Analysis Overview
SHA256
150eaf9466d35379e2bd637b81fef72c01554cb69605f8e2fab0c653393a8238
Threat Level: Known bad
The file 150eaf9466d35379e2bd637b81fef72c01554cb69605f8e2fab0c653393a8238 was found to be: Known bad.
Malicious Activity Summary
Redline family
Healer family
Modifies Windows Defender Real-time Protection settings
Healer
RedLine
RedLine payload
Detects Healer an antivirus disabler dropper
Executes dropped EXE
Windows security modification
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 05:07
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 05:07
Reported
2024-11-09 05:09
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buaJ79tT21.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buaJ79tT21.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buaJ79tT21.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buaJ79tT21.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buaJ79tT21.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buaJ79tT21.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| 35 matches, no indicator detail recorded | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plIW39QJ44.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plbi10NU96.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEI01Xn27.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plRl69xi77.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buaJ79tT21.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caso25Qc87.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buaJ79tT21.exe | N/A |
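The two signature tables above record one tampering pattern: five HKLM policy values under Real-Time Protection set to 1, and Features\TamperProtection set to 0, all written by buaJ79tT21.exe. The Python below is an added example, not part of the sandbox report; it parses indicators in the report's own `key\value = "data"` syntax and tags exactly those writes. The event tuples are constructed from the rows above plus one benign write, and the tag names are my own. One caveat for a responder: on a host with Tamper Protection enabled, Defender ignores or reverts these registry changes, so a logged write does not by itself prove protection was switched off; the sandbox image evidently allowed them.

```python
r"""Flag Windows Defender tamper writes in registry 'Set value' events.

Added example, not part of the sandbox report. Events are (process, indicator)
tuples in the report's own indicator syntax: <key>\<value name> = "<data>".
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Keys in HKLM\... spelling after normalize_key(); compared lower-cased.
RTP_POLICY_KEY = r"hklm\software\policies\microsoft\windows defender\real-time protection"
FEATURES_KEY = r"hklm\software\microsoft\windows defender\features"

# Policy values the sample set to 1; each one switches off part of real-time protection.
RTP_DISABLE_VALUES = {
    "disablebehaviormonitoring",
    "disableioavprotection",
    "disableonaccessprotection",
    "disablerealtimemonitoring",
    "disablescanonrealtimeenable",
}

_INDICATOR_RE = re.compile(r'^(?P<key>.+)\\(?P<value>[^\\]+) = "(?P<data>[^"]*)"$')


def normalize_key(key: str) -> str:
    """Map the native NT path the sandbox logs onto the HKLM/HKU spelling, lower-cased."""
    k = key.strip().lower()
    return k.replace(r"\registry\machine", "hklm", 1).replace(r"\registry\user", "hku", 1)


def parse_indicator(indicator: str) -> Optional[Tuple[str, str, str]]:
    """Split the indicator into (normalized key, value name, data); None if malformed."""
    m = _INDICATOR_RE.match(indicator.strip())
    if not m:
        return None
    return normalize_key(m["key"]), m["value"].lower(), m["data"]


def classify(indicator: str) -> Optional[str]:
    """Return a finding tag for a Defender-weakening write, else None."""
    parsed = parse_indicator(indicator)
    if parsed is None:
        return None
    key, value, data = parsed
    if key == RTP_POLICY_KEY and value in RTP_DISABLE_VALUES and data == "1":
        return "defender_rtp_policy_disabled"
    if key == FEATURES_KEY and value == "tamperprotection" and data == "0":
        return "defender_tamper_protection_off"
    return None


def triage(events: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group finding tags by the process that made the write."""
    findings = defaultdict(set)
    for process, indicator in events:
        tag = classify(indicator)
        if tag:
            findings[process].add(tag)
    return {p: sorted(t) for p, t in findings.items()}


# Constructed sample: three rows echoing the report's indicators plus one benign write.
HEALER = r"C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buaJ79tT21.exe"
RTP = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
SAMPLE_EVENTS = [
    (HEALER, RTP + r'\DisableRealtimeMonitoring = "1"'),
    (HEALER, RTP + r'\DisableIOAVProtection = "1"'),
    (HEALER, r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"'),
    (r"C:\Windows\explorer.exe",
     r'\REGISTRY\USER\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = "1"'),
]

if __name__ == "__main__":
    for proc, tags in triage(SAMPLE_EVENTS).items():
        print(proc, "->", ", ".join(tags))
```

A value of "0" for any of the five policy names is left untagged on purpose: that is the default (protection on), and a process restoring it is not the behaviour this signature is after.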
Adds Run key to start application
The five RunOnce values below are the cleanup records the Windows IExpress self-extractor (wextract) writes for its IXP00n.TMP extraction directories: rundll32 advpack.dll,DelNodeRunDLL32 deletes the named directory at next logon. They document a five-layer nested self-extracting package (each layer unpacking the next) rather than persistence of the payload, and should be read as evidence of the packaging, not as an autostart entry for the stealer.
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plIW39QJ44.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plbi10NU96.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEI01Xn27.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plRl69xi77.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\150eaf9466d35379e2bd637b81fef72c01554cb69605f8e2fab0c653393a8238.exe | N/A |
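Telling the self-extractor's housekeeping apart from a real autostart entry, and recovering the layer order from it, is the kind of check worth automating. The Python below is an added example, not part of the sandbox report: it classifies Run/RunOnce writes, accepting an entry as IExpress cleanup only when both the wextract_cleanupN name and the advpack DelNodeRunDLL32 command are present, and rebuilds the extraction chain from the (process, cleanup directory) pairs. The five cleanup events are taken from the rows above; the two entries attributed to upd.exe are constructed for contrast and do not appear in the report.

```python
r"""Classify Run/RunOnce writes and recover the nested IExpress extraction chain.

Added example, not part of the sandbox report. Events are (process, key\value-name, data)
triples; the five wextract_cleanup rows come from the report, the last two are constructed.
"""
import ntpath
import re
from typing import Dict, List, Tuple

# Value under HKLM or HKU ...\CurrentVersion\Run or RunOnce, in either registry view.
_RUN_KEY_RE = re.compile(
    r"^\\registry\\(machine|user\\[^\\]+)\\software\\(wow6432node\\)?microsoft\\windows"
    r"\\currentversion\\(?P<kind>run|runonce)\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
# Command IExpress (wextract.exe) registers so its IXP00n.TMP directory is deleted at next logon.
_IEXPRESS_CLEANUP_RE = re.compile(
    r'^rundll32(\.exe)?\s+\S*advpack\.dll,DelNodeRunDLL32\s+"?(?P<dir>[^"]+?)"?\s*$',
    re.IGNORECASE,
)


def classify_run_entry(key: str, data: str) -> Tuple[str, str]:
    """Return (value name, verdict): 'iexpress_cleanup' (self-extractor housekeeping),
    'persistence_candidate' (any other Run/RunOnce value) or 'not_run_key'."""
    m = _RUN_KEY_RE.match(key)
    if not m:
        return ("", "not_run_key")
    name = m["name"]
    # Both the wextract_cleanupN name and the advpack command are required; a copycat
    # name pointing at a different command line is still treated as persistence.
    if _IEXPRESS_CLEANUP_RE.match(data) and re.fullmatch(r"wextract_cleanup\d+", name, re.IGNORECASE):
        return (name, "iexpress_cleanup")
    return (name, "persistence_candidate")


def extraction_chain(events: List[Tuple[str, str, str]]) -> List[str]:
    """Order the nested SFX layers. Each layer's executable schedules cleanup for the directory
    it unpacked the next layer into, so dirname(process) -> cleanup dir is a parent -> child edge."""
    child_of: Dict[str, str] = {}
    for process, key, data in events:
        if classify_run_entry(key, data)[1] != "iexpress_cleanup":
            continue
        parent = ntpath.dirname(process).lower()
        child = _IEXPRESS_CLEANUP_RE.match(data)["dir"].rstrip("\\")
        child_of[parent] = child
    children = {c.lower() for c in child_of.values()}
    roots = [p for p in child_of if p not in children]
    if len(roots) != 1:
        return []
    chain, cur, seen = [], roots[0], set()
    while cur in child_of and cur not in seen:  # seen guards against a cycle
        seen.add(cur)
        nxt = child_of[cur]
        chain.append(ntpath.basename(nxt))
        cur = nxt.lower()
    return chain


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
RUNONCE = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"


def _cleanup_cmd(directory: str) -> str:
    return f'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 "{directory}\\"'


# (process that wrote the entry, value name, directory scheduled for deletion), from the report.
_LAYERS = [
    (TEMP + r"\150eaf9466d35379e2bd637b81fef72c01554cb69605f8e2fab0c653393a8238.exe", "wextract_cleanup0", TEMP + r"\IXP000.TMP"),
    (TEMP + r"\IXP000.TMP\plIW39QJ44.exe", "wextract_cleanup1", TEMP + r"\IXP001.TMP"),
    (TEMP + r"\IXP001.TMP\plbi10NU96.exe", "wextract_cleanup2", TEMP + r"\IXP002.TMP"),
    (TEMP + r"\IXP002.TMP\plEI01Xn27.exe", "wextract_cleanup3", TEMP + r"\IXP003.TMP"),
    (TEMP + r"\IXP003.TMP\plRl69xi77.exe", "wextract_cleanup4", TEMP + r"\IXP004.TMP"),
]
_FAKE = r"C:\Users\Admin\AppData\Roaming\upd.exe"  # constructed, not in the report
SAMPLE_EVENTS = [(p, RUNONCE + "\\" + n, _cleanup_cmd(d)) for p, n, d in _LAYERS] + [
    (_FAKE, RUNONCE + r"\Updater", f'"{_FAKE}"'),             # genuine persistence entry
    (_FAKE, RUNONCE + r"\wextract_cleanup9", f'"{_FAKE}"'),   # cleanup-style name, wrong command
]

if __name__ == "__main__":
    for process, key, data in SAMPLE_EVENTS:
        print(classify_run_entry(key, data), "<-", ntpath.basename(process))
    print("extraction chain:", " -> ".join(extraction_chain(SAMPLE_EVENTS)))
```

Run against the report's five rows the chain comes out as IXP000.TMP through IXP004.TMP, which matches the directory numbering in the Processes and Files sections; a chain that fails to resolve (no single root, or a cycle) returns empty rather than guessing.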
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plIW39QJ44.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plbi10NU96.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEI01Xn27.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plRl69xi77.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caso25Qc87.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\150eaf9466d35379e2bd637b81fef72c01554cb69605f8e2fab0c653393a8238.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buaJ79tT21.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buaJ79tT21.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buaJ79tT21.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caso25Qc87.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\150eaf9466d35379e2bd637b81fef72c01554cb69605f8e2fab0c653393a8238.exe | "C:\Users\Admin\AppData\Local\Temp\150eaf9466d35379e2bd637b81fef72c01554cb69605f8e2fab0c653393a8238.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plIW39QJ44.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plIW39QJ44.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plbi10NU96.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plbi10NU96.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEI01Xn27.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEI01Xn27.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plRl69xi77.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plRl69xi77.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buaJ79tT21.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buaJ79tT21.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caso25Qc87.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caso25Qc87.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | | tcp |
| RU | 193.233.20.24:4123 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | | tcp |
| RU | 193.233.20.24:4123 | | tcp |
| US | 8.8.8.8:53 | | udp |
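Reading the table: the udp rows are PTR (reverse) queries the guest sent to 8.8.8.8 for addresses it had encountered, and the only non-DNS destination recorded is 193.233.20.24:4123 over TCP, hit six times, which is the indicator worth blocking. The Python below is an added example, not part of the report: it parses rows in the table's own layout (tolerating the column-shifted form extraction produces when the Domain cell is empty), decodes in-addr.arpa names back to addresses, separates the two classes, and emits a Suricata rule for the direct connection. The sid and the rule message are assumed local values.

```python
"""Separate guest reverse lookups from the sample's own connections in the report's Network table.

Added example, not part of the sandbox report. SAMPLE_ROWS are the report's rows copied verbatim,
one of them kept in the column-shifted form extraction produced, so the parser must tolerate both.
"""
import re
from typing import Dict, List, Optional

_ROW_RE = re.compile(r"^\|\s*(?P<cc>[A-Z]{2})\s*\|\s*(?P<dst>\d{1,3}(?:\.\d{1,3}){3}:\d+)\s*\|(?P<rest>.*)\|\s*$")
_PTR_RE = re.compile(r"((?:\d{1,3}\.){4})in-addr\.arpa", re.IGNORECASE)


def ptr_to_ip(name: str) -> Optional[str]:
    """'232.168.11.51.in-addr.arpa' -> '51.11.168.232' (PTR names list the octets reversed)."""
    m = _PTR_RE.fullmatch(name.strip())
    if not m:
        return None
    return ".".join(reversed(m.group(1).rstrip(".").split(".")))


def parse_network_rows(rows: List[str]) -> List[Dict[str, str]]:
    """Parse '| Country | Destination | Domain | Proto |' rows; a missing Domain cell
    (Proto slid left, or the row ending early) yields domain == ''."""
    records = []
    for line in rows:
        m = _ROW_RE.match(line)
        if not m:  # header or blank line
            continue
        cells = [c.strip() for c in m["rest"].split("|") if c.strip()]
        proto = cells[-1].lower() if cells and cells[-1].lower() in ("tcp", "udp") else ""
        domain = cells[0] if len(cells) == 2 else ""
        records.append({"country": m["cc"], "dst": m["dst"], "domain": domain, "proto": proto})
    return records


def summarize(records: List[Dict[str, str]]) -> Dict[str, object]:
    """PTR queries to the resolver are the guest resolving addresses it has seen;
    anything not on port 53 is a connection opened during the run."""
    ptr_targets, connections = set(), {}
    for r in records:
        if r["dst"].endswith(":53"):
            ip = ptr_to_ip(r["domain"])
            if ip:
                ptr_targets.add(ip)
        else:
            connections[r["dst"]] = connections.get(r["dst"], 0) + 1
    return {"ptr_lookups": sorted(ptr_targets), "connections": connections}


def suricata_rule(dst: str, sid: int) -> str:
    """Plain IP:port alert for a destination worth blocking (sid is an assumed local value)."""
    ip, port = dst.rsplit(":", 1)
    return (f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"Sandboxed RedLine/Healer sample outbound {ip}:{port}"; '
            f'flow:to_server,established; sid:{sid}; rev:1;)')


SAMPLE_ROWS = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | tcp | |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | | tcp |
| RU | 193.233.20.24:4123 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | | tcp |
| RU | 193.233.20.24:4123 | | tcp |
| US | 8.8.8.8:53 | udp |
""".splitlines()

if __name__ == "__main__":
    summary = summarize(parse_network_rows(SAMPLE_ROWS))
    print(summary)
    for dst in summary["connections"]:
        print(suricata_rule(dst, 1000001))
```

The decoded PTR targets are useful mainly for excluding noise: they show which addresses the guest looked up, not hosts the sample contacted, so they should not be promoted to indicators without corroborating traffic.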
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plIW39QJ44.exe
| MD5 | 63006e779a1321af9fc63a4f5e08d1ff |
| SHA1 | 7c4207fe719e32627fd1f863f77f0c2b24971f5c |
| SHA256 | 01bc15a2a4eec2e8de037392ce4ca1f1416fee9a86c482c24fb6644293d65205 |
| SHA512 | b4dfb6dda517ec06280a97d7a00bb30c209db8cc2728e176dabd881aa2079c24859b48da939941ffcaf7a93a7f72e2a30278b15e8c369d96b7c28d72846a8063 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plbi10NU96.exe
| MD5 | 7801bb449714abdaf33bc82bf77eea7f |
| SHA1 | aef687a3bf80ba07c64acd53d072263317bbd39b |
| SHA256 | b66b400f860479d01b647e1ce479bf2355e3ea1d1666234942aa60214d4edb78 |
| SHA512 | 9c9b9666816c93e5e9f27866f826037e3d8e27f98102467f25d0ba2dabee22c0e787c457077a425dc453ad549e29fa22871b81de68469685ec42ce35b3a88442 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEI01Xn27.exe
| MD5 | d2f2658e42a8fa6249f5f49a4054f33c |
| SHA1 | eeea2356f581cf1576b96d61cd7635f193ff8513 |
| SHA256 | 875624098547ae7e8210b5c345700e12196d06b66888fa41204efda37423011c |
| SHA512 | 7ac142ca44c73a0805299d49e5611d4c8e1e2c989032de2016d7961fa113b4addd46ab4e3b3bab9c72acd38c7c30aa9ae8472df041f5366b1f4226e76de7b285 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plRl69xi77.exe
| MD5 | ec3aa3fc265d64c3372c94191d8fed99 |
| SHA1 | dea70c2a00754a52cfcada8528c26384950583fe |
| SHA256 | 4e8295c6a816b69c0e74a96c706dcb373f740d3f47d4de63881f68843f921bf3 |
| SHA512 | a804a2e9cacfded79118b9e08ff22d737c53f424295b8bee52a8afb792bbb31258ad4aeba110fcc0aa8807ad222c88bb417f483c581d0e5b3e912a514289664a |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buaJ79tT21.exe
| MD5 | 1d961f38462df3d93ce0a4773ba8275b |
| SHA1 | 2ea2ce026296b7fc1988e9e962df91b23c62ace7 |
| SHA256 | d789a63d78a848dcb7770511716005b924a6502ec3ea6eead783ec270ef3a91f |
| SHA512 | 8dcca398e0b6eff2c4b1671d522d4be49d24850a6146d7a8d67b72bc887ead80d80ae91fd3a18b867e1c2a68b29ca8f4638311f8e219a9844c1942ceb5e2e3a6 |
memory/5100-35-0x0000000000CF0000-0x0000000000CFA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caso25Qc87.exe
| MD5 | 8543cf3384382f56703a6ee451ac68f3 |
| SHA1 | 353211899c2c986e0d038a11f566e02e3113e113 |
| SHA256 | 2f1d315d7594bdb561cc82a3e1893703535688dff362e547d1e0ce98362c0acf |
| SHA512 | 609055d116696778d46331609f81697e5b01e34bc70e3ddbd9a27a23f5024ed37902c38ee329e05c29e06422e9352ebb266e9f260cafad9e20f2b262248f4186 |
memory/2756-41-0x0000000004A00000-0x0000000004A46000-memory.dmp
memory/2756-42-0x00000000073A0000-0x0000000007944000-memory.dmp
memory/2756-43-0x0000000004D80000-0x0000000004DC4000-memory.dmp
memory/2756-59-0x0000000004D80000-0x0000000004DBE000-memory.dmp
memory/2756-107-0x0000000004D80000-0x0000000004DBE000-memory.dmp
memory/2756-105-0x0000000004D80000-0x0000000004DBE000-memory.dmp
memory/2756-103-0x0000000004D80000-0x0000000004DBE000-memory.dmp
memory/2756-101-0x0000000004D80000-0x0000000004DBE000-memory.dmp
memory/2756-99-0x0000000004D80000-0x0000000004DBE000-memory.dmp
memory/2756-93-0x0000000004D80000-0x0000000004DBE000-memory.dmp
memory/2756-91-0x0000000004D80000-0x0000000004DBE000-memory.dmp
memory/2756-89-0x0000000004D80000-0x0000000004DBE000-memory.dmp
memory/2756-88-0x0000000004D80000-0x0000000004DBE000-memory.dmp
memory/2756-85-0x0000000004D80000-0x0000000004DBE000-memory.dmp
memory/2756-83-0x0000000004D80000-0x0000000004DBE000-memory.dmp
memory/2756-82-0x0000000004D80000-0x0000000004DBE000-memory.dmp
memory/2756-79-0x0000000004D80000-0x0000000004DBE000-memory.dmp
memory/2756-77-0x0000000004D80000-0x0000000004DBE000-memory.dmp
memory/2756-75-0x0000000004D80000-0x0000000004DBE000-memory.dmp
memory/2756-73-0x0000000004D80000-0x0000000004DBE000-memory.dmp
memory/2756-71-0x0000000004D80000-0x0000000004DBE000-memory.dmp
memory/2756-69-0x0000000004D80000-0x0000000004DBE000-memory.dmp
memory/2756-67-0x0000000004D80000-0x0000000004DBE000-memory.dmp
memory/2756-65-0x0000000004D80000-0x0000000004DBE000-memory.dmp
memory/2756-63-0x0000000004D80000-0x0000000004DBE000-memory.dmp
memory/2756-61-0x0000000004D80000-0x0000000004DBE000-memory.dmp
memory/2756-57-0x0000000004D80000-0x0000000004DBE000-memory.dmp
memory/2756-55-0x0000000004D80000-0x0000000004DBE000-memory.dmp
memory/2756-53-0x0000000004D80000-0x0000000004DBE000-memory.dmp
memory/2756-51-0x0000000004D80000-0x0000000004DBE000-memory.dmp
memory/2756-49-0x0000000004D80000-0x0000000004DBE000-memory.dmp
memory/2756-97-0x0000000004D80000-0x0000000004DBE000-memory.dmp
memory/2756-95-0x0000000004D80000-0x0000000004DBE000-memory.dmp
memory/2756-47-0x0000000004D80000-0x0000000004DBE000-memory.dmp
memory/2756-45-0x0000000004D80000-0x0000000004DBE000-memory.dmp
memory/2756-44-0x0000000004D80000-0x0000000004DBE000-memory.dmp
memory/2756-950-0x0000000007950000-0x0000000007F68000-memory.dmp
memory/2756-951-0x0000000007F70000-0x000000000807A000-memory.dmp
memory/2756-952-0x0000000004FA0000-0x0000000004FB2000-memory.dmp
memory/2756-953-0x0000000004FC0000-0x0000000004FFC000-memory.dmp
memory/2756-954-0x0000000008180000-0x00000000081CC000-memory.dmp