Analysis Overview
SHA256
70a43af38d2e6a88a61517343c7d551da214f8adfaf0e84fa23c4cdce2149250
Threat Level: Known bad
The file 70a43af38d2e6a88a61517343c7d551da214f8adfaf0e84fa23c4cdce2149250 was found to be: Known bad.
Malicious Activity Summary
RedLine payload
Healer family
Detects Healer, an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
RedLine
Redline family
Healer
Windows security modification
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 00:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 00:38
Reported
2024-11-10 00:40
Platform
win10v2004-20241007-en
Max time kernel
144s
Max time network
148s
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buDv25sm57.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buDv25sm57.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buDv25sm57.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buDv25sm57.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buDv25sm57.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buDv25sm57.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plyN02bs41.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plMm51FR13.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plKv25bP68.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plph32cs45.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buDv25sm57.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caCs31BO17.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buDv25sm57.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\70a43af38d2e6a88a61517343c7d551da214f8adfaf0e84fa23c4cdce2149250.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plyN02bs41.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plMm51FR13.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plKv25bP68.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plph32cs45.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\70a43af38d2e6a88a61517343c7d551da214f8adfaf0e84fa23c4cdce2149250.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plyN02bs41.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plMm51FR13.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plKv25bP68.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plph32cs45.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caCs31BO17.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buDv25sm57.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buDv25sm57.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buDv25sm57.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caCs31BO17.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\70a43af38d2e6a88a61517343c7d551da214f8adfaf0e84fa23c4cdce2149250.exe | "C:\Users\Admin\AppData\Local\Temp\70a43af38d2e6a88a61517343c7d551da214f8adfaf0e84fa23c4cdce2149250.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plyN02bs41.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plyN02bs41.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plMm51FR13.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plMm51FR13.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plKv25bP68.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plKv25bP68.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plph32cs45.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plph32cs45.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buDv25sm57.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buDv25sm57.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caCs31BO17.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caCs31BO17.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| RU | 193.233.20.24:4123 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plyN02bs41.exe
| MD5 | e0c35602be7da19803cb89c11e4c6e39 |
| SHA1 | aa7566ee524b765bb787a396a949ffcbbadf5b23 |
| SHA256 | 98b512fca8b1ad10b9d8fa9e1b2499048a7e9130052b9be6574ad5e60219b7df |
| SHA512 | 5d2c4b28631670482bbabd627b71569d42efc5bd70c2ee32e75e39b9e8795718b570face65ae36a3dc78b2624a6b257eb8ec0203cafefd454fcbc31ed5d55415 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plMm51FR13.exe
| MD5 | 91a3839a7ac86cc0104916d1e9f6fc24 |
| SHA1 | 25f621d58d798d4487b847b8e64b91e5235a36a2 |
| SHA256 | 7271dc29643f1752c641ab335d895ac3c33b478c1cbc330bd101a70d35eb3258 |
| SHA512 | 106d13a1e7378474a9dbd842f09f193adc90f53f3a42c272d760d624f612d98fbcdbb96420ed2b57412c03b99ac0ca630bf295d54b0066484b1672972dc9ae10 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plKv25bP68.exe
| MD5 | 44aee835bf016de29e3dc03dfbb3ed2c |
| SHA1 | 7e6b255d0991ead4926726771fbff85abcb31229 |
| SHA256 | fb1811659550bb0ccc6d8cbf027b6bd3bc17db5503cee776ae6c9d1b3436851b |
| SHA512 | ac7ea9d8d531402ba7914e6d18a4cc96013d93aef3d347af0b47ce3d6c6a2990e3fa1ff11af609fadc743b073dac767e0f57ef701f3385f7bdbe5b716a29c446 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plph32cs45.exe
| MD5 | 1dc7c8e54178cd0538ba61b01087affe |
| SHA1 | 10376dcd765f0450fc488de4e14cfd36ec6406af |
| SHA256 | 6943ab5b1d4a95bf1de8d82907b49e7a8da793e24765273b6eaf693a62519cf1 |
| SHA512 | 2f6e85e1b08d25ef45c62d426ea43b84125324c107204de2f7ac4d1696b83f3f4fcc14c0a041eee58b921b13d06472a0544f3d8947a2fe866c2ed880128970f0 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buDv25sm57.exe
| MD5 | cdabe16419916af7392f3c86e413e9eb |
| SHA1 | e70006f38cee3304a5fdb83b4ac23e5b99a1dd79 |
| SHA256 | 0a3f2e1c58f4948d8d41c202cfd80757f988cef7a2cfe2a88bcc7f0e5ea4d352 |
| SHA512 | 50d50c1454227de4fdc7b527b62ed5d378fbeccfbdcb1a7d929495ecb0dc87479dd51fcaf6a53c40fc218c3dc8a0d4a543da1a1ea30dcf511ee4c11e161000cb |
memory/2028-35-0x0000000000100000-0x000000000010A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caCs31BO17.exe
| MD5 | 47b1a20db297f70b1d9db60ea51d14d9 |
| SHA1 | b55664710122138d23e0e295dcade2b9aea41120 |
| SHA256 | 80aab4a4c16d1ab74369c2914ab0348c3ab3b600ee7d40eda315a18bda1cd287 |
| SHA512 | e9924f8f89b8268c2d88d427727cacecffee75358583934131150fd73a1372ca65e0159cb221f718a19f2386cfa2905f46d58cd19a4ed63b5f98f073c3753288 |