Analysis Overview
SHA256
84fdfde0af8e431ec192d975e95c933e8d8dbc55c8a70c66c7d1e44aaa900630
Threat Level: Known bad
The file 84fdfde0af8e431ec192d975e95c933e8d8dbc55c8a70c66c7d1e44aaa900630 was found to be: Known bad.
Malicious Activity Summary
RedLine
Healer
Detects Healer, an antivirus disabler dropper
Healer family
RedLine payload
Redline family
Modifies Windows Defender Real-time Protection settings
Executes dropped EXE
Windows security modification
Adds Run key to start application
Launches sc.exe
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 00:46
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 00:46
Reported
2024-11-10 00:49
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
156s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buFq44VP59.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buFq44VP59.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buFq44VP59.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buFq44VP59.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buFq44VP59.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buFq44VP59.exe | N/A |
RedLine
RedLine payload
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plNf03Vm82.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ploK07QX66.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plcc44aj84.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plpL47Ev64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buFq44VP59.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caRu16Yi25.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buFq44VP59.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\84fdfde0af8e431ec192d975e95c933e8d8dbc55c8a70c66c7d1e44aaa900630.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plNf03Vm82.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ploK07QX66.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plcc44aj84.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plpL47Ev64.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\84fdfde0af8e431ec192d975e95c933e8d8dbc55c8a70c66c7d1e44aaa900630.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plNf03Vm82.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ploK07QX66.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plcc44aj84.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plpL47Ev64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caRu16Yi25.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buFq44VP59.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buFq44VP59.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buFq44VP59.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caRu16Yi25.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\84fdfde0af8e431ec192d975e95c933e8d8dbc55c8a70c66c7d1e44aaa900630.exe | "C:\Users\Admin\AppData\Local\Temp\84fdfde0af8e431ec192d975e95c933e8d8dbc55c8a70c66c7d1e44aaa900630.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plNf03Vm82.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plNf03Vm82.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ploK07QX66.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ploK07QX66.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plcc44aj84.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plcc44aj84.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plpL47Ev64.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plpL47Ev64.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buFq44VP59.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buFq44VP59.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caRu16Yi25.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caRu16Yi25.exe |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe start wuauserv |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | | tcp |
| RU | 193.233.20.24:4123 | | tcp |
| RU | 193.233.20.24:4123 | | tcp |
| RU | 193.233.20.24:4123 | | tcp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plNf03Vm82.exe
| MD5 | d3e6d11be461cb5f0379562613f3ca87 |
| SHA1 | 6ce2bd8d342937e3cbc0ec0ff139f8015a284c6d |
| SHA256 | 874e8e0be5c32f14a3ac1da1eede3ea68ece6d5451e3e4f33cf112e9424523b5 |
| SHA512 | e330d770b44f3e1e5031d7cd3a507945ecffd430cba03d49f9bc907b56ef509bf34c00333d4c878a5081013a82804aa056f7e7c553ba546d3168c91930e40de8 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ploK07QX66.exe
| MD5 | 01c2223e2f71b7e78c763dfdd08333e3 |
| SHA1 | 04e12262f259bf888528eec0bee88ff4c7944baa |
| SHA256 | a5838ff062b3b63e3c4bb3ae1de2b5fb7ab24856e9f87d67ae6010aa7b39f5bc |
| SHA512 | 780e6bfaf31ac6f59789acc4e1deb0f61033e467cf69017be115cdf10d1b2157e5335df18ea4e68f5f0afd6347ce400ed112ca0ead64b4fc362bd74e3474bd34 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plcc44aj84.exe
| MD5 | 4794c70def557695b305734b17e13d0d |
| SHA1 | 5f42a441eaf307e462d40769fb8e056c9b1e8419 |
| SHA256 | eb40c22aa43022c558a737f7764268b39cd02645200127a1e8dbd8a54870ab1b |
| SHA512 | 704e01d27d25b435d129b240ad8cb6f90e0c7f13eeeaed638ece3bfc26c279ffb6fd4b1aae1292bc916796961689880e656aa26696184f71917234a2deb41202 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plpL47Ev64.exe
| MD5 | 184fed720967656e793057022454f09b |
| SHA1 | 68fe8facff2ed509b315d51af768f4dfd9aad7af |
| SHA256 | 67288dacf00252668e9be5e2feed555edb9f3092482243b3a5e8d7daf9d6f4ff |
| SHA512 | 95f47d6256744f27901f2aa56c8dde43c8a5f5b6ec41face7fc3c7c3689ab1fa14375bef225c031444276552c552116fdc8bc67dffa1db027c14b7dcb94eca75 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buFq44VP59.exe
| MD5 | b56255d57ccfa39a05f39a20ee60cc0a |
| SHA1 | af80c1eecfabcdd48fece68cec63d3e15fb20b80 |
| SHA256 | 288ed88964e563607ae87c0e8f825e2cf64f1b3378cf2cba47c2d72d9a484055 |
| SHA512 | b861b16a21c5abb6d6afd1949a80f0c2179eed779fb768fa3ba6868b0f50da0c4f75c3515662cba0e591c503d5ca2c68ae8c1f40e7570aebe9e280288d88060f |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caRu16Yi25.exe
| MD5 | e11ed6fc64ebc2ac86e3a4e39aa0b6b6 |
| SHA1 | ad61736c537f06c5eda7ae7064b55a37b514eea1 |
| SHA256 | 8b09887654b84d73fdaf0d421b2d5910529cbfcd5a4848a23111c2612d3a1695 |
| SHA512 | 43e07b129d1b0269027fca92c05cd28fcecd5c9469df0b414ad24ba1b3270f6e55c2e5b67bc4734ec43d72e0609d58c068c23560716db14cd468031cb7b6b880 |