Analysis Overview
SHA256
edb2f3de75052ffdac9578ebaeaca66f2e7537f3fc5642b73e658b0feb7217fe
Threat Level: Known bad
The file edb2f3de75052ffdac9578ebaeaca66f2e7537f3fc5642b73e658b0feb7217fe was found to be: Known bad.
Malicious Activity Summary
Healer
RedLine payload
RedLine
Redline family
Healer family
Detects Healer an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
Executes dropped EXE
Windows security modification
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 00:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 00:38
Reported
2024-11-10 00:41
Platform
win10v2004-20241007-en
Max time kernel
142s
Max time network
150s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4530104.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4530104.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4530104.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4530104.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4530104.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4530104.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1565214.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4530104.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9419649.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4530104.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4530104.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1565214.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\edb2f3de75052ffdac9578ebaeaca66f2e7537f3fc5642b73e658b0feb7217fe.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\edb2f3de75052ffdac9578ebaeaca66f2e7537f3fc5642b73e658b0feb7217fe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1565214.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4530104.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9419649.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4530104.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4530104.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\edb2f3de75052ffdac9578ebaeaca66f2e7537f3fc5642b73e658b0feb7217fe.exe | "C:\Users\Admin\AppData\Local\Temp\edb2f3de75052ffdac9578ebaeaca66f2e7537f3fc5642b73e658b0feb7217fe.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1565214.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1565214.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4530104.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4530104.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9419649.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9419649.exe |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| CY | 217.196.96.101:4132 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| CY | 217.196.96.101:4132 | | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| CY | 217.196.96.101:4132 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| CY | 217.196.96.101:4132 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| CY | 217.196.96.101:4132 | | tcp |
| CY | 217.196.96.101:4132 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1565214.exe
| Hash | Value |
|---|---|
| MD5 | 50cb385da0c18228d0c437fab967becf |
| SHA1 | efae796b3bec758ecc5f8b36b7c03bd87e559795 |
| SHA256 | 587f1589df6ea6534147bb137d104c99916e4aafd15c1554267caea0c13de883 |
| SHA512 | 04f2d7110d4e3e58454b011fc15f2b971c9b579bfb45470985559624b92b494ebcbb1d4edba90f3cc097819179f0eff778f150df08dc87eea9d038a731178487 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4530104.exe
| Hash | Value |
|---|---|
| MD5 | 1eefdeedee9de5a3ffedcd7560a3ce99 |
| SHA1 | 95dd831c5b68be97e7cf238d4f4a8f39c6a308ce |
| SHA256 | cfcc2ae431e01771e1d059539bc9f728c83f4ff690cbaf370eca8b2f33de9bfc |
| SHA512 | 842a915fc062d70d633ddba7c7ac979219325b36591e5ebb9c40085fe84a6174534a17681227ccae5204aad0f09979cd2b587c803540c6865c046c3f1b0648c1 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9419649.exe
| Hash | Value |
|---|---|
| MD5 | a7fa568c08bd0c204c9a5f320b5d77cb |
| SHA1 | de5d04b3eb09756f4f9da45a4e019cc819661a6a |
| SHA256 | eef7b28de4261dc2ba85c8f516969603df7d494c42ccc8e870e9742b43fcba4a |
| SHA512 | be86d5ca256c931ab771794fa5a67739ba18a0745266e00e4e72cef381e6bc6f98965d712dacdbf10a590bb4ec16343a4f131214e47a14b4b4a1e117783fab65 |