Analysis Overview
SHA256
ba292dd501459fcb6ec1713a73f84779bca0ab51d6e553d3eefda3521be34aba
Threat Level: Known bad
The file ba292dd501459fcb6ec1713a73f84779bca0ab51d6e553d3eefda3521be34aba was found to be: Known bad.
Malicious Activity Summary
Redline family
Healer family
Modifies Windows Defender Real-time Protection settings
Healer
RedLine
RedLine payload
Detects Healer an antivirus disabler dropper
Executes dropped EXE
Windows security modification
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-11-09 03:44
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 03:44
Reported
2024-11-09 03:47
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
151s
Signatures
Detects Healer an antivirus disabler dropper
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPP88aU61.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPP88aU61.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPP88aU61.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPP88aU61.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPP88aU61.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPP88aU61.exe | N/A |
RedLine
RedLine payload
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plTD63tH43.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plWn52Tr46.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plxK22xd12.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plxs42Pr03.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPP88aU61.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caiT63dU80.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPP88aU61.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\ba292dd501459fcb6ec1713a73f84779bca0ab51d6e553d3eefda3521be34aba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plTD63tH43.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plWn52Tr46.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plxK22xd12.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plxs42Pr03.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ba292dd501459fcb6ec1713a73f84779bca0ab51d6e553d3eefda3521be34aba.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plTD63tH43.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plWn52Tr46.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plxK22xd12.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plxs42Pr03.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caiT63dU80.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPP88aU61.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPP88aU61.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPP88aU61.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caiT63dU80.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ba292dd501459fcb6ec1713a73f84779bca0ab51d6e553d3eefda3521be34aba.exe
"C:\Users\Admin\AppData\Local\Temp\ba292dd501459fcb6ec1713a73f84779bca0ab51d6e553d3eefda3521be34aba.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plTD63tH43.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plTD63tH43.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plWn52Tr46.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plWn52Tr46.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plxK22xd12.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plxK22xd12.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plxs42Pr03.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plxs42Pr03.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPP88aU61.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPP88aU61.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caiT63dU80.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caiT63dU80.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| RU | 193.233.20.24:4123 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plTD63tH43.exe
| MD5 | 31e49c076c9f5f481049d21f5d7466a4 |
| SHA1 | f1c8c843f27c49dac45309e51c5da71ea80d0354 |
| SHA256 | 4c59f0140a2a5bec54a47116ef8b46b009113e90e7cd837207eb82a73126dddd |
| SHA512 | c29eba3c70c7c51a7b2c05e46eab0c63fb403c8471fda3705022b927522e8b1287b91bf69a4d14804b8af5fa1a620af543ad973dfdf8fe2d195993fc490894cb |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plWn52Tr46.exe
| MD5 | 6f9db12e693f874756df86591469c811 |
| SHA1 | 2ec5afc635c0f18d71ddecd7dbb6960ce7472f71 |
| SHA256 | 9b019b3da9f6f051ff2c823ebdcc6df3744e31e381ae8a38d06a14d5cc283893 |
| SHA512 | 2268d71baa74abc170851629bec6b484f9bc503a335dfd633c850350e06542ab5abb6750413ab1acd7c796c3681305e67b79af7e0090c81de67f6bfcc6882133 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plxK22xd12.exe
| MD5 | 211d334d1a60cda7626157e350d84ff6 |
| SHA1 | ecd805b6bf786afb6d54af9ed6994b054cf06d0b |
| SHA256 | 04eec6e8f16c21184164a6656e34f509af70643572d4abaa53547c9627db35d2 |
| SHA512 | 58f3f9342ed2474f64296ed22d71cae29fa62d8947c884e823b0ee7459218309ce7d6402db7675dddd6e3b3424ff1a69efc2eb06cf3748865b4b6b9af151d75c |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plxs42Pr03.exe
| MD5 | b9699518cc3eb473f1e40fa602fdd5f5 |
| SHA1 | 82f0aa154492521a3369cfbea9f433474e87ec80 |
| SHA256 | 9a44e92d9f91f46c440147b6ac59e8c7cd4d60a7d3bb2adb441eabe4dbe2e348 |
| SHA512 | 45c6fbb9a4e333583783ad01fa88415998ea1ab443f1e7e158b384981f71dc0e8f759ebdde7f72330652daf9a31faf3b3b6b0343cef483cdd0462216c07e31b1 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPP88aU61.exe
| MD5 | 0230b8e0207c22f72ca5384d0dae0537 |
| SHA1 | c9d08bf47ef6e162c0cb7469a667af02ec6b2b75 |
| SHA256 | a8c034dd6336e263f91ed34e502adfeda4c77ad2d83a646d5ba0cbee1b8baa02 |
| SHA512 | f9ce412f9017b66e5b6f8c0c1f38dff9904941c4ab64b2461bd76fbf5101c7f350c5bfc314e943717493d1c552f28e51ccdf14766f671089e1e5332a701eb4fc |
memory/1540-35-0x0000000000010000-0x000000000001A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caiT63dU80.exe
| MD5 | 463f0342eb5474bc19102d174e782a52 |
| SHA1 | b688ca055a9e17bcddb4795120d198771d7e1142 |
| SHA256 | c2cc1ff0910959f41320a8155bd4b8cc28a156c5ab9529f83ea0f741af1c432e |
| SHA512 | 63b3fb356d0f5bc7be1574990dd7de7c68e845e15356e4934cba291d8019a7dbfaedab28e9795f2d33af98982e715738ddf16ff96bfb2cbca7d05814a1d79dc3 |