Analysis Overview
SHA256
227f543477358af7f051fc7858d8bf635b9e2332a09a3759e0b829ae6ff437b2
Threat Level: Known bad
The file 227f543477358af7f051fc7858d8bf635b9e2332a09a3759e0b829ae6ff437b2 was found to be: Known bad.
Malicious Activity Summary
Detects Healer an antivirus disabler dropper
RedLine
Healer family
RedLine payload
Modifies Windows Defender Real-time Protection settings
Healer
Redline family
Executes dropped EXE
Windows security modification
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 21:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 21:47
Reported
2024-11-09 21:49
Platform
win10v2004-20241007-en
Max time kernel
143s
Max time network
147s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw58bd16eL61.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw58bd16eL61.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw58bd16eL61.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw58bd16eL61.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw58bd16eL61.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw58bd16eL61.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vnK4465lE.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw58bd16eL61.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tPl92Zw66.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw58bd16eL61.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\227f543477358af7f051fc7858d8bf635b9e2332a09a3759e0b829ae6ff437b2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vnK4465lE.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\227f543477358af7f051fc7858d8bf635b9e2332a09a3759e0b829ae6ff437b2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vnK4465lE.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tPl92Zw66.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw58bd16eL61.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw58bd16eL61.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw58bd16eL61.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tPl92Zw66.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\227f543477358af7f051fc7858d8bf635b9e2332a09a3759e0b829ae6ff437b2.exe
"C:\Users\Admin\AppData\Local\Temp\227f543477358af7f051fc7858d8bf635b9e2332a09a3759e0b829ae6ff437b2.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vnK4465lE.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vnK4465lE.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw58bd16eL61.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw58bd16eL61.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tPl92Zw66.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tPl92Zw66.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vnK4465lE.exe
| MD5 | a89ade95c44340d9ba86e947aa047681 |
| SHA1 | 8f869081f1fe3724dacb0ab2d8b4d6bdd57c4d89 |
| SHA256 | a5fcb36cb7dd6940a4904551359e69e3cf3b321c7ebd4779d905e133a3bc52df |
| SHA512 | 9bba94890635de9e9cae87111b7c09f1104aba1816deaff5837ec362927981104091204bdc546a6abc10b99cc8a422a84c8c4a4c6e5c384b66e399d6d91d666e |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw58bd16eL61.exe
| MD5 | 0a3d59173bc50e605c828c11c1bdefe7 |
| SHA1 | ef6bac750cdd66820f3d387fb1bbf78de2a4c47e |
| SHA256 | cebeff134d3d7f0f446456d57545060a94054e4b63c9fef4ae9d466fbceaee22 |
| SHA512 | c8c91a29df197a18768ffd9ea3e04a1cbfd781ba4575eba8940002adef7169a4720ad622e337479c9ded4283a9940142ab65bb48b57cfc81590deff8bd9cf79a |
memory/2136-14-0x00007FFCA10C3000-0x00007FFCA10C5000-memory.dmp
memory/2136-15-0x0000000000310000-0x000000000031A000-memory.dmp
memory/2136-16-0x00007FFCA10C3000-0x00007FFCA10C5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tPl92Zw66.exe
| MD5 | 0b1fc7b6b5f423e268221516747427e9 |
| SHA1 | 46193a7985ffd4b645fb2abf9eb10bc11a78a537 |
| SHA256 | d798407025621d1aab6e51a2cd6b6b8db9b0832b5ff932001ae3a42789c69bc2 |
| SHA512 | 120304b76de795816e47f07555c149c65dc52a152b92dafc5f5e4ff4dc4c09e8a1ca3b71c043d0cecb2f4c74e434ba0ec9ae4bd15a3cf22bb880326c77be02e8 |
memory/3980-22-0x00000000024B0000-0x00000000024F6000-memory.dmp
memory/3980-23-0x0000000004C40000-0x00000000051E4000-memory.dmp
memory/3980-24-0x0000000004B90000-0x0000000004BD4000-memory.dmp
memory/3980-40-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/3980-50-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/3980-88-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/3980-86-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/3980-82-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/3980-80-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/3980-78-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/3980-76-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/3980-74-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/3980-72-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/3980-70-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/3980-68-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/3980-66-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/3980-64-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/3980-60-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/3980-58-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/3980-56-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/3980-54-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/3980-52-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/3980-48-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/3980-46-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/3980-44-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/3980-42-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/3980-38-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/3980-36-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/3980-932-0x0000000005860000-0x000000000596A000-memory.dmp
memory/3980-933-0x00000000059A0000-0x00000000059B2000-memory.dmp
memory/3980-931-0x00000000051F0000-0x0000000005808000-memory.dmp
memory/3980-34-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/3980-32-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/3980-30-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/3980-28-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/3980-84-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/3980-62-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/3980-934-0x00000000059C0000-0x00000000059FC000-memory.dmp
memory/3980-26-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/3980-25-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/3980-935-0x0000000005B10000-0x0000000005B5C000-memory.dmp