Analysis Overview
SHA256
4d088e2c3449df88bddf86e0f58caf983be6e41a6b6d2ad7956a1d31e530b0e3
Threat Level: Known bad
The file 4d088e2c3449df88bddf86e0f58caf983be6e41a6b6d2ad7956a1d31e530b0e3 was found to be: Known bad.
Malicious Activity Summary
Healer
Redline family
Detects Healer, an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine payload
Healer family
Windows security modification
Executes dropped EXE
Adds Run key to start application
Launches sc.exe
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-07 02:22
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-07 02:22
Reported
2024-11-07 02:25
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iHO86rq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iHO86rq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iHO86rq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iHO86rq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iHO86rq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iHO86rq.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stC21UM78.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sEq64AI19.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\szM42Gn92.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iHO86rq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kaE74HJ.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iHO86rq.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\4d088e2c3449df88bddf86e0f58caf983be6e41a6b6d2ad7956a1d31e530b0e3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stC21UM78.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sEq64AI19.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\szM42Gn92.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\szM42Gn92.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kaE74HJ.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4d088e2c3449df88bddf86e0f58caf983be6e41a6b6d2ad7956a1d31e530b0e3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stC21UM78.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sEq64AI19.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iHO86rq.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iHO86rq.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kaE74HJ.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\4d088e2c3449df88bddf86e0f58caf983be6e41a6b6d2ad7956a1d31e530b0e3.exe | "C:\Users\Admin\AppData\Local\Temp\4d088e2c3449df88bddf86e0f58caf983be6e41a6b6d2ad7956a1d31e530b0e3.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stC21UM78.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stC21UM78.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sEq64AI19.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sEq64AI19.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\szM42Gn92.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\szM42Gn92.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iHO86rq.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iHO86rq.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kaE74HJ.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kaE74HJ.exe |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe start wuauserv |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 193.233.20.23:4124 | N/A | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| RU | 193.233.20.23:4124 | N/A | tcp |
| RU | 193.233.20.23:4124 | N/A | tcp |
| RU | 193.233.20.23:4124 | N/A | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| RU | 193.233.20.23:4124 | N/A | tcp |
| RU | 193.233.20.23:4124 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stC21UM78.exe
| MD5 | cda0ba2f46109dff4625c138815333e0 |
| SHA1 | d53b9d3b75f951209ae60dadb31e169ecb1cc88f |
| SHA256 | 19cef52d8912f92c2e70466d0239eb8d1ac2de2366a64228bfc459d596a88d9b |
| SHA512 | bbae5af7f5bb82cdb2279f05b276cdce11fcdad1635e6020753ffac66fb84343a7eef5b39cdc166cabfbfd7f8213d0a2017a70101785936c252559f7ad452ca1 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sEq64AI19.exe
| MD5 | 4acde0c98110d81a16cc4142ad0768bb |
| SHA1 | 0e8d37d14a1807ff1d7b8919f55fb2f991909f17 |
| SHA256 | 00a08145060b94c2bbcdce4a7991d80f44ad1beb189ade90c28eae356189e54c |
| SHA512 | ce287ae4a6fb8128156c5b2754e8168d36c58359aa7112fda2ccd8f7bb3dc3d4a0783a0b868926ff4df80c817806318b0efe5603326a37f14ca857096ee98545 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\szM42Gn92.exe
| MD5 | ee2972dc9ac93157ba79e2d60eedcf4b |
| SHA1 | 66bba59a4be4d7746434d03d941da65bdc4188b1 |
| SHA256 | 37648268773e03f8f89e732342c31b8c84d32d13ed2017cdcfed22e14448b607 |
| SHA512 | ecd18c626899e889c34981cb2840d754a9b5ed2868bedcdc083015ac0029dbefb2d95a481cd9afb2ac4983a7a707e126477ed70bdd0336ce032a77f7ea801462 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iHO86rq.exe
| MD5 | 3f743544178d1d7086fb775f43dcfeeb |
| SHA1 | 7b9c026e578b764614a1bbf3784d24f1598db442 |
| SHA256 | d08e033389f404907756d12db74080967c5b64473fbef8a309bc1d760f58e16c |
| SHA512 | 66db004f3c60a8cd093f2df6c71e0248a78645022b1d96aa47f3658ebd9bd26b528339942b9a322ac1529d80f8eae1c4a416a9ae03323e030271239c1a284eaa |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kaE74HJ.exe
| MD5 | b907779ac03be51e3fe55c545e16195d |
| SHA1 | d39a6ffa3af1153cb920e4fd1a9bd38b99c1f37b |
| SHA256 | 49c804cc4ef692834971fe93b96777381c9b247ce2f1d49b34b39e01b05d610c |
| SHA512 | c72a9fbaad8653f9f2f065c196a8abf5dcf540dd5f52514df72b9668220849d8921cd6b3c9441386bcfbc27e507b578bcf59b31d802279d5141d1c0bcf3b78b7 |