Analysis Overview
SHA256
4e4e508f9f0c352a117805d77f9f909d1d8b122a13e252813a3e6163a7446dd3
Threat Level: Known bad
The file 4e4e508f9f0c352a117805d77f9f909d1d8b122a13e252813a3e6163a7446dd3 was found to be: Known bad.
Malicious Activity Summary
Detects Healer, an antivirus disabler dropper
Healer family
Redline family
RedLine payload
Healer
Modifies Windows Defender Real-time Protection settings
RedLine
Executes dropped EXE
Windows security modification
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 20:28
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 20:28
Reported
2024-11-09 20:31
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ijq28CK70.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ijq28CK70.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ijq28CK70.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ijq28CK70.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ijq28CK70.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ijq28CK70.exe | N/A |
RedLine
RedLine payload
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmxj11GD85.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmuZ57MA69.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmXk06gx55.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmhZ99Jv09.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ijq28CK70.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ken45nJ33.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ijq28CK70.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\4e4e508f9f0c352a117805d77f9f909d1d8b122a13e252813a3e6163a7446dd3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmxj11GD85.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmuZ57MA69.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmXk06gx55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmhZ99Jv09.exe | N/A |
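Two points a responder should take from the registry rows above. First, the five Real-Time Protection policy values plus TamperProtection = 0 are all written by the same process (ijq28CK70.exe, PID 1284 in the memory listing), which is the Healer AV-disabler pattern in one shot. Second, the RunOnce values are wextract's own cleanup commands (rundll32 advpack.dll,DelNodeRunDLL32 against each IXP00N.TMP directory, the directories wextract.exe-based IExpress self-extractors unpack into), not autostart entries for a payload, so the "Adds Run key to start application" hit records a five-deep nested self-extractor chain rather than persistence. The following detection logic is an added example, not part of the sandbox output: it runs over hand-constructed records in Sysmon Event ID 13 (registry value set) shape that mirror the rows above, and the PIDs other than 1284, the svchost.exe and OneDrive control rows, and the thresholds are assumptions made for the example.

```python
"""Triage registry 'value set' events for the Defender tampering and wextract
chain indicators in this report. Added example; events are constructed to
mirror the report's rows in Sysmon Event ID 13 form, not captured telemetry."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RegEvent:
    pid: int
    image: str      # full path of the writing process (Sysmon Image)
    target: str     # Sysmon TargetObject in HKLM\... form
    details: str    # Sysmon Details, e.g. 'DWORD (0x00000001)' or a REG_SZ value


# Real-Time Protection policy values Healer set to 1 in this run.
RT_POLICY = re.compile(
    r"\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\"
    r"(DisableRealtimeMonitoring|DisableBehaviorMonitoring|DisableIOAVProtection"
    r"|DisableOnAccessProtection|DisableScanOnRealtimeEnable)$",
    re.IGNORECASE,
)
TAMPER = re.compile(
    r"\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection$",
    re.IGNORECASE,
)
# RunOnce\wextract_cleanupN is written by wextract.exe to delete its IXP00N.TMP
# directory at next logon; when the writer itself runs from %TEMP% it marks a
# nested self-extractor chain like the one in this report.
WEXTRACT_RUNONCE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\wextract_cleanup\d+$",
    re.IGNORECASE,
)
TEMP_IMAGE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def dword(details: str):
    """Pull the integer out of Sysmon's 'DWORD (0x...)' rendering, else None."""
    m = re.search(r"DWORD \((0x[0-9a-f]+)\)", details, re.IGNORECASE)
    return int(m.group(1), 16) if m else None


def classify(ev: RegEvent):
    """Return (severity, reason) for one event, or None if it is uninteresting.
    Writing a policy value back to 0 (re-enabling protection) does not fire."""
    if RT_POLICY.search(ev.target) and dword(ev.details) == 1:
        return "high", "Defender real-time protection disabled through policy key"
    if TAMPER.search(ev.target) and dword(ev.details) == 0:
        return "high", "Defender Tamper Protection switched off"
    if WEXTRACT_RUNONCE.search(ev.target) and TEMP_IMAGE.search(ev.image):
        return "medium", "wextract cleanup RunOnce written by a binary running from %TEMP%"
    return None


def triage(events):
    """Per-event findings plus a per-image verdict: an image that disables three
    or more distinct Real-Time Protection settings is tagged as an AV disabler
    (threshold is an assumption chosen for the example)."""
    findings = []
    rt_disabled = defaultdict(set)
    for ev in events:
        hit = classify(ev)
        if hit is None:
            continue
        findings.append({"pid": ev.pid, "image": ev.image, "target": ev.target,
                         "severity": hit[0], "reason": hit[1]})
        if RT_POLICY.search(ev.target):
            rt_disabled[ev.image].add(ev.target.rsplit("\\", 1)[1].lower())
    verdicts = {img: "av-disabler" for img, names in rt_disabled.items() if len(names) >= 3}
    return findings, verdicts


# Constructed sample: the report's rows rewritten as Sysmon-style events, plus
# two benign control rows (an admin re-enabling monitoring, an ordinary Run key).
RT = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
HEALER = r"C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ijq28CK70.exe"
DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\4e4e508f9f0c352a117805d77f9f909d1d8b122a13e252813a3e6163a7446dd3.exe")
SAMPLE_EVENTS = [
    RegEvent(1284, HEALER, RT + r"\DisableIOAVProtection", "DWORD (0x00000001)"),
    RegEvent(1284, HEALER, RT + r"\DisableOnAccessProtection", "DWORD (0x00000001)"),
    RegEvent(1284, HEALER, RT + r"\DisableRealtimeMonitoring", "DWORD (0x00000001)"),
    RegEvent(1284, HEALER, RT + r"\DisableScanOnRealtimeEnable", "DWORD (0x00000001)"),
    RegEvent(1284, HEALER, RT + r"\DisableBehaviorMonitoring", "DWORD (0x00000001)"),
    RegEvent(1284, HEALER, r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection",
             "DWORD (0x00000000)"),
    RegEvent(4012, DROPPER,  # PID assumed; the report does not give it
             r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
             r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'),
    RegEvent(900, r"C:\Windows\System32\svchost.exe", RT + r"\DisableRealtimeMonitoring",
             "DWORD (0x00000000)"),
    RegEvent(900, r"C:\Windows\System32\svchost.exe",
             r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
             r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"),
]

if __name__ == "__main__":
    found, verdict = triage(SAMPLE_EVENTS)
    for f in found:
        print(f["severity"], f["pid"], f["target"], "-", f["reason"])
    print(verdict)
```

On the sample events this yields seven findings (six high, one medium) and tags ijq28CK70.exe as an AV disabler; the svchost.exe rows produce nothing, which is the behaviour you want so that a GPO refresh that writes DisableRealtimeMonitoring = 0 does not page anyone.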
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmhZ99Jv09.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ken45nJ33.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4e4e508f9f0c352a117805d77f9f909d1d8b122a13e252813a3e6163a7446dd3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmxj11GD85.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmuZ57MA69.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmXk06gx55.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ijq28CK70.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ijq28CK70.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ijq28CK70.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ken45nJ33.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\4e4e508f9f0c352a117805d77f9f909d1d8b122a13e252813a3e6163a7446dd3.exe | "C:\Users\Admin\AppData\Local\Temp\4e4e508f9f0c352a117805d77f9f909d1d8b122a13e252813a3e6163a7446dd3.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmxj11GD85.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmxj11GD85.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmuZ57MA69.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmuZ57MA69.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmXk06gx55.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmXk06gx55.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmhZ99Jv09.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmhZ99Jv09.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ijq28CK70.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ijq28CK70.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ken45nJ33.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ken45nJ33.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | | tcp |
| RU | 193.233.20.24:4123 | | tcp |
| RU | 193.233.20.24:4123 | | tcp |
| RU | 193.233.20.24:4123 | | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | | tcp |
| RU | 193.233.20.24:4123 | | tcp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
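Every UDP row in the table is a PTR (reverse DNS) query to 8.8.8.8; the table does not attribute those lookups to any process, so the only traffic that can be read as the sample's own is the six TCP connections to 193.233.20.24:4123, the single non-DNS destination in the capture. The script below is an added example, not part of the sandbox output: it re-types the table's rows, decodes each in-addr.arpa name back to the address that was looked up (IPv4 PTR names list the octets in reverse order), and counts direct connections per endpoint so the block-list candidate falls out with its hit count.

```python
"""Split a sandbox Network table into reverse-DNS lookups and direct
connections. Added example; NETWORK_ROWS is typed in from the report's table."""
import ipaddress
from collections import Counter

# (country, destination, domain, proto), copied from the report's Network table.
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "104.219.191.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "83.210.23.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "68.159.190.20.in-addr.arpa", "udp"),
    ("RU", "193.233.20.24:4123", "", "tcp"),
    ("RU", "193.233.20.24:4123", "", "tcp"),
    ("RU", "193.233.20.24:4123", "", "tcp"),
    ("RU", "193.233.20.24:4123", "", "tcp"),
    ("US", "8.8.8.8:53", "23.236.111.52.in-addr.arpa", "udp"),
    ("RU", "193.233.20.24:4123", "", "tcp"),
    ("RU", "193.233.20.24:4123", "", "tcp"),
    ("US", "8.8.8.8:53", "18.173.189.20.in-addr.arpa", "udp"),
]


def ptr_to_ip(name: str):
    """'104.219.191.52.in-addr.arpa' -> '52.191.219.104'; None if not an IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def summarize_network(rows):
    """Return (addresses that were reverse-looked-up, Counter of direct endpoints).
    A DNS row whose domain decodes as a PTR name is a lookup, not a connection to
    the sample's infrastructure; everything else is counted as a direct endpoint."""
    looked_up = []
    direct = Counter()
    for country, dest, domain, proto in rows:
        ip, port = dest.rsplit(":", 1)
        if proto == "udp" and port == "53" and domain:
            decoded = ptr_to_ip(domain)
            looked_up.append(decoded if decoded else domain)
            continue
        direct[(ip, int(port), proto, country)] += 1
    return looked_up, direct


def block_list(rows, min_hits=2):
    """Endpoints contacted at least min_hits times, as 'ip:port/proto' strings.
    The threshold is an assumption for the example, not a sandbox setting."""
    _, direct = summarize_network(rows)
    return sorted(f"{ip}:{port}/{proto}" for (ip, port, proto, _c), n in direct.items() if n >= min_hits)


if __name__ == "__main__":
    lookups, endpoints = summarize_network(NETWORK_ROWS)
    print("reverse-looked-up:", lookups)
    print("direct endpoints:", dict(endpoints))
    print("block list:", block_list(NETWORK_ROWS))
```

For the table above this leaves one direct endpoint, 193.233.20.24:4123/tcp with six connections, and six reverse-looked-up addresses that should be attributed from the pcap before anyone adds them to an indicator list.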
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmxj11GD85.exe
| MD5 | 0b2cd96a8200c53cdb3444f20beab59c |
| SHA1 | 7cb02f5bdf1c09e092811ac4694e901bb615185c |
| SHA256 | 3fcbe17a70708e176220b4cea32d6d943b4a9d0ad0e377faac9aaa61b511e1b3 |
| SHA512 | 29b5a7a79487c382be028546ab2ee117131790376b9b17fc3d218387957ec1c127c07c90dfbab0093b8b0d052af6efa00107a692f2d2a21e827af77b59697559 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmuZ57MA69.exe
| MD5 | 5b8e2d4a66a2ce0212ed8aa69dcea885 |
| SHA1 | ff7e32af36ab17cb7975715149f3fd8015d7cb35 |
| SHA256 | 0a3a17c7a2810b6170217452f3620cd03dc73b057a7b84add77e4483134bfc95 |
| SHA512 | d8bc3c060563973adc3fb6100bef2f53cde2dca22a7097a910d32a237246a9f2c06d49d5ea0ebcef746c3596d20abd4a28cc47abe3e5e20f699fdb6dd049639c |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmXk06gx55.exe
| MD5 | 930edad88617c23a2131799e6a09fb1e |
| SHA1 | 9bf42e57bded7bd008f7eb00a440081791362948 |
| SHA256 | 4c38db1995815b5ac1d563c3f7d7f1008fb03fac172fda4e0199c60959f185e7 |
| SHA512 | e0316b63c8f64b9ed7c6f32648c514a0693551bbddafecaf315b19a51f2fe80c14e0c043b24fcefe4680b3c3c425c609ad389beddc9b8c12384d6500944ec869 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmhZ99Jv09.exe
| MD5 | a680c007f6adb5517d70e62e24c71530 |
| SHA1 | da1155c9b7a9f3aa4f54f24572ca91ffe8a92323 |
| SHA256 | 3e55fd01e3a6b3a900a823224e17d65ac5d2ded159a9d3a1c83c0f0f796d4138 |
| SHA512 | 61a153d55962e44f11b0711a6400a6403594c479d2c13b85367c40e48dab903578104819258e02940c61f3ff982007e759d3938ca92a1e81eaf4a98bc54cbf98 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ijq28CK70.exe
| MD5 | 98d9c461a70cb5acc16ae75961d0772b |
| SHA1 | f394f68605824023ad32202edbc52f48d53722b3 |
| SHA256 | 5648925fdaf06007f0bb809d4f1d75156f13931af1ec48f5bf7b61b3b39b1a22 |
| SHA512 | 0536e0526ead22e4165bc93efaecc714652fca896daf418df644b1dc242cf4e71122193c4ee3ac1860982dc841808c2a81fc948db29b8369761e9c4544e94be9 |
memory/1284-35-0x00000000009B0000-0x00000000009BA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ken45nJ33.exe
| MD5 | bc06501e2cbbcfd5b533d51c6a5ef3fb |
| SHA1 | 7caa42a1b56383b958098d71bdffbe0b69b1ba93 |
| SHA256 | 1ea5e787e9d231e9e5c0ebc4a058e587a9b37057469fc949d6458acef78a6c16 |
| SHA512 | 98da782c0b87b2b6dca516a98a86a0bd90966be55b40ed55cb61975277efbb366d3fb7d3ef8fbbb841cf62d2c39c842db8180013667193caff98285dd3769970 |
memory/2716-41-0x0000000004AB0000-0x0000000004AF6000-memory.dmp
memory/2716-42-0x0000000004C20000-0x00000000051C4000-memory.dmp
memory/2716-43-0x0000000004B70000-0x0000000004BB4000-memory.dmp
memory/2716-55-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/2716-59-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/2716-107-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/2716-105-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/2716-103-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/2716-101-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/2716-99-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/2716-97-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/2716-95-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/2716-91-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/2716-90-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/2716-87-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/2716-83-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/2716-81-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/2716-80-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/2716-75-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/2716-73-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/2716-71-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/2716-69-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/2716-67-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/2716-65-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/2716-63-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/2716-61-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/2716-57-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/2716-53-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/2716-51-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/2716-50-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/2716-48-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/2716-93-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/2716-85-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/2716-77-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/2716-45-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/2716-44-0x0000000004B70000-0x0000000004BAE000-memory.dmp
memory/2716-950-0x00000000051D0000-0x00000000057E8000-memory.dmp
memory/2716-951-0x0000000005860000-0x000000000596A000-memory.dmp
memory/2716-952-0x00000000059A0000-0x00000000059B2000-memory.dmp
memory/2716-953-0x00000000059C0000-0x00000000059FC000-memory.dmp
memory/2716-954-0x0000000005B10000-0x0000000005B5C000-memory.dmp
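Most of the dump entries above are the same region of PID 2716 (ken45nJ33.exe, the process the report's memory dumps are filed under) captured again and again: 0x4B70000 to 0x4BAE000, a 0x3E000-byte range, while PID 1284 (ijq28CK70.exe) contributes a single small dump. A region that is re-dumped repeatedly is the first one to pull when looking for the unpacked payload. The parser below is an added example, not part of the sandbox output; the naming convention memory/<pid>-<sequence>-<start>-<end>-memory.dmp is inferred from the listing and is an assumption, and SAMPLE_DUMPS is a hand-picked subset of the names above.

```python
"""Condense a sandbox memory-dump listing into one row per (pid, region).
Added example; the filename layout is inferred from the report's listing."""
import re
from collections import defaultdict

DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Constructed subset of the report's dump names.
SAMPLE_DUMPS = [
    "memory/1284-35-0x00000000009B0000-0x00000000009BA000-memory.dmp",
    "memory/2716-41-0x0000000004AB0000-0x0000000004AF6000-memory.dmp",
    "memory/2716-43-0x0000000004B70000-0x0000000004BB4000-memory.dmp",
    "memory/2716-44-0x0000000004B70000-0x0000000004BAE000-memory.dmp",
    "memory/2716-45-0x0000000004B70000-0x0000000004BAE000-memory.dmp",
    "memory/2716-48-0x0000000004B70000-0x0000000004BAE000-memory.dmp",
    "memory/2716-950-0x00000000051D0000-0x00000000057E8000-memory.dmp",
]


def parse_dump(name: str):
    """Split one dump name into pid, sequence number and the [start, end) range."""
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": int(m["start"], 16), "end": int(m["end"], 16)}


def summarize_dumps(names):
    """{pid: [region rows]} with one row per distinct (start, end), each carrying
    its size, how many times it was dumped and the first sequence number; rows
    are ordered most-dumped first so the hot region is at index 0."""
    seqs_by_region = defaultdict(list)
    for d in map(parse_dump, names):
        seqs_by_region[(d["pid"], d["start"], d["end"])].append(d["seq"])
    summary = defaultdict(list)
    for (pid, start, end), seqs in seqs_by_region.items():
        summary[pid].append({"start": start, "end": end, "size": end - start,
                             "count": len(seqs), "first_seq": min(seqs)})
    for rows in summary.values():
        rows.sort(key=lambda r: (-r["count"], r["first_seq"]))
    return dict(summary)


def hot_region(summary, pid: int):
    """The region dumped most often for a pid: the best first candidate when
    carving an unpacked payload out of the dumps."""
    return summary[pid][0]


if __name__ == "__main__":
    s = summarize_dumps(SAMPLE_DUMPS)
    for pid, rows in sorted(s.items()):
        for r in rows:
            print(f"pid {pid}: 0x{r['start']:X}-0x{r['end']:X} "
                  f"size 0x{r['size']:X} dumped {r['count']}x (first seq {r['first_seq']})")
```

Run over the full listing, the same code collapses the forty-odd lines above into a handful of regions per process and makes the repeatedly rewritten 0x3E000-byte range in PID 2716 stand out on its own line.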