Analysis Overview
SHA256
39da8093e2fe705edaebed4a88337c7772b993ba9a1d605facf112309e58f54f
Threat Level: Known bad
The file 39da8093e2fe705edaebed4a88337c7772b993ba9a1d605facf112309e58f54f was found to be: Known bad.
Malicious Activity Summary
RedLine
Redline family
RedLine payload
Healer
Detects Healer, an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
Healer family
Executes dropped EXE
Windows security modification
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 05:18
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 05:18
Reported
2024-11-09 05:21
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw35BL83Lw48.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw35BL83Lw48.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw35BL83Lw48.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw35BL83Lw48.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw35BL83Lw48.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw35BL83Lw48.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(35 RedLine payload matches were reported; the sandbox exported no description, indicator, process or target for any of them, so the identical rows are collapsed here.)
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vksJ8759nL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw35BL83Lw48.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tkEX66pG09Fz.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw35BL83Lw48.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\39da8093e2fe705edaebed4a88337c7772b993ba9a1d605facf112309e58f54f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vksJ8759nL.exe | N/A |
Both values are the standard cleanup entries written by wextract.exe, the IExpress self-extractor runtime: rundll32.exe advpack.dll,DelNodeRunDLL32 deletes the IXPnnn.TMP extraction directory at the next logon. They show that the submitted sample and vksJ8759nL.exe are each an SFX layer (extracting to IXP000.TMP and IXP001.TMP respectively), not that the payloads persist through Run keys; the signature name is generic and should not be read as malware persistence in this report.
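The following is an added example and not part of the sandbox report. It parses the registry rows from the "Modifies Windows Defender Real-time Protection settings", "Windows security modification" and "Adds Run key to start application" tables above (copied verbatim into REPORT_ROWS, plus one constructed counter-example with a hypothetical path) and classifies each write, so that the Healer Defender-tampering indicators are separated from the advpack.dll DelNodeRunDLL32 RunOnce cleanup entries that wextract-based self-extractors write. Names such as RegEvent, classify and triage are this example's own.

```python
import re
from typing import NamedTuple

# Added example (not part of the sandbox report): classify the registry writes the
# report lists so that Defender tampering is separated from IExpress cleanup residue.
# REPORT_ROWS copies rows from the report above; the last row is a constructed
# counter-example with a hypothetical path.


class RegEvent(NamedTuple):
    op: str        # "Set value (int)", "Set value (str)" or "Key created"
    path: str      # full key path; for Set value the last component is the value name
    value: str     # decoded value data ("" for Key created)
    process: str   # process that performed the write


REPORT_ROWS = [
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw35BL83Lw48.exe | N/A |',
    r'| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw35BL83Lw48.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw35BL83Lw48.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw35BL83Lw48.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\39da8093e2fe705edaebed4a88337c7772b993ba9a1d605facf112309e58f54f.exe | N/A |',
    # constructed counter-example (hypothetical path): a RunOnce entry that is real persistence
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\updater = "C:\\Users\\Admin\\AppData\\Roaming\\svc.exe" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tkEX66pG09Fz.exe | N/A |',
]

RTP_POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableScanOnRealtimeEnable",
}
TAMPER_PROTECTION_VALUE = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection"

# wextract.exe (IExpress self-extractors) registers exactly this RunOnce command so that
# its IXPnnn.TMP extraction directory is removed at next logon; it is packaging residue.
WEXTRACT_CLEANUP = re.compile(
    r'^rundll32\.exe [A-Za-z]:\\Windows\\system32\\advpack\.dll,DelNodeRunDLL32 "[^"]*\\IXP\d{3}\.TMP\\"$',
    re.IGNORECASE,
)


def parse_row(line: str) -> RegEvent:
    """Parse one '| op | indicator | process | target |' row as the sandbox prints it."""
    cells = [c.strip() for c in line.strip().strip("|").split(" | ")]
    op, indicator, process = cells[0], cells[1], cells[2]
    if " = " in indicator:
        path, raw = indicator.split(" = ", 1)
        # value data is printed JSON-style: quoted, with \" and \\ escapes
        value = re.sub(r'\\(["\\])', r"\1", raw[1:-1])
    else:
        path, value = indicator, ""
    return RegEvent(op, path, value, process)


def classify(ev: RegEvent) -> str:
    """Map one registry event to a finding label."""
    key, _, name = ev.path.rpartition("\\")
    if ev.op == "Key created" and ev.path == RTP_POLICY_KEY:
        return "defender-policy-key-created"
    if key == RTP_POLICY_KEY and name in RTP_DISABLE_VALUES and ev.value == "1":
        return "defender-realtime-disabled"
    if ev.path == TAMPER_PROTECTION_VALUE and ev.value == "0":
        return "tamper-protection-off"
    if "\\CurrentVersion\\RunOnce\\" in ev.path or "\\CurrentVersion\\Run\\" in ev.path:
        if WEXTRACT_CLEANUP.match(ev.value):
            return "wextract-cleanup"       # benign IExpress residue, not persistence
        return "run-key-persistence"
    return "other"


def triage(rows):
    """Return {process: sorted list of distinct findings} for all rows."""
    findings = {}
    for ev in map(parse_row, rows):
        findings.setdefault(ev.process, set()).add(classify(ev))
    return {p: sorted(f) for p, f in findings.items()}


if __name__ == "__main__":
    for proc, tags in triage(REPORT_ROWS).items():
        print(proc.rsplit("\\", 1)[-1], "->", ", ".join(tags))
```

Run against the report's rows, sw35BL83Lw48.exe is the only process with Defender findings, the submitted sample gets just wextract-cleanup, and the constructed RunOnce row is flagged as persistence. One caveat when reading the Defender rows: with Tamper Protection enabled, Defender is designed to ignore the Policies\...\Real-Time Protection values and a direct write of TamperProtection = 0, so these writes succeeding in the sandbox image does not show the technique works on a maintained Windows 10 endpoint. The writes are still worth alerting on, because they identify the Healer stage regardless of whether Defender honours them.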
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tkEX66pG09Fz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\39da8093e2fe705edaebed4a88337c7772b993ba9a1d605facf112309e58f54f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vksJ8759nL.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw35BL83Lw48.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw35BL83Lw48.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw35BL83Lw48.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tkEX66pG09Fz.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\39da8093e2fe705edaebed4a88337c7772b993ba9a1d605facf112309e58f54f.exe | "C:\Users\Admin\AppData\Local\Temp\39da8093e2fe705edaebed4a88337c7772b993ba9a1d605facf112309e58f54f.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vksJ8759nL.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vksJ8759nL.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw35BL83Lw48.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw35BL83Lw48.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tkEX66pG09Fz.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tkEX66pG09Fz.exe |
Execution chain, inferred from the drop directories and the wextract_cleanup RunOnce entries: the submitted sample extracts to IXP000.TMP and runs vksJ8759nL.exe, a second self-extractor that extracts to IXP001.TMP and runs sw35BL83Lw48.exe (the process behind the Defender tampering, so the Healer stage; its memory dumps are listed under PID 3160 in the Files section) and tkEX66pG09Fz.exe (by elimination the RedLine payload; memory dumps under PID 4148).
Network
All recorded traffic is DNS to 8.8.8.8:53 over UDP. Repeated queries are collapsed below with a count, in order of first appearance, and reverse-lookup names are annotated with the address they decode to.
| Country | Destination | Domain | Proto | Queries |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa (PTR for 8.8.8.8) | udp | 1 |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa (PTR for 52.183.220.149) | udp | 1 |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa (PTR for 2.18.190.79) | udp | 1 |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa (PTR for 192.229.221.95) | udp | 1 |
| US | 8.8.8.8:53 | pepunn.com | udp | 28 |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa (PTR for 20.49.150.241) | udp | 1 |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa (PTR for 52.111.236.22) | udp | 1 |
pepunn.com is the only forward lookup and was queried 28 times during the 150 s run with no TCP connection recorded in this report, which is consistent with the name not resolving or the server not answering at detonation time; it is the sample's network indicator. The PTR queries are most likely sandbox background traffic and should not be attributed to the sample without further evidence.
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vksJ8759nL.exe
| MD5 | b613a44fe3110db50bd7006dbf785a10 |
| SHA1 | 7f6f853ecea4a40305389e3b901c48665a65be0e |
| SHA256 | 4f4734f2e85e0fd2e0896c97a379fe20c06dcd08e2db15b89b2ed82ebd0c8294 |
| SHA512 | f003700c780a040f350e30653754a4725ff155fecc8f1b31222e3450c6e0138cf3b69bd06c8353d264a7566f400fafeee7cbeec7b98cd5360cbbb362429a72b9 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw35BL83Lw48.exe
| MD5 | 1d66902683bc3c462d751d2f92fc8db4 |
| SHA1 | 99c2113bb5e4f2ea1e67c8cffd0559031168e30d |
| SHA256 | 4de7b107b7c204bbc427342e0429eb00fa979ee0953348c760dec84714821473 |
| SHA512 | 3eda76452090da5803e821d75773bb17ba488a90bc80d6d785ca21a4b1d0cad96709c5bd8839191865b73fd59757e76a1fae360f91fab7e7feb0e9ae056547bb |
memory/3160-14-0x00007FF8C0A03000-0x00007FF8C0A05000-memory.dmp
memory/3160-15-0x0000000000050000-0x000000000005A000-memory.dmp
memory/3160-16-0x00007FF8C0A03000-0x00007FF8C0A05000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tkEX66pG09Fz.exe
| MD5 | 67530ca401a21e9021983dd91b37c971 |
| SHA1 | 059cc53f7d897b6e0b9072274cb964ab547489a9 |
| SHA256 | 3b8cd7237a32fdb861ebd4c8243729f969a0355e4554832f73d8ab0ee3871b9a |
| SHA512 | 0b8f93e0d38b8bf6fab4adb7c1ecd05da3c354acd94e9f02c48ef8f822be328d6e2c558806e732a840178ec2d0c32daf718f372a6040403353565196ce231b78 |
memory/4148-22-0x0000000004910000-0x0000000004956000-memory.dmp
memory/4148-23-0x00000000073B0000-0x0000000007954000-memory.dmp
memory/4148-24-0x0000000004D90000-0x0000000004DD4000-memory.dmp
memory/4148-38-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4148-88-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4148-86-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4148-84-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4148-82-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4148-80-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4148-78-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4148-76-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4148-74-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4148-72-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4148-70-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4148-68-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4148-66-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4148-64-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4148-62-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4148-60-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4148-58-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4148-56-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4148-54-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4148-52-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4148-50-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4148-48-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4148-46-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4148-44-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4148-42-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4148-40-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4148-36-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4148-34-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4148-32-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4148-30-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4148-28-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4148-26-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4148-25-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4148-931-0x0000000007960000-0x0000000007F78000-memory.dmp
memory/4148-932-0x0000000007F80000-0x000000000808A000-memory.dmp
memory/4148-933-0x0000000007300000-0x0000000007312000-memory.dmp
memory/4148-934-0x0000000007320000-0x000000000735C000-memory.dmp
memory/4148-935-0x0000000008190000-0x00000000081DC000-memory.dmp