Analysis Overview
SHA256
447626370e05e837d5317db63c546ac8ace2292de1a812b9bdb17979475a3483
Threat Level: Known bad
The file 447626370e05e837d5317db63c546ac8ace2292de1a812b9bdb17979475a3483 was found to be: Known bad.
Malicious Activity Summary
Healer family
RedLine
Redline family
Detects Healer an antivirus disabler dropper
Healer
RedLine payload
Modifies Windows Defender Real-time Protection settings
Executes dropped EXE
Windows security modification
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-07 09:22
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-07 09:22
Reported
2024-11-07 09:25
Platform
win10v2004-20241007-en
Max time kernel
141s
Max time network
149s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iZi21KZ.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iZi21KZ.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iZi21KZ.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iZi21KZ.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iZi21KZ.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iZi21KZ.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sXg59sP.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sgm29MB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iZi21KZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\knF87yc.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iZi21KZ.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\447626370e05e837d5317db63c546ac8ace2292de1a812b9bdb17979475a3483.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sXg59sP.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sgm29MB.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\447626370e05e837d5317db63c546ac8ace2292de1a812b9bdb17979475a3483.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sXg59sP.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sgm29MB.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\knF87yc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iZi21KZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iZi21KZ.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iZi21KZ.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\447626370e05e837d5317db63c546ac8ace2292de1a812b9bdb17979475a3483.exe | "C:\Users\Admin\AppData\Local\Temp\447626370e05e837d5317db63c546ac8ace2292de1a812b9bdb17979475a3483.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sXg59sP.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sXg59sP.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sgm29MB.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sgm29MB.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iZi21KZ.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iZi21KZ.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\knF87yc.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\knF87yc.exe |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| RU | 193.233.20.13:4136 | | tcp |
| RU | 193.233.20.13:4136 | | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| RU | 193.233.20.13:4136 | | tcp |
| RU | 193.233.20.13:4136 | | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| RU | 193.233.20.13:4136 | | tcp |
| RU | 193.233.20.13:4136 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sXg59sP.exe
| Hash | Value |
|---|---|
| MD5 | 35db8148107fe3bf89ab24c556ed7ab0 |
| SHA1 | 348c296eda7962519fb306ac54549dde186a9380 |
| SHA256 | 6bb084c0cd0c4e25a0e7a1190c78a5b6629e779408c00a1db434a931899ad21b |
| SHA512 | 4092a3bb26f08b8113f0b1749b4e25b203cc7e4cbf10a2f0019230fba53ed2383132b71f869069a9f654e43433399e4cba9e0117835884e608a100f0bf2c2994 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sgm29MB.exe
| Hash | Value |
|---|---|
| MD5 | fb11758b58ad7fab3abb857a39382fa6 |
| SHA1 | 67345f74c0e7d14f0ee1e2a429e10e44bcdf6bea |
| SHA256 | a3f4ce45333e62b9fc2b5b235b84aea837765903c2278f3328e8d1d2cefd2341 |
| SHA512 | 6600328b2dd9f20b175939796a3dc9205a6b9aea2fd3fb1bf4e624981204e0fb3780a7dac294f8dd57417ba8bdf4b101e686debb8b99343d504ff7d36ef18cce |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iZi21KZ.exe
| Hash | Value |
|---|---|
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\knF87yc.exe
| Hash | Value |
|---|---|
| MD5 | a5f5c5d6291c7ae9e1d1b7ed1e551490 |
| SHA1 | 3d06413341893b838549939e15f8f1eec423d71a |
| SHA256 | 1a09ce1cb64219a5d88e57845dc9ba6631efa06fccc8867ccf94eb132947563e |
| SHA512 | d9b3ba67bdd615ee2ce91a29cd9cf6723464be27bf45186fd0e9559ff2b0e7c51b423cfc3e32b5e90955046fb75a34c4a8528df7294b6c831ca254a65d2b8ba2 |