Analysis Overview
SHA256
4e1d0610a9dd95c87734fc2bd38a04b49118fe5c5ca6f0e5d18eb3730127d9c6
Threat Level: Known bad
The file 4e1d0610a9dd95c87734fc2bd38a04b49118fe5c5ca6f0e5d18eb3730127d9c6 was found to be: Known bad.
Malicious Activity Summary
Redline family
RedLine payload
Modifies Windows Defender Real-time Protection settings
Detects Healer an antivirus disabler dropper
Healer family
Healer
RedLine
Executes dropped EXE
Windows security modification
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 00:49
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 00:49
Reported
2024-11-10 00:52
Platform
win10v2004-20241007-en
Max time kernel
142s
Max time network
151s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bumh98qZ52.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bumh98qZ52.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bumh98qZ52.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bumh98qZ52.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bumh98qZ52.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bumh98qZ52.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plhQ87cM27.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plwQ02DP63.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plUL15Hs92.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plfY52vo92.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bumh98qZ52.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caco88BT94.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bumh98qZ52.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plhQ87cM27.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plwQ02DP63.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plUL15Hs92.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plfY52vo92.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\4e1d0610a9dd95c87734fc2bd38a04b49118fe5c5ca6f0e5d18eb3730127d9c6.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4e1d0610a9dd95c87734fc2bd38a04b49118fe5c5ca6f0e5d18eb3730127d9c6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plhQ87cM27.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plwQ02DP63.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plUL15Hs92.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plfY52vo92.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caco88BT94.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bumh98qZ52.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bumh98qZ52.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caco88BT94.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\4e1d0610a9dd95c87734fc2bd38a04b49118fe5c5ca6f0e5d18eb3730127d9c6.exe | "C:\Users\Admin\AppData\Local\Temp\4e1d0610a9dd95c87734fc2bd38a04b49118fe5c5ca6f0e5d18eb3730127d9c6.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plhQ87cM27.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plhQ87cM27.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plwQ02DP63.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plwQ02DP63.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plUL15Hs92.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plUL15Hs92.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plfY52vo92.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plfY52vo92.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bumh98qZ52.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bumh98qZ52.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caco88BT94.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caco88BT94.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| RU | 193.233.20.24:4123 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plhQ87cM27.exe
| MD5 | 17f19aaf947d2edd2b09265af50dfed0 |
| SHA1 | abe1f3f8ae72e57c6d33cd5f5235a82def6cd341 |
| SHA256 | 8d77382f1e881df5618db6e5c93932fc4e54f51fa865e4b622f0c9b316eb7c16 |
| SHA512 | 8adfbb4778c3ac6cd41a8d8efa63def87dcdba66820dacc3b6a827139ebcc12d57a16e2e6e0fc137e0bc4f111cffe5f9c7dca16848fb07002025d2424ac1f990 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plwQ02DP63.exe
| MD5 | b05adc378d54514af5a755d70b0d05bc |
| SHA1 | 64cf3fa442fe850da91cf2a34d30ca875970f2f1 |
| SHA256 | 3067461989bd17ec2cd96861b0570faa4edd5a06fdc4fa496b5a1b53cafbdda7 |
| SHA512 | 88b58448a73901d00e732bf4b699db9ff93309d978a4d8d55c6847d36cefe2815b10be9ffc56650621af0ebdb50303d757e55bfb7a39984656ad95398944009f |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plUL15Hs92.exe
| MD5 | 4135897fed3629cd1aac4e4d8eb824d9 |
| SHA1 | 2d73bd0d928d910c0e7d26be2a890fb8b8125d3a |
| SHA256 | f79b399fe3cdc1b0a68f20d37f76708f6a988a94eae5198008aa642b471804ee |
| SHA512 | 0c1a454a70328eccbc7412d5fa9750008e8856187a071c6eb1ed606601858b89c5e046c31c9874c188b3bff29f0d6ff2e47162f2ab8c1c909959d211bc684b68 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plfY52vo92.exe
| MD5 | 09c38477322a254cf981f68f93508af3 |
| SHA1 | 44f49d2f933bfba8b15c21c15489f4e915592d0a |
| SHA256 | 82967d26380507a7e59180a6d82fb1c967bed8b0608e2d5203ef8b9d016de704 |
| SHA512 | 7ccd33243ae8ccfc3e1273d5aac45de296fd3fe2e2513a454ca04771fd9247263c77f56fd422396ecce7e02bf0a6c0ed83ae5998f926f755a454d542efe40b37 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bumh98qZ52.exe
| MD5 | f628231a8dcbdf0a2881b9223b427751 |
| SHA1 | b34e2772add22fd6a3df2ebed11ad0c4c4c05022 |
| SHA256 | 50f79e1b3b49ecb78c49cd85fd6ab6166b65191916b63f3970a922b1e59349a0 |
| SHA512 | f8a66e1691ca831c25e73d067398b356fb6ced422383b7f8815bdeeffd730bf01b576ea7ede19b6551e5b9bccf3a6d6fe9251065d5103fafb6bb90257118537b |
memory/2572-35-0x0000000000C70000-0x0000000000C7A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caco88BT94.exe
| MD5 | 47b1a20db297f70b1d9db60ea51d14d9 |
| SHA1 | b55664710122138d23e0e295dcade2b9aea41120 |
| SHA256 | 80aab4a4c16d1ab74369c2914ab0348c3ab3b600ee7d40eda315a18bda1cd287 |
| SHA512 | e9924f8f89b8268c2d88d427727cacecffee75358583934131150fd73a1372ca65e0159cb221f718a19f2386cfa2905f46d58cd19a4ed63b5f98f073c3753288 |