Analysis Overview
SHA256
57ad4ebec76047e3786ae119a4552b19642c69708624a5b042b9ecca75114845
Threat Level: Known bad
The file 57ad4ebec76047e3786ae119a4552b19642c69708624a5b042b9ecca75114845 was found to be: Known bad.
Malicious Activity Summary
Healer family
RedLine payload
Modifies Windows Defender Real-time Protection settings
Detects Healer an antivirus disabler dropper
Redline family
Healer
RedLine
Executes dropped EXE
Windows security modification
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:38
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:38
Reported
2024-11-10 01:41
Platform
win10v2004-20241007-en
Max time kernel
142s
Max time network
145s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu150905.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu150905.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu150905.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu150905.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor8709.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor8709.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor8709.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu150905.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu150905.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor8709.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor8709.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor8709.exe | N/A |
RedLine
RedLine payload
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina7555.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina5697.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina5865.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu150905.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor8709.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\duq74s84.exe | N/A |
Windows security modification
Note: the Real-Time Protection policy values above and the TamperProtection value below are written by both bu150905.exe (native HKLM\SOFTWARE path) and cor8709.exe (WOW6432Node path). On a host where Tamper Protection is enabled, Defender does not honour these policy values, so the writes record intent rather than a confirmed disable; verify the actual protection state on an affected host (for example with Get-MpComputerStatus) rather than trusting the registry alone.
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu150905.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor8709.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor8709.exe | N/A |
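The Defender registry writes in the two tables above (Real-Time Protection policy values set to 1, TamperProtection set to 0, under both the native and the WOW6432Node path) are the kind of thing a registry-event detection should fold onto one rule. The following is an added example, not code from the sandbox or from the sample: it normalises the hive prefix and WOW6432Node away, parses either the report's bare integer or a Sysmon-style `DWORD (0x...)` string, and flags the writes. The event records are constructed from the report's rows; the field names (Image, TargetObject, Details) are assumed to follow Sysmon Event ID 13.

```python
"""Flag Windows Defender tampering in registry-write events.

Added example, not code from the sandbox or from the sample. The event
records are constructed to mirror the report's rows for bu150905.exe and
cor8709.exe; the field names (Image, TargetObject, Details) are borrowed
from Sysmon Event ID 13 as an assumption about the log source.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Policy values under Real-Time Protection: data 1 disables that feature.
RTP_VALUES = {
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
    "DisableOnAccessProtection",
    "DisableIOAVProtection",
    "DisableScanOnRealtimeEnable",
}
RTP_KEY = r"SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
TP_KEY = r"SOFTWARE\Microsoft\Windows Defender\Features"

_HIVE = re.compile(r"^(\\REGISTRY\\MACHINE|HKLM|HKEY_LOCAL_MACHINE)\\", re.I)
_WOW = re.compile(r"\\WOW6432Node(?=\\)", re.I)
_DWORD = re.compile(r"DWORD\s*\((0x[0-9a-f]+)\)", re.I)


def normalise(path: str) -> Tuple[str, str]:
    """Split a registry path into (key, value name), dropping the hive prefix
    and any WOW6432Node component, so the native-path write from bu150905.exe
    and the WOW6432Node write from cor8709.exe land on the same key."""
    p = _WOW.sub("", _HIVE.sub("", path))
    key, _, value = p.rpartition("\\")
    return key, value


def parse_dword(details: str) -> Optional[int]:
    """Accept the report's bare "1" as well as Sysmon's DWORD (0x00000001)."""
    m = _DWORD.search(details)
    if m:
        return int(m.group(1), 16)
    s = details.strip().strip('"')
    return int(s) if s.isdigit() else None


@dataclass(frozen=True)
class Finding:
    image: str
    key: str
    value: str
    reason: str


def check_event(event: Dict[str, str]) -> Optional[Finding]:
    key, value = normalise(event["TargetObject"])
    data = parse_dword(event["Details"])
    if key.lower() == RTP_KEY.lower() and value in RTP_VALUES and data == 1:
        return Finding(event["Image"], key, value,
                       "real-time protection feature disabled via policy")
    if key.lower() == TP_KEY.lower() and value == "TamperProtection" and data == 0:
        return Finding(event["Image"], key, value, "Tamper Protection switched off")
    return None


def scan(events: List[Dict[str, str]]) -> List[Finding]:
    return [f for f in map(check_event, events) if f is not None]


def tampering_images(events: List[Dict[str, str]]) -> List[str]:
    """Distinct process images with at least one finding."""
    return sorted({f.image for f in scan(events)})


def _ev(image: str, target: str, details: str) -> Dict[str, str]:
    return {"Image": image, "TargetObject": target, "Details": details}


# Constructed sample: three writes taken from the report, one ordinary Run-key
# write, and one write that sets the policy back to 0 (must not fire).
M = r"\REGISTRY\MACHINE\SOFTWARE"
BU = r"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu150905.exe"
COR = r"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor8709.exe"
SAMPLE_EVENTS = [
    _ev(BU, M + r"\Policies\Microsoft\Windows Defender\Real-Time Protection"
               r"\DisableRealtimeMonitoring", "1"),
    _ev(COR, M + r"\WOW6432Node\Policies\Microsoft\Windows Defender"
                r"\Real-Time Protection\DisableIOAVProtection", "DWORD (0x00000001)"),
    _ev(COR, M + r"\WOW6432Node\Microsoft\Windows Defender\Features"
                r"\TamperProtection", "0"),
    _ev(r"C:\Windows\explorer.exe",
        M + r"\Microsoft\Windows\CurrentVersion\Run\OneDrive", "C:\\OneDrive.exe"),
    _ev(r"C:\Windows\System32\gpupdate.exe",
        M + r"\Policies\Microsoft\Windows Defender\Real-Time Protection"
            r"\DisableRealtimeMonitoring", "0"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.image}: {f.value} -> {f.reason}")
```

Matching on the normalised key rather than the raw path is the point: a rule that only watches `HKLM\SOFTWARE\Policies\...` misses cor8709.exe entirely, and one that only checks for the value name without the data misfires when Group Policy writes the value back to 0.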
Adds Run key to start application
Note: the wextract_cleanup0 to wextract_cleanup3 values below are RunOnce entries written by the Windows IExpress self-extractor (wextract); each runs advpack.dll DelNodeRunDLL32 to delete the matching IXP00N.TMP extraction directory at the next logon. They show four nested self-extracting layers cleaning up after themselves, not a persistence mechanism for the payload.
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\57ad4ebec76047e3786ae119a4552b19642c69708624a5b042b9ecca75114845.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina7555.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina5697.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina5865.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\57ad4ebec76047e3786ae119a4552b19642c69708624a5b042b9ecca75114845.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina7555.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina5697.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina5865.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor8709.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\duq74s84.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu150905.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu150905.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor8709.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor8709.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu150905.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor8709.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\duq74s84.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\57ad4ebec76047e3786ae119a4552b19642c69708624a5b042b9ecca75114845.exe
"C:\Users\Admin\AppData\Local\Temp\57ad4ebec76047e3786ae119a4552b19642c69708624a5b042b9ecca75114845.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina7555.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina7555.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina5697.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina5697.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina5865.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina5865.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu150905.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu150905.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor8709.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor8709.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\duq74s84.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\duq74s84.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| RU | 193.233.20.33:4125 | | tcp |
| RU | 193.233.20.33:4125 | | tcp |
| RU | 193.233.20.33:4125 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| RU | 193.233.20.33:4125 | | tcp |
| RU | 193.233.20.33:4125 | | tcp |
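The network table holds two kinds of row: reverse (PTR) queries to 8.8.8.8 whose in-addr.arpa names encode an address, and five TCP connections to 193.233.20.33:4125 with no forward lookup anywhere in the capture, which means that address is reached by literal IP rather than resolved from a name. The script below is an added example, not part of the report: it decodes the PTR names back to addresses (IPv4 and, as a generalisation beyond the table, IPv6 ip6.arpa), tallies the non-DNS connections, and lists endpoints contacted with no forward lookup. NETWORK_ROWS is the report's table copied as constructed data; the direct-IP heuristic is this example's own.

```python
"""Turn the sandbox network table into IOCs.

Added example, not part of the report. NETWORK_ROWS is the report's network
table copied as constructed data (country, destination, domain, protocol);
the direct-IP heuristic in direct_ip_endpoints() is this example's own.
"""
import ipaddress
from collections import Counter
from typing import Dict, List, Optional, Tuple

NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "232.168.11.51.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "172.210.232.199.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "4.159.190.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "149.220.183.52.in-addr.arpa", "udp"),
    ("RU", "193.233.20.33:4125", "", "tcp"),
    ("RU", "193.233.20.33:4125", "", "tcp"),
    ("RU", "193.233.20.33:4125", "", "tcp"),
    ("US", "8.8.8.8:53", "13.227.111.52.in-addr.arpa", "udp"),
    ("RU", "193.233.20.33:4125", "", "tcp"),
    ("RU", "193.233.20.33:4125", "", "tcp"),
]


def ptr_to_ip(name: str) -> Optional[str]:
    """Decode a reverse-DNS query name into the address it asks about.
    in-addr.arpa carries the four IPv4 octets reversed; ip6.arpa carries the
    32 IPv6 nibbles reversed. Anything else (or an invalid address) -> None."""
    labels = name.rstrip(".").lower().split(".")
    if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
        candidate = ".".join(reversed(labels[:4]))
        family = ipaddress.IPv4Address
    elif labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
        nibbles = "".join(reversed(labels[:32]))
        if len(nibbles) != 32:
            return None
        candidate = ":".join(nibbles[i:i + 4] for i in range(0, 32, 4))
        family = ipaddress.IPv6Address
    else:
        return None
    try:
        return str(family(candidate))
    except ValueError:
        return None


def split_endpoint(dest: str) -> Tuple[str, int]:
    host, _, port = dest.rpartition(":")
    return host, int(port)


def summarise(rows) -> Dict[str, object]:
    """Separate DNS traffic into PTR targets and forward lookups, and count
    every other connection per host:port/proto."""
    ptr_targets: List[str] = []
    forward_lookups: List[str] = []
    connections: Counter = Counter()
    for _country, dest, domain, proto in rows:
        host, port = split_endpoint(dest)
        if proto == "udp" and port == 53 and domain:
            ip = ptr_to_ip(domain)
            if ip:
                ptr_targets.append(ip)
            else:
                forward_lookups.append(domain)
            continue
        connections[f"{host}:{port}/{proto}"] += 1
    return {
        "ptr_targets": ptr_targets,
        "forward_lookups": forward_lookups,
        "connections": dict(connections),
    }


def direct_ip_endpoints(rows) -> List[str]:
    """Endpoints reached with no forward (A/AAAA) lookup anywhere in the
    capture: with nothing resolved, the address must be carried in the sample.
    When forward lookups exist the table alone cannot tie them to a
    connection, so the function stays silent rather than guess."""
    s = summarise(rows)
    if s["forward_lookups"]:
        return []
    return sorted(s["connections"])


if __name__ == "__main__":
    summary = summarise(NETWORK_ROWS)
    print("PTR targets:", ", ".join(summary["ptr_targets"]))
    print("connections:", summary["connections"])
    print("direct-IP endpoints:", direct_ip_endpoints(NETWORK_ROWS))
```

The decoded PTR targets (51.11.168.232, 199.232.210.172, 192.229.221.95, 20.190.159.4, 52.183.220.149, 52.111.227.13) are the addresses something on the VM asked about; the report does not say which process issued them, so they should be kept separate from the 193.233.20.33:4125 endpoint when building blocklists.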
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina7555.exe
| MD5 | efb3f7dc161a980e456767d77368a79e |
| SHA1 | 9cb493384739fa7374b59b90a07f3a0e035e102a |
| SHA256 | a285e62fef72b6de5eecc96dc727000f5e8d8f9be475e79bf3d3e5ecee2615bc |
| SHA512 | d0da782caa79bd816068bd69aa36163871fd017537c4fcb7ce0ce4bc9420ba400e9c4bf3baa6b570be8c1a735c69076063a2dcf64d1ab990fa53c9eb02f59633 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina5697.exe
| MD5 | c731cc53eea4acd32d993915f3ff28cc |
| SHA1 | 7fe81dcfcefc02afc7d96e324d54b4a250abf457 |
| SHA256 | 1f150415d7dcf2c4937fa6fab682f5748ca2640598df038c8da66e44462d2a3e |
| SHA512 | 1bf8ce97b75aa81176b6edb270d1714e75662d899a3128fae4e22ce8d58003180a1d79903ff7c2364ee465cb4c0eb42c70ac3ff3885198895e6a5ed7b155d43b |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina5865.exe
| MD5 | 327dc9193b963c200221a720d1bffc1e |
| SHA1 | 753cb3f124a24d4e3692c1d3937d000f1fe1a6fa |
| SHA256 | 2f8d7eb778622fb4eaac2939258a3d66b727b06f0a844924fa34301525a88883 |
| SHA512 | 54495b7e3c432e7c7db244b14e8ba9f703bcd9d2a0c5ba6b8c6e537dc14483d5c9338132b4dbbcae791ec1757cc4419750abbbde2d4a41833164010bf84943f6 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu150905.exe
| MD5 | 27754cfee83f58407b0f9370231925df |
| SHA1 | 39fef764c432230ae410b34499c87a35183bd13d |
| SHA256 | a04d5f834d98e1fc85d778bee473c067c2d832b9958a183f429a331580582838 |
| SHA512 | fd8a4c5f0a9343bc0e296f230a47d83f3d7758c253fef271fd15021ca66cd05d02dd6ac286aecc8d3a470ab02c81464b451db35b96b0553072a307b992a04a39 |
memory/4448-28-0x00000000005C0000-0x00000000005CA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor8709.exe
| MD5 | d8145143160f8b068d6fcf7e69d56b1a |
| SHA1 | 253ce4c0fc9f01cbb91e27308c1e8bebe57987b3 |
| SHA256 | a7bccee8157d7739190295bf131dbe2c9bf87e6bc2e47fb43626b1ad62a7c043 |
| SHA512 | 207b8bd47f90b48a8e5ddc218952866dc5fba4d422fd43b619a2e3c0d24ed3a9dc1fe25d039d24e5bef3a62d87760a6b13d8efc3a97ac4b6d9d5564d4351700c |
memory/1356-34-0x0000000004840000-0x000000000485A000-memory.dmp
memory/1356-35-0x0000000007210000-0x00000000077B4000-memory.dmp
memory/1356-36-0x0000000007810000-0x0000000007828000-memory.dmp
memory/1356-37-0x0000000007810000-0x0000000007822000-memory.dmp
memory/1356-64-0x0000000007810000-0x0000000007822000-memory.dmp
memory/1356-62-0x0000000007810000-0x0000000007822000-memory.dmp
memory/1356-60-0x0000000007810000-0x0000000007822000-memory.dmp
memory/1356-58-0x0000000007810000-0x0000000007822000-memory.dmp
memory/1356-56-0x0000000007810000-0x0000000007822000-memory.dmp
memory/1356-54-0x0000000007810000-0x0000000007822000-memory.dmp
memory/1356-52-0x0000000007810000-0x0000000007822000-memory.dmp
memory/1356-50-0x0000000007810000-0x0000000007822000-memory.dmp
memory/1356-48-0x0000000007810000-0x0000000007822000-memory.dmp
memory/1356-47-0x0000000007810000-0x0000000007822000-memory.dmp
memory/1356-44-0x0000000007810000-0x0000000007822000-memory.dmp
memory/1356-42-0x0000000007810000-0x0000000007822000-memory.dmp
memory/1356-40-0x0000000007810000-0x0000000007822000-memory.dmp
memory/1356-38-0x0000000007810000-0x0000000007822000-memory.dmp
memory/1356-65-0x0000000000400000-0x0000000002B7E000-memory.dmp
memory/1356-67-0x0000000000400000-0x0000000002B7E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\duq74s84.exe
| MD5 | 0ba5cbdd0ae133b438180d8f299db198 |
| SHA1 | fceb77aa6bc73a7f895cea66d49bdf07f32f5aa8 |
| SHA256 | 612f5412574413a534d354b6509913c7f37c7a0be0b70b018421b7d4818e189a |
| SHA512 | 55632d62bb53d771d8d97e3f91679aba35fe1f7f4d38556de17ac38c80b44065fa6f7a008ad813b1509e6f8d9095a0e7a1c45d80cfa80335c6c7f0c30790b03c |
memory/1660-72-0x0000000004C40000-0x0000000004C86000-memory.dmp
memory/1660-73-0x0000000007750000-0x0000000007794000-memory.dmp
memory/1660-83-0x0000000007750000-0x000000000778E000-memory.dmp
memory/1660-89-0x0000000007750000-0x000000000778E000-memory.dmp
memory/1660-107-0x0000000007750000-0x000000000778E000-memory.dmp
memory/1660-105-0x0000000007750000-0x000000000778E000-memory.dmp
memory/1660-101-0x0000000007750000-0x000000000778E000-memory.dmp
memory/1660-99-0x0000000007750000-0x000000000778E000-memory.dmp
memory/1660-97-0x0000000007750000-0x000000000778E000-memory.dmp
memory/1660-95-0x0000000007750000-0x000000000778E000-memory.dmp
memory/1660-93-0x0000000007750000-0x000000000778E000-memory.dmp
memory/1660-91-0x0000000007750000-0x000000000778E000-memory.dmp
memory/1660-87-0x0000000007750000-0x000000000778E000-memory.dmp
memory/1660-85-0x0000000007750000-0x000000000778E000-memory.dmp
memory/1660-81-0x0000000007750000-0x000000000778E000-memory.dmp
memory/1660-79-0x0000000007750000-0x000000000778E000-memory.dmp
memory/1660-103-0x0000000007750000-0x000000000778E000-memory.dmp
memory/1660-77-0x0000000007750000-0x000000000778E000-memory.dmp
memory/1660-75-0x0000000007750000-0x000000000778E000-memory.dmp
memory/1660-74-0x0000000007750000-0x000000000778E000-memory.dmp
memory/1660-980-0x00000000077C0000-0x0000000007DD8000-memory.dmp
memory/1660-981-0x0000000007E60000-0x0000000007F6A000-memory.dmp
memory/1660-982-0x0000000007FA0000-0x0000000007FB2000-memory.dmp
memory/1660-983-0x0000000007FC0000-0x0000000007FFC000-memory.dmp
memory/1660-984-0x0000000008110000-0x000000000815C000-memory.dmp