Analysis Overview
SHA256
e6fd1a2c57c0aab37e7f78d3ecd170574e8f330fadd15d1341489ea9172d085a
Threat Level: Known bad
The file e6fd1a2c57c0aab37e7f78d3ecd170574e8f330fadd15d1341489ea9172d085a was found to be: Known bad.
Malicious Activity Summary
Redline family
RedLine payload
Detects Healer, an antivirus disabler dropper
Healer family
Healer
Modifies Windows Defender Real-time Protection settings
RedLine
Executes dropped EXE
Windows security modification
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 05:05
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 05:05
Reported
2024-11-09 05:08
Platform
win10v2004-20241007-en
Max time kernel
143s
Max time network
149s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buUJ94MY88.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buUJ94MY88.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buUJ94MY88.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buUJ94MY88.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buUJ94MY88.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buUJ94MY88.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plCv68eB71.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plEP12wO85.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plJQ68rT08.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pljJ04mF60.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buUJ94MY88.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cahf55XI63.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buUJ94MY88.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\e6fd1a2c57c0aab37e7f78d3ecd170574e8f330fadd15d1341489ea9172d085a.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plCv68eB71.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plEP12wO85.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plJQ68rT08.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pljJ04mF60.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plCv68eB71.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plEP12wO85.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plJQ68rT08.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pljJ04mF60.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cahf55XI63.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e6fd1a2c57c0aab37e7f78d3ecd170574e8f330fadd15d1341489ea9172d085a.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buUJ94MY88.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buUJ94MY88.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cahf55XI63.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e6fd1a2c57c0aab37e7f78d3ecd170574e8f330fadd15d1341489ea9172d085a.exe
"C:\Users\Admin\AppData\Local\Temp\e6fd1a2c57c0aab37e7f78d3ecd170574e8f330fadd15d1341489ea9172d085a.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plCv68eB71.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plCv68eB71.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plEP12wO85.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plEP12wO85.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plJQ68rT08.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plJQ68rT08.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pljJ04mF60.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pljJ04mF60.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buUJ94MY88.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buUJ94MY88.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cahf55XI63.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cahf55XI63.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| US | 8.8.8.8:53 | 66.209.201.84.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| RU | 193.233.20.24:4123 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plCv68eB71.exe
| MD5 | 403590acef7ccdf70f55fdf7496c0994 |
| SHA1 | 2e762b9032c13228cc0235c1a50ad539fbeb1230 |
| SHA256 | e1050f700dd79de16c20265e4046fb99b0da169ccc1eec81ffb419bd43df56a6 |
| SHA512 | edbbdc7cfdd72de22e0fa0c020b9a45fdf214f54fa95cea8026b3fcc480a372e8ef25176369c17ceded0a8187966a1486e1d54c5d8490353ffe153b7b608302d |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plEP12wO85.exe
| MD5 | 978055ba83c978c57484b6f1e219400d |
| SHA1 | 099d49cb2542c08a904267e8f9caea8a76de2e9f |
| SHA256 | 3cc4f8d96fa25df91a332179bea01a5626c4904aba8282ed354c32a29f726b70 |
| SHA512 | 28343b649d6fb4a6b6797dcac796b5d4b828562b13bcf1c204adf6ac83d1388709f357a8541c7f96d3749153c15b24272adc391fb33a375d120a6c527e102219 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plJQ68rT08.exe
| MD5 | 2f308bf390af28ed2b6662502058d1e2 |
| SHA1 | de1bc67e7f32cfa421abd7524f4ebf5e81df93b2 |
| SHA256 | 493a79bb4f628ba88f24cbe8525041d4b1c30af5d7c30a1d09696b48be69f535 |
| SHA512 | 30ba7c0cd6865059588011485e194edfc7ca07f0b41aefe985c62f717c8dcc7618eb50049a5b210095b3d30dd5617479c03fc2f060ea4db5003fb8a419735040 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pljJ04mF60.exe
| MD5 | 87244a37a676c01e0a2958d73a793bcb |
| SHA1 | 847568bf3eea5bcbd85f6c1cfd602a17288af018 |
| SHA256 | d09ee75ffc43cf4f09800f5908cbb0f66632076de6227778dda592ef4381120a |
| SHA512 | a8ee046a93300fd853f6a335d0f0f64a68a3fc543b43a5df275457050556e2288d415cb764005114d5c7c88296efcde4cc6740f47cdaaa8741dca304aff4898b |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buUJ94MY88.exe
| MD5 | faa8c750a0754306ebba1de6a09713d4 |
| SHA1 | 651b60e1738cdb8a7e673db124a11937a2861119 |
| SHA256 | ec581e5d4065bbe617ead07b47dc40a771ccafa3995dde739bb58f1e4739df9a |
| SHA512 | 82d57b3858d2a90708fcf45a329d05e86e38141381742b758608e0536d7b382fa35540744b451efad008de78a51eb1e52ad09605a856618ddef70dd7adb6da67 |
memory/1648-35-0x0000000000CA0000-0x0000000000CAA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cahf55XI63.exe
| MD5 | df8b658ff430e07a3083de9d55e38d9f |
| SHA1 | a1c69254ba895096f75660ca5c9c09f46486e65f |
| SHA256 | 885045b17ae6220ea794be50c2290b1c771323b5ff3680879e7d2bd8d1576a74 |
| SHA512 | ce534ec18d6e3f3f30a21c0749818ae89895281164262fe118610f4609d98d78f3164659cc8114d2d4767eff56cb446a118b72488982989c0e722fff8bcdae8a |