Analysis Overview
SHA256
5e1c47fa15607f0181a265844141992a9ea68d1bdd7387361a175e266a7d4286
Threat Level: Known bad
The file 5e1c47fa15607f0181a265844141992a9ea68d1bdd7387361a175e266a7d4286 was found to be: Known bad.
Malicious Activity Summary
Healer family
RedLine payload
Redline family
RedLine
Modifies Windows Defender Real-time Protection settings
Detects Healer, an antivirus disabler dropper
Healer
Executes dropped EXE
Windows security modification
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 21:55
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 21:55
Reported
2024-11-09 21:58
Platform
win10v2004-20241007-en
Max time kernel
143s
Max time network
147s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a08058096.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a08058096.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a08058096.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a08058096.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a08058096.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a08058096.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i23692502.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i86791332.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i53562307.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i47964642.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a08058096.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b92097652.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a08058096.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a08058096.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\5e1c47fa15607f0181a265844141992a9ea68d1bdd7387361a175e266a7d4286.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i23692502.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i86791332.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i53562307.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i47964642.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i53562307.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i47964642.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a08058096.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b92097652.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5e1c47fa15607f0181a265844141992a9ea68d1bdd7387361a175e266a7d4286.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i23692502.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i86791332.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a08058096.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a08058096.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a08058096.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Path | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\5e1c47fa15607f0181a265844141992a9ea68d1bdd7387361a175e266a7d4286.exe | "C:\Users\Admin\AppData\Local\Temp\5e1c47fa15607f0181a265844141992a9ea68d1bdd7387361a175e266a7d4286.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i23692502.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i23692502.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i86791332.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i86791332.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i53562307.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i53562307.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i47964642.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i47964642.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a08058096.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a08058096.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b92097652.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b92097652.exe |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | N/A | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | N/A | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | N/A | tcp |
| RU | 185.161.248.73:4164 | N/A | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | N/A | tcp |
| RU | 185.161.248.73:4164 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i23692502.exe
| MD5 | a5c8a8494de272d852dd4999d1e329c4 |
| SHA1 | 3881f72ecd48ec71f036aac4ee997d7e56ab19fd |
| SHA256 | 488ec3515d3f54b83bba6b4f711fd5c779909cc9f1d4ad9522d86f47e7338ec4 |
| SHA512 | b15c2d053c90b56d980ab178ffc3d828f17d94518b03b942cba29fa5a49aeafe64b6c96d0a1f3948b8d71928d44fc3b834e6b5595536d2b81d8c8796c18f504d |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i86791332.exe
| MD5 | c0d68b9a50930ad08ed8e6f5ea124661 |
| SHA1 | 129ed97386ca1c6f17d66d45fa7c3132946d5c9c |
| SHA256 | 02464048dc6d7e00c7e09c38693765d48bad3b225acdba3cf058bdaedb6793e6 |
| SHA512 | 29c3cbbd9368daf16145f61c6479a2ac73efccdbb2789e0a7d868a8f0c15a3988bf1f9f4bdd3a8da2fd5c923e3521c21aa5a89955967583e9a3756cc1f913892 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i53562307.exe
| MD5 | 01d082d4f8da86e0d73f9c31a5db7db2 |
| SHA1 | 702cb6db6539f46416a99ccdc2e6cf14373cf59c |
| SHA256 | 207248d5470886f01f24ef4485948cb5b7a7e46302260845f22b142781d002e8 |
| SHA512 | 27677cba1978510bb50ab5125dde3c372f471122bfb222297a025a4913255b054546b6d1c69a08eb1d080022ba93c783ff3007ae57554442841ecb6cfa3628b8 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i47964642.exe
| MD5 | 570bf6b234976a49820fc98aa4463b22 |
| SHA1 | ad937493cf4ef098a946c41ce7db823d9d75994b |
| SHA256 | db168f0c96afcfd1d5c55d1990711688c9d13877c1e816cdadde38eab388715e |
| SHA512 | 9d0381f8e8ba41db0976628465c6da2500ba8a357d5bcc21a579e7f4fd9ba66b4017206184cdcc55ba06ab479adbed8073bebd14fef4fe7fc0d1f6c10429e132 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a08058096.exe
| MD5 | ee80b3316cd5c83b97e0e8bb9c39ba53 |
| SHA1 | 16f11a4f64ef79d2b1372733a1e87b37cc67d605 |
| SHA256 | f891ef3396e701000a6154ab62e73d8bcd0d98d4b4237375e44a33ba71f1798a |
| SHA512 | 8b1441586261d3b0b30172bd585a72bf55bbaa1fe142ee4ced239dac145d927a0438ff6e3268e5761c5400b9c97d292aca3728f71725656ba7ecf6eeef51b097 |
memory/3492-35-0x00000000048D0000-0x00000000048EA000-memory.dmp
memory/3492-36-0x0000000004970000-0x0000000004F14000-memory.dmp
memory/3492-37-0x0000000004900000-0x0000000004918000-memory.dmp
memory/3492-65-0x0000000004900000-0x0000000004913000-memory.dmp
memory/3492-63-0x0000000004900000-0x0000000004913000-memory.dmp
memory/3492-61-0x0000000004900000-0x0000000004913000-memory.dmp
memory/3492-59-0x0000000004900000-0x0000000004913000-memory.dmp
memory/3492-57-0x0000000004900000-0x0000000004913000-memory.dmp
memory/3492-55-0x0000000004900000-0x0000000004913000-memory.dmp
memory/3492-53-0x0000000004900000-0x0000000004913000-memory.dmp
memory/3492-51-0x0000000004900000-0x0000000004913000-memory.dmp
memory/3492-49-0x0000000004900000-0x0000000004913000-memory.dmp
memory/3492-47-0x0000000004900000-0x0000000004913000-memory.dmp
memory/3492-45-0x0000000004900000-0x0000000004913000-memory.dmp
memory/3492-43-0x0000000004900000-0x0000000004913000-memory.dmp
memory/3492-41-0x0000000004900000-0x0000000004913000-memory.dmp
memory/3492-39-0x0000000004900000-0x0000000004913000-memory.dmp
memory/3492-38-0x0000000004900000-0x0000000004913000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b92097652.exe
| MD5 | 9006af2a5fefcdbfe6e5df6b1513e9ca |
| SHA1 | 5b44a57ecf622a39cd474523e8ed049457b57cde |
| SHA256 | ae970429e71e6ded80d3e3ecb49fab71da70ed1e1c7c1d311b71759c9094e854 |
| SHA512 | 43751285cebc580f73bc735c8dc09c8bf150e16571cf14ea592a37dd865610e0083f43c1efa91151fdb432961e940370e8a8f5d93f5617501c08768eeca82cc8 |
memory/1436-70-0x0000000000E20000-0x0000000000E50000-memory.dmp
memory/1436-71-0x0000000002F90000-0x0000000002F96000-memory.dmp
memory/1436-72-0x0000000005D50000-0x0000000006368000-memory.dmp
memory/1436-73-0x0000000005870000-0x000000000597A000-memory.dmp
memory/1436-74-0x00000000057A0000-0x00000000057B2000-memory.dmp
memory/1436-75-0x0000000005800000-0x000000000583C000-memory.dmp
memory/1436-76-0x0000000005980000-0x00000000059CC000-memory.dmp