Analysis Overview
SHA256
aec82aaa0df20d7580f7f2704eef687944f062eeceb654be4ff434de05c0cae0
Threat Level: Known bad
The file aec82aaa0df20d7580f7f2704eef687944f062eeceb654be4ff434de05c0cae0 was found to be: Known bad.
Malicious Activity Summary
Healer
RedLine payload
Detects Healer an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
Redline family
Healer family
RedLine
Windows security modification
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 21:46
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 21:46
Reported
2024-11-09 21:48
Platform
win10v2004-20241007-en
Max time kernel
141s
Max time network
149s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az703803.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az703803.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az703803.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az703803.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az703803.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az703803.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki676630.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki927539.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki784693.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki189772.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az703803.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu591768.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az703803.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\aec82aaa0df20d7580f7f2704eef687944f062eeceb654be4ff434de05c0cae0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki676630.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki927539.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki784693.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki189772.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu591768.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\aec82aaa0df20d7580f7f2704eef687944f062eeceb654be4ff434de05c0cae0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki676630.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki927539.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki784693.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki189772.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az703803.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az703803.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az703803.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu591768.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\aec82aaa0df20d7580f7f2704eef687944f062eeceb654be4ff434de05c0cae0.exe | "C:\Users\Admin\AppData\Local\Temp\aec82aaa0df20d7580f7f2704eef687944f062eeceb654be4ff434de05c0cae0.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki676630.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki676630.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki927539.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki927539.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki784693.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki784693.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki189772.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki189772.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az703803.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az703803.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu591768.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu591768.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| RU | 185.161.248.152:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.161.248.152:38452 | N/A | tcp |
| RU | 185.161.248.152:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| RU | 185.161.248.152:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| RU | 185.161.248.152:38452 | N/A | tcp |
| RU | 185.161.248.152:38452 | N/A | tcp |
| RU | 185.161.248.152:38452 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki676630.exe
| MD5 | 6c1fc4e11b2e5f3830374bd4c888aee7 |
| SHA1 | e955ea2936fe82a74498fe87d8c2d78765a500d2 |
| SHA256 | c92862336197bdd6ab684d25f3009015a4cb7771d3582bea2636fe2d01b2916f |
| SHA512 | 93c4d3e0809f6f7f9cb8645788f7c1e5b252fb2319e0b68a87e53b3430622fefb65bd33084fc63266666f2fb70a2dfded1494300d5fde5484743e62d134d1998 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki927539.exe
| MD5 | c3cfc15ca13a3c8b67788c1b636675d5 |
| SHA1 | eaa612b228ae629c1b23bab4b89831ac7c67e1b9 |
| SHA256 | 69c87a4719943a32794f61ed63b2a7c6340808bc4db639b55bfd65d377781d48 |
| SHA512 | c2d90e3b6b76f3b2b23ce2db38eea21c6d0a9c0e455fb1394b9358f5eabfdc613161afc6368bb0b5f1d7031e6749ef46ee4ba27fa739ba3a9f0949c751bac1bf |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki784693.exe
| MD5 | b0912b2e5df619683116c974d74b48b4 |
| SHA1 | a617da6cacac58fa7fd7878c85834f27b37c9fa7 |
| SHA256 | 5e9338b90316c66a200f6b51342f9cb89c8ba4b71fea90bf902228115e1437af |
| SHA512 | 443cb795bace6782aa438972134664002d99a97d462e732711f7db2a487adb6c4d92fa9cc09d67f7cd631d2b40c32547c24e5e9545ec750607f471d349e03432 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki189772.exe
| MD5 | 5ed4826a261478b64307fa31f44baf6d |
| SHA1 | 69928fa8e89b424e7a7014fc8dc776a96b193b29 |
| SHA256 | 90e6dd2bf491996bcffeae35f264e60a77ef53bf441c43914cfa9bafa4adc658 |
| SHA512 | 382e63f80bbffad21a8023c5b1cc3c101f5cbb46c7c12b2b3f2e962857391fff1beb200e7c7b658f13f0a227b2db7cc3911f53506d0dbc6e2951777b82d2b67b |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az703803.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/3256-35-0x0000000000080000-0x000000000008A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu591768.exe
| MD5 | f6ef33ae56ea76020ddb3bb26512e59e |
| SHA1 | 86a1031d48890b80b7bda9020cefd0eb0a1fe5a9 |
| SHA256 | aaad047c831fa83f3de78ba7fc938adbc8f59d0d830098bfaf0eb79399ea55ad |
| SHA512 | 3273af9534a3805a1787c8ce08e8d44ff771a4617c107dcce30d9c92d2ab7f3ca17b5b35ec18fa8a140abc44135ff6ec5b050392863ce864cc214d7926d8b2b9 |
memory/4224-41-0x0000000002900000-0x000000000293C000-memory.dmp
memory/4224-42-0x0000000004E90000-0x0000000005434000-memory.dmp
memory/4224-43-0x0000000004E30000-0x0000000004E6A000-memory.dmp
memory/4224-107-0x0000000004E30000-0x0000000004E65000-memory.dmp
memory/4224-105-0x0000000004E30000-0x0000000004E65000-memory.dmp
memory/4224-103-0x0000000004E30000-0x0000000004E65000-memory.dmp
memory/4224-101-0x0000000004E30000-0x0000000004E65000-memory.dmp
memory/4224-99-0x0000000004E30000-0x0000000004E65000-memory.dmp
memory/4224-838-0x0000000007FC0000-0x00000000080CA000-memory.dmp
memory/4224-839-0x00000000080E0000-0x000000000811C000-memory.dmp
memory/4224-837-0x0000000007FA0000-0x0000000007FB2000-memory.dmp
memory/4224-836-0x0000000007900000-0x0000000007F18000-memory.dmp
memory/4224-840-0x0000000002740000-0x000000000278C000-memory.dmp
memory/4224-97-0x0000000004E30000-0x0000000004E65000-memory.dmp
memory/4224-93-0x0000000004E30000-0x0000000004E65000-memory.dmp
memory/4224-91-0x0000000004E30000-0x0000000004E65000-memory.dmp
memory/4224-89-0x0000000004E30000-0x0000000004E65000-memory.dmp
memory/4224-87-0x0000000004E30000-0x0000000004E65000-memory.dmp
memory/4224-85-0x0000000004E30000-0x0000000004E65000-memory.dmp
memory/4224-83-0x0000000004E30000-0x0000000004E65000-memory.dmp
memory/4224-81-0x0000000004E30000-0x0000000004E65000-memory.dmp
memory/4224-79-0x0000000004E30000-0x0000000004E65000-memory.dmp
memory/4224-77-0x0000000004E30000-0x0000000004E65000-memory.dmp
memory/4224-75-0x0000000004E30000-0x0000000004E65000-memory.dmp
memory/4224-71-0x0000000004E30000-0x0000000004E65000-memory.dmp
memory/4224-70-0x0000000004E30000-0x0000000004E65000-memory.dmp
memory/4224-67-0x0000000004E30000-0x0000000004E65000-memory.dmp
memory/4224-65-0x0000000004E30000-0x0000000004E65000-memory.dmp
memory/4224-63-0x0000000004E30000-0x0000000004E65000-memory.dmp
memory/4224-61-0x0000000004E30000-0x0000000004E65000-memory.dmp
memory/4224-59-0x0000000004E30000-0x0000000004E65000-memory.dmp
memory/4224-57-0x0000000004E30000-0x0000000004E65000-memory.dmp
memory/4224-55-0x0000000004E30000-0x0000000004E65000-memory.dmp
memory/4224-53-0x0000000004E30000-0x0000000004E65000-memory.dmp
memory/4224-51-0x0000000004E30000-0x0000000004E65000-memory.dmp
memory/4224-49-0x0000000004E30000-0x0000000004E65000-memory.dmp
memory/4224-47-0x0000000004E30000-0x0000000004E65000-memory.dmp
memory/4224-95-0x0000000004E30000-0x0000000004E65000-memory.dmp
memory/4224-73-0x0000000004E30000-0x0000000004E65000-memory.dmp
memory/4224-45-0x0000000004E30000-0x0000000004E65000-memory.dmp
memory/4224-44-0x0000000004E30000-0x0000000004E65000-memory.dmp