Analysis Overview
SHA256
d640814ce5ae33e49b59badaf67a23a361350c9bf6f494fb31e74beabc015668
Threat Level: Known bad
The file d640814ce5ae33e49b59badaf67a23a361350c9bf6f494fb31e74beabc015668 was found to be: Known bad.
Malicious Activity Summary
Redline family
Detects Healer an antivirus disabler dropper
Healer family
RedLine
RedLine payload
Modifies Windows Defender Real-time Protection settings
Healer
Executes dropped EXE
Windows security modification
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 05:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 05:02
Reported
2024-11-09 05:04
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7202552.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7202552.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7202552.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7202552.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7202552.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7202552.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3244178.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7202552.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5046496.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7202552.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7202552.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\d640814ce5ae33e49b59badaf67a23a361350c9bf6f494fb31e74beabc015668.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3244178.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d640814ce5ae33e49b59badaf67a23a361350c9bf6f494fb31e74beabc015668.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3244178.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7202552.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5046496.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7202552.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7202552.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7202552.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\d640814ce5ae33e49b59badaf67a23a361350c9bf6f494fb31e74beabc015668.exe | "C:\Users\Admin\AppData\Local\Temp\d640814ce5ae33e49b59badaf67a23a361350c9bf6f494fb31e74beabc015668.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3244178.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3244178.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7202552.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7202552.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5046496.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5046496.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| CY | 217.196.96.101:4132 | N/A | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| CY | 217.196.96.101:4132 | N/A | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| CY | 217.196.96.101:4132 | N/A | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| CY | 217.196.96.101:4132 | N/A | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| CY | 217.196.96.101:4132 | N/A | tcp |
| CY | 217.196.96.101:4132 | N/A | tcp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3244178.exe
| MD5 | 8a976403106004f90e4a795d3b34c09d |
| SHA1 | 4ab41631fc6ce7ba7287939410b20402abcc4729 |
| SHA256 | 3d679799fe4394c494c20c4b72eda7694f14c609803a6ab5cdf82cb861d1b4de |
| SHA512 | f02b70aa460432fbe6d48fa29e9e00ed771717582807f7f378bcbe12206cfeea811811465b8e3e0c1445ba4998bc150a54cd8659a36538ad868581c056ebea6d |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7202552.exe
| MD5 | 25fbff18e7d41d0f982e9e84970b6bbb |
| SHA1 | 07a1b741af0acd2298deeb4b6cdbd0fa138c1f94 |
| SHA256 | bc0225f07de9985add7446855da466942efbb69514827913b7e67ff2937289d6 |
| SHA512 | 71cb4f3c47c6ab8d7ec8e5dd7b9e3305dceec931a674f58aeec700eb76adde26ad59392ada7e278d36bd9b4f6dfb266926fcdd9b8ff8d06f7e04fb11dc81e3a6 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5046496.exe
| MD5 | 4406c28443dacdf7b195aa72a2e62761 |
| SHA1 | e98404f385abfabc8b707c05adb20ada987e0cb6 |
| SHA256 | 83ee5c178df11830a221ca4380ce7df7c37a90939071a9cfc484c56bff8c3d88 |
| SHA512 | a0fbf4971c71bc3dfb9cabb71636258f57c746016552e97dbcb7f86417d18f3ba71dd949b1dd4ad9b97f11ae664937ab93912850aec5d145adb0deff92345f44 |