Analysis Overview
SHA256
b8a48556b02335ad49007138f05674ab89093d9f33131e3067a4ef4ba68c7f37
Threat Level: Known bad
The file b8a48556b02335ad49007138f05674ab89093d9f33131e3067a4ef4ba68c7f37 was found to be: Known bad.
Malicious Activity Summary
Redline family
Healer family
Healer
RedLine payload
Modifies Windows Defender Real-time Protection settings
RedLine
Detects Healer, an antivirus disabler dropper
Windows security modification
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-07 12:50
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-07 12:50
Reported
2024-11-07 12:53
Platform
win10v2004-20241007-en
Max time kernel
143s
Max time network
147s
Signatures
Detects Healer, an antivirus disabler dropper
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iMF47jl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iMF47jl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iMF47jl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iMF47jl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iMF47jl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iMF47jl.exe | N/A |
RedLine
RedLine payload
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\spC01tE66.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sIH26vQ95.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sYy98mB77.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iMF47jl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kOx12EU.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iMF47jl.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sYy98mB77.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\b8a48556b02335ad49007138f05674ab89093d9f33131e3067a4ef4ba68c7f37.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\spC01tE66.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sIH26vQ95.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sYy98mB77.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kOx12EU.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b8a48556b02335ad49007138f05674ab89093d9f33131e3067a4ef4ba68c7f37.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\spC01tE66.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sIH26vQ95.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iMF47jl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iMF47jl.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iMF47jl.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kOx12EU.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\b8a48556b02335ad49007138f05674ab89093d9f33131e3067a4ef4ba68c7f37.exe | "C:\Users\Admin\AppData\Local\Temp\b8a48556b02335ad49007138f05674ab89093d9f33131e3067a4ef4ba68c7f37.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\spC01tE66.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\spC01tE66.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sIH26vQ95.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sIH26vQ95.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sYy98mB77.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sYy98mB77.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iMF47jl.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iMF47jl.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kOx12EU.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kOx12EU.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 193.233.20.23:4124 | N/A | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| RU | 193.233.20.23:4124 | N/A | tcp |
| US | 8.8.8.8:53 | 105.209.201.84.in-addr.arpa | udp |
| RU | 193.233.20.23:4124 | N/A | tcp |
| RU | 193.233.20.23:4124 | N/A | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| RU | 193.233.20.23:4124 | N/A | tcp |
| RU | 193.233.20.23:4124 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\spC01tE66.exe
| MD5 | d4809a999631efe7cc9443a9f3fed079 |
| SHA1 | 14b6d712f08bb273fd22afce2ad32619c5368b5e |
| SHA256 | c67627ef66f20893d8d1f7c77a43aa09f586886f81e2fcd6788005075402c5f5 |
| SHA512 | 153c0dbcc470444fe92456980af8015599b1c916e4d47482580c7787ffd97a04045cd9effd4cec2abf1e4ae9ec8fb58766d32d36a18a2f9b1817f51e7698558f |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sIH26vQ95.exe
| MD5 | 9f5c7eaaca4dd25798397e51e73b1fe7 |
| SHA1 | c1da599a37189854de9087d3ef5821bcb5410068 |
| SHA256 | c2bf7bc62d1cd5efdd17e9afa4fac6093e6375c547971a107fb1b2bf141261a9 |
| SHA512 | 241b697fe4b51d5799139da78255f3df64f03c1e54f9df8585b0ead4f991706dbdb74fd66349401882b8e184e2c204099a5db59727821ad45d5062329c297969 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sYy98mB77.exe
| MD5 | 130bb20bbeee80ff5b2a07bff0795c64 |
| SHA1 | 98bb27c1370465bd1c1361714e0cfac9c591035b |
| SHA256 | a669c2e5e8d72e887926f5ee66de3032730e433b867fee0143e2fdc44059decd |
| SHA512 | b8d4320b765202bc3459360de83ee519b711c3d2c043f109ab377846aedf57e72ae058c40615f8811c1ae2abf47141371def5583134eb29fc4e79e0f0fb26c02 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iMF47jl.exe
| MD5 | 6b32fa9f5272a83ceb3f05207a463819 |
| SHA1 | 798a35e9ea7d24e61351abffd312c37b7ee1045a |
| SHA256 | 41aedc3e975128a3476e2bd9140c729d88e14d2da0b08857be9172b6984884e6 |
| SHA512 | 1312da29742211db5870fee66c49d9b8558bc808dc22fd4990b98d8b6e20045096c926db28bbfaceb95c31c5f80943760fd8ad80bedaafe0edefd4b0dfc54b0b |
memory/2092-28-0x0000000000660000-0x000000000066A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kOx12EU.exe
| MD5 | e5e97fd2974a50b5a07e32634aa8c336 |
| SHA1 | c841973581b669ce53d079feae3bfc163eac3d48 |
| SHA256 | 934f074101777f99e03a4671dfba2384942017a561be032adb310ac2aaf317e7 |
| SHA512 | 9ce9697c2d5d18313dbcc463f3c6691f28783ff4a1671f205b8a4c5464adb2970fd34d279810266a814b65157e691fe7da59bac25da5a994ed15f35716a07e4b |