Analysis Overview
SHA256
984f8e6c7ad7ac4c89d98cd6946b5630369246a738492e160377a40b6780afca
Threat Level: Known bad
The file 984f8e6c7ad7ac4c89d98cd6946b5630369246a738492e160377a40b6780afca was found to be: Known bad.
Malicious Activity Summary
Healer
Redline family
RedLine payload
RedLine
Modifies Windows Defender Real-time Protection settings
Healer family
Detects Healer an antivirus disabler dropper
Windows security modification
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 00:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 00:40
Reported
2024-11-10 00:43
Platform
win10v2004-20241007-en
Max time kernel
143s
Max time network
148s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bucI62hj56.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bucI62hj56.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bucI62hj56.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bucI62hj56.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bucI62hj56.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bucI62hj56.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plVX40lV62.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plzP30pV87.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plER26Go57.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plel48DI47.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bucI62hj56.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caNf14GV61.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bucI62hj56.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plER26Go57.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plel48DI47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\984f8e6c7ad7ac4c89d98cd6946b5630369246a738492e160377a40b6780afca.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plVX40lV62.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plzP30pV87.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\984f8e6c7ad7ac4c89d98cd6946b5630369246a738492e160377a40b6780afca.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plVX40lV62.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plzP30pV87.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plER26Go57.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plel48DI47.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caNf14GV61.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bucI62hj56.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bucI62hj56.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bucI62hj56.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caNf14GV61.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\984f8e6c7ad7ac4c89d98cd6946b5630369246a738492e160377a40b6780afca.exe | "C:\Users\Admin\AppData\Local\Temp\984f8e6c7ad7ac4c89d98cd6946b5630369246a738492e160377a40b6780afca.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plVX40lV62.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plVX40lV62.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plzP30pV87.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plzP30pV87.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plER26Go57.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plER26Go57.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plel48DI47.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plel48DI47.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bucI62hj56.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bucI62hj56.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caNf14GV61.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caNf14GV61.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | | tcp |
| RU | 193.233.20.24:4123 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | | tcp |
| RU | 193.233.20.24:4123 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plVX40lV62.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plzP30pV87.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plER26Go57.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plel48DI47.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bucI62hj56.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caNf14GV61.exe