Analysis Overview
SHA256
8b143622df1c5aa48a67188443989926ef6369fc24d953d03ab7f8288d8c2fd7
Threat Level: Known bad
The file 8b143622df1c5aa48a67188443989926ef6369fc24d953d03ab7f8288d8c2fd7 was found to be: Known bad.
Malicious Activity Summary
Healer family
Redline family
RedLine payload
RedLine
Modifies Windows Defender Real-time Protection settings
Detects Healer, an antivirus disabler dropper
Healer
Executes dropped EXE
Windows security modification
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 21:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 21:47
Reported
2024-11-09 21:50
Platform
win10v2004-20241007-en
Max time kernel
143s
Max time network
153s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\budO52re96.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\budO52re96.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\budO52re96.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\budO52re96.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\budO52re96.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\budO52re96.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plwR53XV66.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pluw54Ay31.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plth89Ky84.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plnT07rg77.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\budO52re96.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caaT50kN16.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\budO52re96.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pluw54Ay31.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plth89Ky84.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plnT07rg77.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\8b143622df1c5aa48a67188443989926ef6369fc24d953d03ab7f8288d8c2fd7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plwR53XV66.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8b143622df1c5aa48a67188443989926ef6369fc24d953d03ab7f8288d8c2fd7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plwR53XV66.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pluw54Ay31.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plth89Ky84.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plnT07rg77.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caaT50kN16.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\budO52re96.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\budO52re96.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\budO52re96.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caaT50kN16.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8b143622df1c5aa48a67188443989926ef6369fc24d953d03ab7f8288d8c2fd7.exe
"C:\Users\Admin\AppData\Local\Temp\8b143622df1c5aa48a67188443989926ef6369fc24d953d03ab7f8288d8c2fd7.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plwR53XV66.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plwR53XV66.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pluw54Ay31.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pluw54Ay31.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plth89Ky84.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plth89Ky84.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plnT07rg77.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plnT07rg77.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\budO52re96.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\budO52re96.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caaT50kN16.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caaT50kN16.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| RU | 193.233.20.24:4123 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plwR53XV66.exe
| MD5 | f003153796f70e87fdf82c03b69c67e3 |
| SHA1 | df3bfa6dd79848814c54d3b4e3ad6a7ffbc89c17 |
| SHA256 | 9b41fd3db882884ed682679a542f29449f17fc9c66c3a4a751e308dbdb0a5bb9 |
| SHA512 | 2c69211c098219cf8ecfcdb18c24d19545bf1085aa4bfa65c530f5402463aaff4731687286b9228740ef6dfd2c3c4b8b1d97d0a1b7c40d4bb1b8cf24e11c6044 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pluw54Ay31.exe
| MD5 | bd7aad6029dd31a1044d70254b6757fc |
| SHA1 | 5ced6f16380ed50f684b20c464832a16735eba84 |
| SHA256 | d00cf2953ee6328d0b3daaa61056a93100ca46e3a9796905744d446a886adf6b |
| SHA512 | fe66275dd5f1d6c6b960a95ea3590c384f04baaf247224471a226c5cd786af7e7259764c626b669c4aaece8a01f1596231abb59994ab17e645e81e825ba7b29f |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plth89Ky84.exe
| MD5 | 9e5806e118d5cf37a1b69b9ef3cae97c |
| SHA1 | 6aaf49fee6e81f30385addb960351df1651e1578 |
| SHA256 | c2de137b70bad720eeb2ebf1e952dd3aeba45083875240674926227a34b138e0 |
| SHA512 | 98e21af720a08495f335c7c3e983e8da37a92825ca1d81797087113b01f38c0949f2dd7e385b60733b8718b50fdfae045ae59c45a923874b49d7f0e0a1ebc286 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plnT07rg77.exe
| MD5 | 33e54a633f912b08a6d143e489dddc2c |
| SHA1 | b9f9a8eca74148c1815e5c3f7381b331112d7bfe |
| SHA256 | aa195070ece625d3cc583cb26ccff74972768ccfe965cd3055b61c65f6bb21f0 |
| SHA512 | d7991c6ebc000baaaca1a876da423b5a34e637cbc428f252269e852f0fda29c4221166f1c7d6ab6e2077e69da656c0c08cd81443eeed8ac4774a404ebc735413 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\budO52re96.exe
| MD5 | 96e6d9a63a0c85a0e6b1cda3dca13ddc |
| SHA1 | dad3842c8548ea821bec9a765d353b7a15f2a042 |
| SHA256 | 6238087f85028aa0170f4e8a55bc0d29138c9dc9d8c1fdcae4d4b57c2d134178 |
| SHA512 | 84957495bf0b2ad4dcb537c60d774754f3e35b0c5445c81d5a275a98b13a83c71209c636c59dbc609f81903a1c5e6d5f23fd1dc3a33fe0220b839edaa8e411b4 |
memory/3164-35-0x0000000000360000-0x000000000036A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caaT50kN16.exe
| MD5 | 12a07204bf4c65efdd968689ed260c4e |
| SHA1 | 8430e5110448dc962c4191a1a06b05c4e3c1a140 |
| SHA256 | e4666bb9e57296f0140b125a1c5e32f446659b0baa2c3d7fef87a7aef339433b |
| SHA512 | 61dbfcedae6259039196942064d62cae0de853c6c5afa3547e6394e789ddf3c0acc6e94cd2c89c090c6f891a77565b0fe332b21da0afa5a5102f1d12d4f3989a |
memory/2184-41-0x0000000002750000-0x0000000002796000-memory.dmp
memory/2184-42-0x0000000004C50000-0x00000000051F4000-memory.dmp
memory/2184-43-0x0000000004B60000-0x0000000004BA4000-memory.dmp
memory/2184-53-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/2184-67-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/2184-107-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/2184-105-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/2184-104-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/2184-101-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/2184-99-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/2184-95-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/2184-93-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/2184-91-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/2184-89-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/2184-87-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/2184-85-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/2184-83-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/2184-79-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/2184-78-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/2184-75-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/2184-71-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/2184-69-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/2184-65-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/2184-63-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/2184-61-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/2184-59-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/2184-57-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/2184-55-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/2184-51-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/2184-97-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/2184-81-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/2184-73-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/2184-49-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/2184-47-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/2184-45-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/2184-44-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/2184-950-0x0000000005200000-0x0000000005818000-memory.dmp
memory/2184-951-0x0000000005860000-0x000000000596A000-memory.dmp
memory/2184-952-0x00000000059A0000-0x00000000059B2000-memory.dmp
memory/2184-953-0x00000000059C0000-0x00000000059FC000-memory.dmp
memory/2184-954-0x0000000005B10000-0x0000000005B5C000-memory.dmp