Analysis Overview
SHA256
51d8bd14eb366dce31331aa4a24ae95a0229bc8d6565188b2a0d7a198b074795
Threat Level: Known bad
The file 51d8bd14eb366dce31331aa4a24ae95a0229bc8d6565188b2a0d7a198b074795 was found to be: Known bad.
Malicious Activity Summary
RedLine
Healer
Healer family
RedLine payload
Detects Healer an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
Redline family
Windows security modification
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 21:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 21:47
Reported
2024-11-09 21:50
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bJy19NC20.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bJy19NC20.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bJy19NC20.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bJy19NC20.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bJy19NC20.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bJy19NC20.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\piL62VW44.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pcW54XJ41.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\psE80cX54.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bJy19NC20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cth86MC20.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bJy19NC20.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\51d8bd14eb366dce31331aa4a24ae95a0229bc8d6565188b2a0d7a198b074795.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\piL62VW44.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pcW54XJ41.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\psE80cX54.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cth86MC20.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\51d8bd14eb366dce31331aa4a24ae95a0229bc8d6565188b2a0d7a198b074795.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\piL62VW44.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pcW54XJ41.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\psE80cX54.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bJy19NC20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bJy19NC20.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bJy19NC20.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cth86MC20.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\51d8bd14eb366dce31331aa4a24ae95a0229bc8d6565188b2a0d7a198b074795.exe | "C:\Users\Admin\AppData\Local\Temp\51d8bd14eb366dce31331aa4a24ae95a0229bc8d6565188b2a0d7a198b074795.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\piL62VW44.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\piL62VW44.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pcW54XJ41.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pcW54XJ41.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\psE80cX54.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\psE80cX54.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bJy19NC20.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bJy19NC20.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cth86MC20.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cth86MC20.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| RU | 193.233.20.23:4123 | N/A | tcp |
| RU | 193.233.20.23:4123 | N/A | tcp |
| RU | 193.233.20.23:4123 | N/A | tcp |
| US | 8.8.8.8:53 | 72.209.201.84.in-addr.arpa | udp |
| RU | 193.233.20.23:4123 | N/A | tcp |
| RU | 193.233.20.23:4123 | N/A | tcp |
| RU | 193.233.20.23:4123 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\piL62VW44.exe
| MD5 | 66fc2fccab41154dd1692cf3dc402f04 |
| SHA1 | a7e9d3dca110b58ae9d94d76bed76d027671c55a |
| SHA256 | 33ef0d6c87d4300ab29e4bebd2ae6bdfd994153c7c4acec0cb508b9040ae1310 |
| SHA512 | b7579c5b6cf9e02025f15e99af5647b8b7403068d6b3de225bb3d48a0e88c9f2610bc9e739f954a166c07a25653fa8d3102d7babf2a0a46d78323829acac0a7c |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pcW54XJ41.exe
| MD5 | 2b8cdcf379b6154ad54a20da79acf99c |
| SHA1 | 6d32cfef1047eb057e65a5dae2a3bec672c9eb75 |
| SHA256 | 28994a1c971308756dcc57d4a5713a47bcd12d7a67868860bc3b399b7032e2aa |
| SHA512 | 74b037fbd607a9a519599433d0898b492ccc4a05b4331599c52727148bf39745bae03057dc00ee5917fb82cb8634a007680c47744ec4e0bba89ffb439e73f814 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\psE80cX54.exe
| MD5 | 906162a64c40ed824ea68f25f2c8f0a3 |
| SHA1 | 228308df9cff615b9be308f064f9b5b18193c7e1 |
| SHA256 | 2ecc945d7ae3c7e5ccff80223284ce9c637a46545556aae43ca4a8d88c801655 |
| SHA512 | c87ee814dc7f3f38ddc5eb1f2ba365081e18351dee54dbafd416ae535e1e6ef76120127b323787ab7ddd90d388a10891443753f79ce8d17f02a81db32ac791c6 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bJy19NC20.exe
| MD5 | 76989d4a2115b82a2049cdb33100157a |
| SHA1 | a88856b86bd4d4740012517c0fbfdebaccebe04a |
| SHA256 | fa80a2a8759ff817e06922be933215968a162f55089cd6f26190648fffb15be4 |
| SHA512 | 19719e3eed92c9d907ae53f7d9f77c6421f78d7c6c4094ea87b195f80816a474b124472a0fef4f5bd66eac4939fc89f885332b3a56912b18c4e694b9980107b6 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cth86MC20.exe
| MD5 | f3855c4eadab09dffd655f592be5e9fb |
| SHA1 | 59f051e8d1dfd6784e4a2f84b3acf535b814009d |
| SHA256 | 5f6c4ea9d0babf1692ddbdd16e61b0b70c3e3776ad1673414663104d1ce536db |
| SHA512 | 2f4b3f7d9959319f4fa60bb7624465afd73f9c8e0665f4563fa04e2f5704b957d58975d9758f1d1b30bb1f02c7fa8515b2a2f8f80084d9a120142dae0fc2c4a1 |