Analysis Overview
SHA256
3f763f0ef211e1c738c42828ddd96c4290e096c60535984cc22b010d276bceab
Threat Level: Known bad
The file 3f763f0ef211e1c738c42828ddd96c4290e096c60535984cc22b010d276bceab was found to be: Known bad.
Malicious Activity Summary
Redline family
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
RedLine payload
RedLine
Healer family
Executes dropped EXE
Windows security modification
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 20:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 20:30
Reported
2024-11-09 20:32
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buAR21yH66.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buAR21yH66.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buAR21yH66.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buAR21yH66.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buAR21yH66.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buAR21yH66.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plkb49sV13.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plSX28AB69.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plWA19ET88.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plsb34EQ73.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buAR21yH66.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caKw13th10.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buAR21yH66.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plkb49sV13.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plSX28AB69.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plWA19ET88.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plsb34EQ73.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\3f763f0ef211e1c738c42828ddd96c4290e096c60535984cc22b010d276bceab.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caKw13th10.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3f763f0ef211e1c738c42828ddd96c4290e096c60535984cc22b010d276bceab.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plkb49sV13.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plSX28AB69.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plWA19ET88.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plsb34EQ73.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buAR21yH66.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buAR21yH66.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buAR21yH66.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caKw13th10.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3f763f0ef211e1c738c42828ddd96c4290e096c60535984cc22b010d276bceab.exe
"C:\Users\Admin\AppData\Local\Temp\3f763f0ef211e1c738c42828ddd96c4290e096c60535984cc22b010d276bceab.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plkb49sV13.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plkb49sV13.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plSX28AB69.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plSX28AB69.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plWA19ET88.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plWA19ET88.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plsb34EQ73.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plsb34EQ73.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buAR21yH66.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buAR21yH66.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caKw13th10.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caKw13th10.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | | tcp |
| RU | 193.233.20.24:4123 | | tcp |
| RU | 193.233.20.24:4123 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | | tcp |
| RU | 193.233.20.24:4123 | | tcp |
| US | 8.8.8.8:53 | 10.179.89.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plkb49sV13.exe
| MD5 | 846752d9776cf9797e42e0f24951f202 |
| SHA1 | 3d36f315a3cbcd3a3e83ed0495ba6abaf82b1a8b |
| SHA256 | 999e01b1e7997f754dc679e4290528b6fb761ea4b33e48045032c2fc767f957a |
| SHA512 | 9bdd1ecffffec360730bbd3a31c777d77f7e218569e5a906f8bf571fe29afab0f6c1b5e72fbae06386540d41617c2a5da3d52d0cd2dc2cd09e66a84c422de649 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plSX28AB69.exe
| MD5 | 2f5aa6b05006f4355d685630dbaad0d0 |
| SHA1 | 03c08e1615b3737c2fb07429b153d363482b43fd |
| SHA256 | 5b0b782a07d4785eafbb61e2235664ee4aceed418bcb485f7993b3e827c3395e |
| SHA512 | 4949b26d1f5bb87ada568449ff4ce0addc90fa77acc799435d7c5bf6c1d8f5e8c4ce404cf68ac3685e391e5618f86e7113a9710dd82ccd61e3bbfb265ad97c0e |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plWA19ET88.exe
| MD5 | 411e492d8d3e18009daad37ea576e95f |
| SHA1 | 907096d8686ccaefde158a621320846c9b43176a |
| SHA256 | 7863a83b3508ef96c4007b40f61e2147caad3304e447e48ee895352ccc00dbea |
| SHA512 | 80190904e93865128511ab6ba9b6aa9da634596a9279fe382aaffa22ec5de5bc5d7f474258edddfb8d368e7dac2ed2cbfbd28936a6a9ecd88f858dc9d98c8516 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plsb34EQ73.exe
| MD5 | 46d6c2a9d674d2babeb0ec0d9006e507 |
| SHA1 | b7c0e4a85b14dfaf77d617d45492f56a86729a41 |
| SHA256 | 0c13b74ffda55b31fe7dc88e8ba38682e2d019eaf54bf6787092a1ffad00b4fa |
| SHA512 | bbad193ec6cc1ab80ca4fa68ce335e9cefc9e29fc85e16633451089f97f854b2ca95e4b825530de40e4b70582795a00504e97ac337cb7431333373eb4393aa70 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buAR21yH66.exe
| MD5 | 290f8fba79c89a814e1d0189af17ad64 |
| SHA1 | a7db61b58650fe394c019eeb96912e847ead8948 |
| SHA256 | 08bdde22915a2b6cc2466570ba5495a70ac356f9344b739b8f005ed230f1e213 |
| SHA512 | a9adf32ab3f003530dc56ad518bc5d42025cf7d73af9ba3dcd0127204301fabe894ac94370295bfb1f617a3d8cb32b85150c2a69792618987dfadff23e99f9e5 |
memory/2916-35-0x0000000000CE0000-0x0000000000CEA000-memory.dmp
memory/2916-37-0x00007FFDFAAA0000-0x00007FFDFABA0000-memory.dmp
memory/2916-39-0x00007FFDFBD80000-0x00007FFDFBE1B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caKw13th10.exe
| MD5 | 8240ae7f59fb434977686a2040ea62e9 |
| SHA1 | c0fe02012d46dc9e12c388dd75cab32643708a18 |
| SHA256 | 230a7452b0db2ecd65ee767d852990ff9cb94f65c485e3a68faa4bcb11b52605 |
| SHA512 | 78c782edce8e3cdb57624f3be1bc69976691e1a1938b46214bde842b9cc02966be80872c7ae4093d8154c62fe9de20e2cfdf532feae5dfe647ba0d748777c96b |
memory/3844-44-0x0000000007160000-0x00000000071A6000-memory.dmp
memory/3844-45-0x0000000007270000-0x0000000007814000-memory.dmp
memory/3844-46-0x00000000071E0000-0x0000000007224000-memory.dmp
memory/3844-48-0x00000000071E0000-0x000000000721E000-memory.dmp
memory/3844-47-0x00000000071E0000-0x000000000721E000-memory.dmp
memory/3844-98-0x00000000071E0000-0x000000000721E000-memory.dmp
memory/3844-108-0x00000000071E0000-0x000000000721E000-memory.dmp
memory/3844-106-0x00000000071E0000-0x000000000721E000-memory.dmp
memory/3844-104-0x00000000071E0000-0x000000000721E000-memory.dmp
memory/3844-102-0x00000000071E0000-0x000000000721E000-memory.dmp
memory/3844-100-0x00000000071E0000-0x000000000721E000-memory.dmp
memory/3844-96-0x00000000071E0000-0x000000000721E000-memory.dmp
memory/3844-94-0x00000000071E0000-0x000000000721E000-memory.dmp
memory/3844-92-0x00000000071E0000-0x000000000721E000-memory.dmp
memory/3844-90-0x00000000071E0000-0x000000000721E000-memory.dmp
memory/3844-88-0x00000000071E0000-0x000000000721E000-memory.dmp
memory/3844-84-0x00000000071E0000-0x000000000721E000-memory.dmp
memory/3844-82-0x00000000071E0000-0x000000000721E000-memory.dmp
memory/3844-80-0x00000000071E0000-0x000000000721E000-memory.dmp
memory/3844-78-0x00000000071E0000-0x000000000721E000-memory.dmp
memory/3844-76-0x00000000071E0000-0x000000000721E000-memory.dmp
memory/3844-74-0x00000000071E0000-0x000000000721E000-memory.dmp
memory/3844-72-0x00000000071E0000-0x000000000721E000-memory.dmp
memory/3844-70-0x00000000071E0000-0x000000000721E000-memory.dmp
memory/3844-68-0x00000000071E0000-0x000000000721E000-memory.dmp
memory/3844-66-0x00000000071E0000-0x000000000721E000-memory.dmp
memory/3844-64-0x00000000071E0000-0x000000000721E000-memory.dmp
memory/3844-62-0x00000000071E0000-0x000000000721E000-memory.dmp
memory/3844-60-0x00000000071E0000-0x000000000721E000-memory.dmp
memory/3844-58-0x00000000071E0000-0x000000000721E000-memory.dmp
memory/3844-56-0x00000000071E0000-0x000000000721E000-memory.dmp
memory/3844-54-0x00000000071E0000-0x000000000721E000-memory.dmp
memory/3844-52-0x00000000071E0000-0x000000000721E000-memory.dmp
memory/3844-86-0x00000000071E0000-0x000000000721E000-memory.dmp
memory/3844-50-0x00000000071E0000-0x000000000721E000-memory.dmp
memory/3844-953-0x0000000007820000-0x0000000007E38000-memory.dmp
memory/3844-954-0x0000000007E90000-0x0000000007F9A000-memory.dmp
memory/3844-955-0x0000000007FD0000-0x0000000007FE2000-memory.dmp
memory/3844-956-0x0000000007FF0000-0x000000000802C000-memory.dmp
memory/3844-957-0x0000000008140000-0x000000000818C000-memory.dmp