Analysis Overview
SHA256
2d3c174563a5657e25737a228ba313f3f7602f65adb1a2506f5b4bf7433b616e
Threat Level: Known bad
The file 2d3c174563a5657e25737a228ba313f3f7602f65adb1a2506f5b4bf7433b616e was found to be: Known bad.
Malicious Activity Summary
Redline family
RedLine
RedLine payload
Healer
Detects Healer, an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
Healer family
Windows security modification
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 06:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 06:06
Reported
2024-11-09 06:09
Platform
win10v2004-20241007-en
Max time kernel
142s
Max time network
143s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7376.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7376.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus8535.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus8535.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus8535.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus8535.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus8535.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus8535.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7376.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7376.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7376.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7376.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino7013.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino9492.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino1171.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus8535.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7376.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dRy02s07.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus8535.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7376.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7376.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\2d3c174563a5657e25737a228ba313f3f7602f65adb1a2506f5b4bf7433b616e.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino7013.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino9492.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino1171.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino7013.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino9492.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino1171.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7376.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dRy02s07.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2d3c174563a5657e25737a228ba313f3f7602f65adb1a2506f5b4bf7433b616e.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus8535.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus8535.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7376.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7376.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus8535.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7376.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dRy02s07.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2d3c174563a5657e25737a228ba313f3f7602f65adb1a2506f5b4bf7433b616e.exe
"C:\Users\Admin\AppData\Local\Temp\2d3c174563a5657e25737a228ba313f3f7602f65adb1a2506f5b4bf7433b616e.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino7013.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino7013.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino9492.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino9492.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino1171.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino1171.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus8535.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus8535.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7376.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7376.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dRy02s07.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dRy02s07.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| RU | 193.233.20.31:4125 | | tcp |
| RU | 193.233.20.31:4125 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| RU | 193.233.20.31:4125 | | tcp |
| RU | 193.233.20.31:4125 | | tcp |
| RU | 193.233.20.31:4125 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino7013.exe
| MD5 | 570dd305660eca093e1784a864ea1ad5 |
| SHA1 | 0aeaed648472b42cb436bc7d8142e03fbe591cb6 |
| SHA256 | f4c291cb1ec7df991fbb2b9adac537e7956d262d92d50c3829cfa824058b661b |
| SHA512 | 9f4ed7174d17da17f887357432689b780daf8525db5097cb3fc63a82ec88f97fb9c2efdbcba1ce6479cb04071e375e1ff2c86282f535711010f0ac73b1d6b0c3 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino9492.exe
| MD5 | 80d2bacba68ec9dd5841bb3c8d356055 |
| SHA1 | 610e66e03d42ece00e942770566b7464d766571e |
| SHA256 | ed53879b7b89ea9927d775f1f6a0e544c3040fe9248d5786b98b1b3cc0ea30e9 |
| SHA512 | 5bfe93c81194ce76599adfca3bb9c5fb150504c31adc43d5a1688f531a350c17d74cf73ac89a2f66aede23836c1114dcef3a7b8edd7f433a96651717dd46e261 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino1171.exe
| MD5 | ee72c631338fad60efd2ed9de67e96f8 |
| SHA1 | 1993d8d86b5af095ff7f052f38a5228a1a5695ce |
| SHA256 | d5b776ca6f2991e94f80eae424fb4710ee0431182cd4210c2b80b8206ebda1ab |
| SHA512 | 0828282df18fd826116a1913993fadee30402e787e6f082ca63ee99c1e671f322ec90162683c7cdb17a3859e278c5bf70fd48dcac6a5778fe6de82862da165f5 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus8535.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/3688-28-0x0000000000A10000-0x0000000000A1A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7376.exe
| MD5 | 3e1e1d0dc6be7d3ad3c50e164e79aa5a |
| SHA1 | 1875e9b16f548098ae0ca1a892a6c3962197e784 |
| SHA256 | d60f628516102a2a7e57b722c18752f1f8c70ff059d4ba86fe86db3dbaf1a64e |
| SHA512 | 34b9318db017de4142f0b6a6b4116707a9a2593eb5a7db9d38e1b75bff86f084657d0cfdeeeb7be7c406db972e426192b7d953e43487bd4a4bf223cbbce45c0b |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dRy02s07.exe
| MD5 | a36d8541e6bf00b56e6c2b9990833bcf |
| SHA1 | 9f1fc299eb443ceb8801dda3b939ddc2275cb43a |
| SHA256 | cb3d2b46de974c63aae6bd4537bc5f95cadaca52ca08ad8274c1add817f81daa |
| SHA512 | 823fef42ff2594781524a1d584f9ced7349a64927242253ad3f16f81a8e68d3ebaf6939d1584584107cea3a017c21e8fbbe9cefd53fdf3711225a77c4f347c39 |