceb4e592ebf8840300f817b150530a4e99dc9761 |
| SHA512 | f3b2ce3b39eb4c226c47e571d473e3b7ab8fd392b7b6a3be7c6ea2d3a4e20ab6316d3789439cb744831c63c2860803fde7baed44ed59428573657c1c55caeb66 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\svJ69so29.exe
| MD5 | dae4c26c153780c2d75c6330eec4cd15 |
| SHA1 | 27b1d6575a51a7588ec579a2c7c4a7e4815f94ff |
| SHA256 | d09e5e019bf2e21ccc84d2b0d6fb958992083cb384ff566e46a5ed5bb95caf47 |
| SHA512 | 3c6f6f6669eab9a6101f0308ac987c822c9a2804a0529a19c3d1cde4f0bc6c0156fe09fbfd61f41a6d0a5aae624da61f85ef6747def57dfbaaf141fe96d7b802 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVe48On.exe
| MD5 | b1f79154e59b5f3e06ff6e21f24e7109 |
| SHA1 | af8f64023d822bb68d99911e7a450a23b4a80b93 |
| SHA256 | 71d7e954767d719978ae02ad4a6e75cce4f08e2cc394591528d7247678a523a9 |
| SHA512 | 1ec860288512bba7e493b9f4223de67b287507190fd1fa14f60e3f18e1d21b9a5d1b6a55bdb9b1c963d5305d6718b414be1ed2566b83e65c6e031a581f005fa2 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ktX38Ge.exe
| MD5 | a6adc2e80b48f93ba7b7a58f2465d794 |
| SHA1 | f27bbdf26dbb193c5f5e8ee97aea6e786562fd0a |
| SHA256 | a8d3a71edf6a6d2a647021f26bc97cf728dccf92b22663e6b9624f43fff427f4 |
| SHA512 | ec7797e25e7ccc87ecd84b2e658ce547db2ee46329c78437c03b55117cc1c56a55a6c267f92aabf5debbad324d6233c87e102db12a3d562d769c08424ed79c41 |