Analysis Overview
SHA256
029dab9196581a36066e22d6ca0f8220dc229836b4e09278319d0c8e7c74de04
Threat Level: Known bad
The file 029dab9196581a36066e22d6ca0f8220dc229836b4e09278319d0c8e7c74de04 was found to be: Known bad.
Malicious Activity Summary
Redline family
Detects Healer, an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
RedLine
Healer family
RedLine payload
Executes dropped EXE
Windows security modification
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 20:30
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 20:30
Reported
2024-11-09 20:32
Platform
win10v2004-20241007-en
Max time kernel
142s
Max time network
147s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o8067822.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o8067822.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o8067822.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o8067822.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o8067822.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o8067822.exe | N/A |
These five values are the Real-Time Protection policy settings that switch off behavior monitoring, IOAV (download/attachment) scanning, on-access scanning, real-time monitoring and the scan that runs when real-time protection is re-enabled. Note the WOW6432Node component in every path: the writes were made by a 32-bit process and were redirected to the 32-bit registry view, whereas the Defender service on 64-bit Windows reads the native HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection key. When auditing a host for this tampering, check both views.
RedLine
RedLine payload
| Description | Indicator | Process | Target |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2268608.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o8067822.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2640689.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o8067822.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o8067822.exe | N/A |
Writing TamperProtection = 0 is an attempt to turn off Defender's Tamper Protection so that the policy changes above take effect. Two caveats for defenders: the write again landed in the WOW6432Node (32-bit) view rather than the native HKLM\SOFTWARE\Microsoft\Windows Defender\Features key, and on a host where Tamper Protection is enabled Defender blocks or reverts registry changes to its own settings, so the presence of this write is a reliable indicator of intent even where it has no effect.
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\029dab9196581a36066e22d6ca0f8220dc229836b4e09278319d0c8e7c74de04.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2268608.exe | N/A |
Despite the signature name, these two RunOnce values are not persistence. wextract_cleanupN entries calling advpack.dll,DelNodeRunDLL32 are the standard cleanup hook that a wextract (IExpress-style) self-extracting package registers to delete its IXPnnn.TMP extraction directory at the next logon; they delete files and relaunch nothing. Their real value here is structural: they confirm that the sample and z2268608.exe are both self-extractors, and they identify which directory each one unpacked into.
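The three registry sections above (the Real-Time Protection policy values, the TamperProtection write, and the RunOnce cleanup entries) are the kind of events a detection engineer will want to triage automatically. The following is an added example, not part of this report and not code from any sandbox or vendor: it classifies registry set-value events against those indicators, normalises away the WOW6432Node component so that both registry views are matched, and separates wextract cleanup entries from RunOnce entries that actually relaunch a binary. The RegEvent shape is a constructed simplification of a sandbox or Sysmon event, and the last sample event (hypothetical.exe) is a constructed contrast case that does not appear in the report.

```python
"""Triage registry set-value events from a sandbox run for Defender tampering.

Added example (not part of the original report or of any vendor tool). The
event shape is a constructed simplification: (process, key, value name, data),
with keys in the \\REGISTRY\\MACHINE form the report uses.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class RegEvent:
    process: str
    key: str
    name: str
    data: str


# Native key paths. Events are compared case-insensitively after the
# WOW6432Node component (32-bit registry view) is stripped, so a write made
# by a 32-bit dropper and one made by a 64-bit process both match.
RTP_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEATURES_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features"
RUNONCE_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"

# Real-Time Protection policy values that disable a Defender component when 1
# (the five names seen in the report's indicator table).
RTP_DISABLE_VALUES = {
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableRealtimeMonitoring",
    "DisableScanOnRealtimeEnable",
}

WOW_NODE = re.compile(r"\\WOW6432Node", re.IGNORECASE)

# wextract (IExpress self-extractor) cleanup entry: rundll32 calls
# advpack.dll,DelNodeRunDLL32 to delete the IXPnnn.TMP extraction directory.
# It removes files; it does not relaunch anything, so it is not persistence.
WEXTRACT_CLEANUP = re.compile(
    r'^rundll32\.exe .*\\advpack\.dll,DelNodeRunDLL32 ".*\\IXP\d{3}\.TMP\\?"$',
    re.IGNORECASE,
)


def native_key(key: str) -> Tuple[str, bool]:
    """Return (key with WOW6432Node removed, True if it was in the 32-bit view)."""
    stripped, n = WOW_NODE.subn("", key)
    return stripped, n > 0


def classify(ev: RegEvent) -> Optional[Dict[str, object]]:
    """Map one set-value event to a finding, or None if it is not of interest."""
    key, redirected = native_key(ev.key)
    k = key.lower()
    base = {"process": ev.process, "name": ev.name, "redirected": redirected}
    if k == RTP_KEY.lower() and ev.name in RTP_DISABLE_VALUES and ev.data == "1":
        return {**base, "finding": "defender_rtp_disabled"}
    if k == FEATURES_KEY.lower() and ev.name == "TamperProtection" and ev.data == "0":
        return {**base, "finding": "defender_tamper_protection_off"}
    if k == RUNONCE_KEY.lower():
        if ev.name.lower().startswith("wextract_cleanup") and WEXTRACT_CLEANUP.match(ev.data):
            return {**base, "finding": "wextract_cleanup"}  # benign self-extractor cleanup
        return {**base, "finding": "runonce_persistence"}
    return None


def triage(events: List[RegEvent]) -> List[Dict[str, object]]:
    return [f for f in (classify(e) for e in events) if f is not None]


def summarize(events: List[RegEvent]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in triage(events):
        counts[str(f["finding"])] = counts.get(str(f["finding"]), 0) + 1
    return counts


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o8067822.exe"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\029dab9196581a36066e22d6ca0f8220dc229836b4e09278319d0c8e7c74de04.exe"

# Constructed events mirroring three rows of the report's indicator tables,
# plus one hypothetical RunOnce entry that really would relaunch a binary.
SAMPLE_EVENTS = [
    RegEvent(DROPPER, r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection",
             "DisableRealtimeMonitoring", "1"),
    RegEvent(DROPPER, r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features",
             "TamperProtection", "0"),
    RegEvent(SAMPLE, r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce",
             "wextract_cleanup0",
             r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'),
    RegEvent(r"C:\Users\Admin\AppData\Roaming\hypothetical.exe",  # hypothetical, not from the report
             r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
             "Updater", r"C:\Users\Admin\AppData\Roaming\hypothetical.exe"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        view = "32-bit view (WOW6432Node)" if f["redirected"] else "native view"
        print(f"{f['finding']:32} {f['name']:28} {view}  <- {f['process']}")
```

The `redirected` flag is kept on every finding on purpose: a Defender policy write that only reached the WOW6432Node view is still a strong indicator of intent, but it tells the responder that the native key must be checked separately before concluding that protection was actually disabled on the host.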
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\029dab9196581a36066e22d6ca0f8220dc229836b4e09278319d0c8e7c74de04.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2268608.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o8067822.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2640689.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o8067822.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o8067822.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o8067822.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\029dab9196581a36066e22d6ca0f8220dc229836b4e09278319d0c8e7c74de04.exe
"C:\Users\Admin\AppData\Local\Temp\029dab9196581a36066e22d6ca0f8220dc229836b4e09278319d0c8e7c74de04.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2268608.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2268608.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o8067822.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o8067822.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2640689.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2640689.exe
The IXP000.TMP and IXP001.TMP directories together with the wextract_cleanup RunOnce values indicate two nested self-extracting packages: the submitted sample unpacks into IXP000.TMP and runs z2268608.exe, which in turn unpacks into IXP001.TMP and runs o8067822.exe (the process responsible for every Defender modification above, matching the Healer antivirus-disabler detection) and r2640689.exe (the remaining dropped executable and therefore the likely RedLine payload).
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| CY | 217.196.96.101:4132 | | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.209.201.84.in-addr.arpa | udp |
| CY | 217.196.96.101:4132 | | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| CY | 217.196.96.101:4132 | | tcp |
| CY | 217.196.96.101:4132 | | tcp |
| CY | 217.196.96.101:4132 | | tcp |
| CY | 217.196.96.101:4132 | | tcp |
The in-addr.arpa queries are reverse (PTR) lookups and carry no indicator value on their own. The only non-DNS traffic recorded is the repeated TCP connections to 217.196.96.101 on port 4132; given the RedLine detections, that endpoint is the one worth blocking and hunting for in proxy and firewall logs.
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2268608.exe
| MD5 | fde9bdb77698b33d989e1bdeb6ddf07e |
| SHA1 | a146e8afe30b3dbcb7d641a213244cdbc215c445 |
| SHA256 | 5729677e98a9388705457606b5133525f985ae0a08c09dbb685ce538f8eb17b9 |
| SHA512 | 8bf622ca499981bdce8aa832cec4b2bd7fed5b676911f1aade0cb5d7c1250ea4dd984c3945a5f556a408590945b5954d1e139db96f2aff8c8e626c782e8d022d |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o8067822.exe
| MD5 | 1d1ef34713c6116eabbf4ff4b61562d7 |
| SHA1 | 132f8c84a5c1da6173786c7ac169d3eb11f2fc31 |
| SHA256 | f68c19401376fc590ace8959c71be433c90d9ed8f7192346fc766ff7c4a539fb |
| SHA512 | 50ec5949c575b159733ab217c00dc971ef4a11eb370ed44c2746c4e313da001a3d46c452f3873f3f6e7fe5140ef928e6b1214691e993881ef8c0444cb14c166f |
memory/5036-14-0x000000007445E000-0x000000007445F000-memory.dmp
memory/5036-15-0x00000000022A0000-0x00000000022BA000-memory.dmp
memory/5036-16-0x0000000074450000-0x0000000074C00000-memory.dmp
memory/5036-17-0x0000000004AD0000-0x0000000005074000-memory.dmp
memory/5036-18-0x0000000004980000-0x0000000004998000-memory.dmp
memory/5036-24-0x0000000004980000-0x0000000004992000-memory.dmp
memory/5036-44-0x0000000004980000-0x0000000004992000-memory.dmp
memory/5036-42-0x0000000004980000-0x0000000004992000-memory.dmp
memory/5036-40-0x0000000004980000-0x0000000004992000-memory.dmp
memory/5036-38-0x0000000004980000-0x0000000004992000-memory.dmp
memory/5036-36-0x0000000004980000-0x0000000004992000-memory.dmp
memory/5036-34-0x0000000004980000-0x0000000004992000-memory.dmp
memory/5036-32-0x0000000004980000-0x0000000004992000-memory.dmp
memory/5036-30-0x0000000004980000-0x0000000004992000-memory.dmp
memory/5036-28-0x0000000004980000-0x0000000004992000-memory.dmp
memory/5036-27-0x0000000004980000-0x0000000004992000-memory.dmp
memory/5036-46-0x0000000004980000-0x0000000004992000-memory.dmp
memory/5036-22-0x0000000004980000-0x0000000004992000-memory.dmp
memory/5036-47-0x0000000074450000-0x0000000074C00000-memory.dmp
memory/5036-20-0x0000000004980000-0x0000000004992000-memory.dmp
memory/5036-19-0x0000000004980000-0x0000000004992000-memory.dmp
memory/5036-48-0x000000007445E000-0x000000007445F000-memory.dmp
memory/5036-49-0x0000000074450000-0x0000000074C00000-memory.dmp
memory/5036-51-0x0000000074450000-0x0000000074C00000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2640689.exe
| MD5 | b84abbfcba7e0a2a3b8ccb57b2bc270e |
| SHA1 | 9381c88676cb7a6ac28953b68903183829982d9f |
| SHA256 | 38e8f83bcf43e6e2877f4af9670c33f03a8631c8d0e2989a1bd81a5df893e7cd |
| SHA512 | 1296269b70977069a62d282e901308071c9f0d9632e4966ad64c3cb77c62a14b0233100f1179fb9f1570f65713ba4d3ff45678f74ba1f8f2f6db3d9a6a005748 |
memory/4784-55-0x0000000000780000-0x00000000007AE000-memory.dmp
memory/4784-56-0x0000000002900000-0x0000000002906000-memory.dmp
memory/4784-57-0x000000000ABE0000-0x000000000B1F8000-memory.dmp
memory/4784-58-0x000000000A6D0000-0x000000000A7DA000-memory.dmp
memory/4784-59-0x00000000051A0000-0x00000000051B2000-memory.dmp
memory/4784-60-0x000000000A5C0000-0x000000000A5FC000-memory.dmp
memory/4784-61-0x0000000000F20000-0x0000000000F6C000-memory.dmp