Analysis Overview
SHA256
c57e5ca36e3302bcab0bf907a5716e4dac2e1f0573e7e23302d57f2ac0ea631b
Threat Level: Known bad
The file c57e5ca36e3302bcab0bf907a5716e4dac2e1f0573e7e23302d57f2ac0ea631b was found to be: Known bad.
Malicious Activity Summary
Detects Healer, an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
RedLine
Redline family
RedLine payload
Healer
Healer family
Windows security modification
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 03:59
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 03:59
Reported
2024-11-09 04:01
Platform
win10v2004-20241007-en
Max time kernel
144s
Max time network
149s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buVB27Oe75.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buVB27Oe75.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buVB27Oe75.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buVB27Oe75.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buVB27Oe75.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buVB27Oe75.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plMS91Qg62.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plPh24aA08.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plSL95fF89.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plJA80QM86.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buVB27Oe75.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caFV21gN19.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buVB27Oe75.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\c57e5ca36e3302bcab0bf907a5716e4dac2e1f0573e7e23302d57f2ac0ea631b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plMS91Qg62.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plPh24aA08.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plSL95fF89.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plJA80QM86.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plJA80QM86.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caFV21gN19.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c57e5ca36e3302bcab0bf907a5716e4dac2e1f0573e7e23302d57f2ac0ea631b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plMS91Qg62.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plPh24aA08.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plSL95fF89.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buVB27Oe75.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buVB27Oe75.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buVB27Oe75.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caFV21gN19.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\c57e5ca36e3302bcab0bf907a5716e4dac2e1f0573e7e23302d57f2ac0ea631b.exe | "C:\Users\Admin\AppData\Local\Temp\c57e5ca36e3302bcab0bf907a5716e4dac2e1f0573e7e23302d57f2ac0ea631b.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plMS91Qg62.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plMS91Qg62.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plPh24aA08.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plPh24aA08.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plSL95fF89.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plSL95fF89.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plJA80QM86.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plJA80QM86.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buVB27Oe75.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buVB27Oe75.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caFV21gN19.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caFV21gN19.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| RU | 193.233.20.24:4123 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plMS91Qg62.exe
| Hash | Value |
| MD5 | 88a7c440ba6a258395f7ba5e6db29263 |
| SHA1 | a4e89c322c4607e4ff04e7f10279654a9cf82e45 |
| SHA256 | 3fe77d9168812401c9498315680fd14eb7f2edee8d5ee4a4e131662aab84d4b0 |
| SHA512 | 30e347c9731320d814fbe8a2173716e8ea2c3ec42440b5a357914d62b2b52d12dd03cf36ff3f176a197f10deadf9e854ce4d202431610c79154f6c31f6c3504e |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plPh24aA08.exe
| Hash | Value |
| MD5 | 644a35ccced75f6bbe3d9c44a83116da |
| SHA1 | dd80400673cdc473f17366985c9a70c77f966b89 |
| SHA256 | 8b7c95094da886e8f300b9abcef7154481ef7d216509963eefd2558bab8bbe94 |
| SHA512 | 3b515b14055602198ebc05c0b39689f2611458dc18cbc57a9c10f85b99ea7fc3185d6792157f8938a70ebacba7bab8ce78ce09b104de758c6c4a626db9fff693 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plSL95fF89.exe
| Hash | Value |
| MD5 | 0b92bb24bef10d276a17fed51356cde0 |
| SHA1 | 4e7449c5c560da1ea69dc7d5de97eb3fe2b760d1 |
| SHA256 | 782d4b75582a09f7a110215642a63dafb809040bc4c2a46e5f54bb3c54d41f4f |
| SHA512 | 25d229062a4b120f74d122d50f8f4bc7f80344cc8d40fd47a715a350c76201e0d8110c57d99362154cc8a45bbd965c7b28193623a384566d0c6a0a1c89afaee0 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plJA80QM86.exe
| Hash | Value |
| MD5 | d6f6093082c377a3e22482c71d79d950 |
| SHA1 | c8ddb15edf2574ed9c20f69c7e541fdb1381b776 |
| SHA256 | 7736a59d4b323253f2a35f178d1cf2f43a3242a760dd18486dc85f19a1b14bc7 |
| SHA512 | 54377e8b39d150d04ae81621a30de01e8a19eb8d82b8b6e980acb2213cd0f4da2c4b8408726965d72eda1df3281a8bc9740ed09cd60cc7c87b08dd5023bd5ae7 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buVB27Oe75.exe
| Hash | Value |
| MD5 | d5ca0183e104522dc8688b9fde6384f9 |
| SHA1 | 13de197195327a0cdd466a034c4fb050053df1f5 |
| SHA256 | 2f834a83b7e3794a930e3ac9ec6ba824ee9119e105d23f5aa7e04ee555688a98 |
| SHA512 | 17d596f00ac5cc3481f69fd6d67463e7bbf9a34d4795143fc239b9a882fe0771865919cda9257a28e03ae02ebd63665a68e43412fec01e92e5f7aa662663a22a |
memory/800-35-0x0000000000B60000-0x0000000000B6A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caFV21gN19.exe
| Hash | Value |
| MD5 | c20ade32de13d71d0544db09353ae664 |
| SHA1 | 2360c19884041d41655172027c5ae07d537e01b4 |
| SHA256 | 680ab026b99110c40b7082b3d30fa3f74ee17d49c1b6b3d97cb72ba4cf3323fc |
| SHA512 | c09973e49b5d30ad8f3528913c73394e5144eaa857bdcbc05186a65bea1a5dc6c937e58d7e2ec2fb2aa017af312f678fad5b857c9fa988a7d78a04abfbe512aa |