Analysis Overview
SHA256
d04da2f02bd3b4f90ce3e2def12684d50ca1cb61f228d97bd6e3cda7682b9886
Threat Level: Known bad
The file d04da2f02bd3b4f90ce3e2def12684d50ca1cb61f228d97bd6e3cda7682b9886 was found to be: Known bad.
Malicious Activity Summary
Healer
Healer family
RedLine payload
Redline family
Detects Healer an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
RedLine
Executes dropped EXE
Windows security modification
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:43
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:43
Reported
2024-11-10 01:46
Platform
win10v2004-20241007-en
Max time kernel
144s
Max time network
149s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buzs11NX83.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buzs11NX83.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buzs11NX83.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buzs11NX83.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buzs11NX83.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buzs11NX83.exe | N/A |
RedLine
RedLine payload
36 matches recorded; no description, indicator, process or target was exported for any of them.
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plqj38xY71.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plzI91tT83.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pluF45LF77.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plpf85uR70.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buzs11NX83.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\catQ29Bo67.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buzs11NX83.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plzI91tT83.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pluF45LF77.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plpf85uR70.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\d04da2f02bd3b4f90ce3e2def12684d50ca1cb61f228d97bd6e3cda7682b9886.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plqj38xY71.exe | N/A |
Note: the five wextract_cleanupN values are not persistence for the payload. They are the self-delete entries the Windows IExpress/WEXTRACT self-extractor writes for its IXPnnn.TMP extraction folders (rundll32 advpack.dll,DelNodeRunDLL32 removes the named folder at the next logon). Each value is written by the layer that unpacked the next one, so the five entries document a five-deep nesting of self-extracting droppers ending in IXP004.TMP, where buzs11NX83.exe (the process behind the Defender modifications above) and catQ29Bo67.exe are dropped.
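Added example (not part of the sandbox report, and not code from the Healer or RedLine samples): a Python script that classifies Sysmon Event ID 13 registry SetValue records for the behaviours tabled under "Modifies Windows Defender Real-time Protection settings", "Windows security modification" and "Adds Run key to start application". It flags the Real-Time Protection policy DWORDs and the Features\TamperProtection = 0 write as Defender tampering (ATT&CK T1562.001), and recognises RunOnce wextract_cleanupN values as the IExpress/WEXTRACT self-delete entries, using them to reconstruct how deeply the droppers are nested instead of reporting them as persistence. The records in SAMPLE_EVENTS are constructed from this report's tables; the Details strings mimic Sysmon's DWORD (0x00000001) rendering and the field names follow Sysmon's schema, but no real log is read, and the SecurityHealth Run value is a constructed benign control. All writes in the report target HKLM, so the sample ran with administrative rights in the sandbox; on a host with Tamper Protection enabled these Defender settings are protected from direct modification, so the detection keys on the write attempt rather than on whether protection actually turned off.

```python
"""Classify Sysmon Event ID 13 (RegistryEvent: SetValue) records for the two
behaviours in this report: Windows Defender policy tampering and the RunOnce
self-delete entries that the Windows IExpress/WEXTRACT self-extractor writes.
Added example; SAMPLE_EVENTS is constructed from the report's registry tables,
not read from a real Sysmon log."""
import re
from pathlib import PureWindowsPath

# Canonical HKLM spellings.  Triage prints the kernel form \REGISTRY\MACHINE\...
# and a 32-bit writer lands under WOW6432Node; normalise_key() folds both away.
DEFENDER_RTP_POLICY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
DEFENDER_RTP_VALUES = {
    "DisableRealtimeMonitoring", "DisableBehaviorMonitoring",
    "DisableOnAccessProtection", "DisableIOAVProtection",
    "DisableScanOnRealtimeEnable",
}
TAMPER_PROTECTION = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection"
RUNONCE = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"

DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")
# wextract's cleanup command: rundll32 advpack.dll,DelNodeRunDLL32 "<folder>"
DELNODE_RE = re.compile(r'advpack\.dll,DelNodeRunDLL32\s+"([^"]+)"', re.I)


def normalise_key(target):
    key = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", target, flags=re.I)
    return re.sub(r"\\WOW6432Node\\", r"\\", key, flags=re.I)


def classify(event):
    """event: dict with Sysmon EID 13 fields TargetObject, Details, Image.
    Returns a finding dict, or None for writes this rule set does not cover."""
    path, _, value = normalise_key(event["TargetObject"]).rpartition("\\")
    details, image = event["Details"], event["Image"]
    m = DWORD_RE.match(details)
    dword = int(m.group(1), 16) if m else None

    if path.lower() == DEFENDER_RTP_POLICY.lower() and value in DEFENDER_RTP_VALUES and dword == 1:
        return {"kind": "defender_tamper", "technique": "T1562.001", "value": value, "image": image}
    if (path + "\\" + value).lower() == TAMPER_PROTECTION.lower() and dword == 0:
        return {"kind": "defender_tamper", "technique": "T1562.001", "value": value, "image": image}
    if path.lower() == RUNONCE.lower():
        d = DELNODE_RE.search(details)
        if d:  # IExpress self-delete of a child extraction folder: not persistence
            return {"kind": "sfx_cleanup", "value": value, "image": image,
                    "deletes": d.group(1).rstrip("\\")}
        return {"kind": "runonce_persistence", "technique": "T1547.001",
                "value": value, "image": image, "command": details}
    return None


def extraction_chain(findings):
    """Each IExpress layer schedules deletion of the folder its own child
    unpacked into, so writer-folder -> deleted-folder edges form one path from
    the outermost sample's folder to the innermost drop folder."""
    edges = {}
    for f in findings:
        if f["kind"] == "sfx_cleanup":
            edges[str(PureWindowsPath(f["image"]).parent).lower()] = f["deletes"].lower()
    roots = [d for d in edges if d not in edges.values()]
    if len(roots) != 1:
        return []
    chain = [roots[0]]
    while chain[-1] in edges and edges[chain[-1]] not in chain:
        chain.append(edges[chain[-1]])
    return chain


# Constructed records mirroring the report's tables (paths as in the report).
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
HEALER = TEMP + r"\IXP004.TMP\buzs11NX83.exe"
RTP = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
RUNONCE_WOW = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"


def _delnode(folder):
    return r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "{}\{}\"'.format(TEMP, folder)


SAMPLE_EVENTS = [
    (RTP + r"\DisableIOAVProtection", "DWORD (0x00000001)", HEALER),
    (RTP + r"\DisableOnAccessProtection", "DWORD (0x00000001)", HEALER),
    (RTP + r"\DisableRealtimeMonitoring", "DWORD (0x00000001)", HEALER),
    (RTP + r"\DisableScanOnRealtimeEnable", "DWORD (0x00000001)", HEALER),
    (RTP + r"\DisableBehaviorMonitoring", "DWORD (0x00000001)", HEALER),
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection", "DWORD (0x00000000)", HEALER),
    (RUNONCE_WOW + r"\wextract_cleanup0", _delnode("IXP000.TMP"),
     TEMP + r"\d04da2f02bd3b4f90ce3e2def12684d50ca1cb61f228d97bd6e3cda7682b9886.exe"),
    (RUNONCE_WOW + r"\wextract_cleanup1", _delnode("IXP001.TMP"), TEMP + r"\IXP000.TMP\plqj38xY71.exe"),
    (RUNONCE_WOW + r"\wextract_cleanup2", _delnode("IXP002.TMP"), TEMP + r"\IXP001.TMP\plzI91tT83.exe"),
    (RUNONCE_WOW + r"\wextract_cleanup3", _delnode("IXP003.TMP"), TEMP + r"\IXP002.TMP\pluF45LF77.exe"),
    (RUNONCE_WOW + r"\wextract_cleanup4", _delnode("IXP004.TMP"), TEMP + r"\IXP003.TMP\plpf85uR70.exe"),
    # Constructed benign control: an ordinary Run value that must not fire.
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     r"%windir%\system32\SecurityHealthSystray.exe", r"C:\Windows\explorer.exe"),
]


def analyse(events=SAMPLE_EVENTS):
    findings = []
    for target, details, image in events:
        f = classify({"TargetObject": target, "Details": details, "Image": image})
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    results = analyse()
    for f in results:
        print(f["kind"], f["value"], PureWindowsPath(f["image"]).name)
    print("IExpress nesting:", " -> ".join(extraction_chain(results)))
```

Run against the constructed records the script yields six defender_tamper findings, all from buzs11NX83.exe, five sfx_cleanup findings and no hit for the benign Run value; the nesting chain runs from the Temp folder through IXP000.TMP to IXP004.TMP, six folders deep. A RunOnce value that is not a DelNodeRunDLL32 command is classified as runonce_persistence so that genuine autostart entries are still surfaced.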
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d04da2f02bd3b4f90ce3e2def12684d50ca1cb61f228d97bd6e3cda7682b9886.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plqj38xY71.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plzI91tT83.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pluF45LF77.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plpf85uR70.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\catQ29Bo67.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buzs11NX83.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buzs11NX83.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buzs11NX83.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\catQ29Bo67.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\d04da2f02bd3b4f90ce3e2def12684d50ca1cb61f228d97bd6e3cda7682b9886.exe | "C:\Users\Admin\AppData\Local\Temp\d04da2f02bd3b4f90ce3e2def12684d50ca1cb61f228d97bd6e3cda7682b9886.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plqj38xY71.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plqj38xY71.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plzI91tT83.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plzI91tT83.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pluF45LF77.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pluF45LF77.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plpf85uR70.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plpf85uR70.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buzs11NX83.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buzs11NX83.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\catQ29Bo67.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\catQ29Bo67.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | | tcp |
| RU | 193.233.20.24:4123 | | tcp |
| RU | 193.233.20.24:4123 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | | tcp |
| RU | 193.233.20.24:4123 | | tcp |
The udp rows are PTR (in-addr.arpa) reverse lookups sent to 8.8.8.8. The tcp rows are six connections to a single host, 193.233.20.24 on port 4123, the only non-DNS traffic in the run.
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plqj38xY71.exe
| MD5 | c0053e31c324db2105ab52c26a206594 |
| SHA1 | 85d130ea355e8b7ef065853364406e10b2f5e043 |
| SHA256 | 80dfaf2707a30f38656cf44b5750258c4afe9b77bbc6978c32939fed950327e9 |
| SHA512 | a7e0751e9dc0c42a4da1749320327bcbe1db1308145b729f9c4b7bdb76b61d55e0f7d3adc1683b1a46cd9caadebd33187f68c358c5f58bc0dc5102f9101c8691 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plzI91tT83.exe
| MD5 | ead81aab5c72c0008a63cd730fd8ba68 |
| SHA1 | 8f808674ff5718bfb625019d30c9c35293b6c8c3 |
| SHA256 | a6d3b1868954e1f77fd7724f33742f6391c7b2288410bb9d66de3be50393a07a |
| SHA512 | bd6df85059194f31e5d51ff2d3ad35d23f8cdf8f1b117d0c8cff4096c23289094d30a86bcc7f0e4e55cbcf02d37dd5e81e08f64fba3b597e9d9725a7467a60a8 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pluF45LF77.exe
| MD5 | 90fa26abbea9e64a4a6166fabd599f67 |
| SHA1 | 17385c349ff4f15e1b3cd9851e2e7b6ccf864a3e |
| SHA256 | 5cecae691a9581f2145d6e9316a16e31d35a80a0908c4677561366081f2f0928 |
| SHA512 | f35e21946f8c32458a7fe6bf74940887f547a30c06d6213a8589e48a33b532a96b97b7beeb4d0de7b18ce1d5a5c42682b6e95de518eacc96d3c5e64110b42d28 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plpf85uR70.exe
| MD5 | 89085cf8b80e7f334fff4f34050ab249 |
| SHA1 | f19db77e77f2e3fb247ff6a15a6e04f71f95aa63 |
| SHA256 | ca202b199ce4628b4ea25c9390b44722eeba99f4b194afa29dd4b6202319f17d |
| SHA512 | 69406017ffc40eda7891d97980bd164ed6c8709b3e23cb534f13d4074b556b32e7fa9ee21022ad8f9122ee80fe0f19bf0d4a1960b16cb5a3b964df4c731f2aa4 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buzs11NX83.exe
| MD5 | 1d11fb3a60485a4fc8e87ab6b11edf01 |
| SHA1 | 82fe9d8c490142692afc8273df8e15828ed9253f |
| SHA256 | 1556efc221b6b09ac945bf9f586ed4e256cd77b710689a5d7a7f3161ea19d2b5 |
| SHA512 | 80a17be977a596440da6809f1fdf05af08e03fb32dfc297577dda4ce69febc405edb488c860e7070e2207bb881f218a87db2b6254dcc87192c81ea11b168bac4 |
memory/3128-35-0x0000000000670000-0x000000000067A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\catQ29Bo67.exe
| MD5 | 0699a3dd8a0bfbef309a3c474b22b56d |
| SHA1 | 8f8218184e8f28b14b8a3d5f828e28b9d8cd40a8 |
| SHA256 | 0fe939fc94b4462887001499c9acd988653938b21d30b6eadfa023629edad178 |
| SHA512 | 6dff28c979b7efeb3b8fccb98102b1adeaa5e31aebf01713c76f8055c7ac520bc8b37857f442e1d0de5d4b77295325b485cf8d53d72fd4d22091211de4ef26cd |
memory/2028-41-0x0000000004D40000-0x0000000004D86000-memory.dmp
memory/2028-42-0x0000000007280000-0x0000000007824000-memory.dmp
memory/2028-43-0x0000000004DC0000-0x0000000004E04000-memory.dmp
memory/2028-55-0x0000000004DC0000-0x0000000004DFE000-memory.dmp
memory/2028-57-0x0000000004DC0000-0x0000000004DFE000-memory.dmp
memory/2028-107-0x0000000004DC0000-0x0000000004DFE000-memory.dmp
memory/2028-105-0x0000000004DC0000-0x0000000004DFE000-memory.dmp
memory/2028-103-0x0000000004DC0000-0x0000000004DFE000-memory.dmp
memory/2028-101-0x0000000004DC0000-0x0000000004DFE000-memory.dmp
memory/2028-99-0x0000000004DC0000-0x0000000004DFE000-memory.dmp
memory/2028-97-0x0000000004DC0000-0x0000000004DFE000-memory.dmp
memory/2028-950-0x0000000007830000-0x0000000007E48000-memory.dmp
memory/2028-953-0x0000000008100000-0x000000000813C000-memory.dmp
memory/2028-952-0x0000000007FE0000-0x0000000007FF2000-memory.dmp
memory/2028-951-0x0000000007EA0000-0x0000000007FAA000-memory.dmp
memory/2028-93-0x0000000004DC0000-0x0000000004DFE000-memory.dmp
memory/2028-91-0x0000000004DC0000-0x0000000004DFE000-memory.dmp
memory/2028-954-0x0000000008150000-0x000000000819C000-memory.dmp
memory/2028-90-0x0000000004DC0000-0x0000000004DFE000-memory.dmp
memory/2028-87-0x0000000004DC0000-0x0000000004DFE000-memory.dmp
memory/2028-85-0x0000000004DC0000-0x0000000004DFE000-memory.dmp
memory/2028-83-0x0000000004DC0000-0x0000000004DFE000-memory.dmp
memory/2028-81-0x0000000004DC0000-0x0000000004DFE000-memory.dmp
memory/2028-79-0x0000000004DC0000-0x0000000004DFE000-memory.dmp
memory/2028-78-0x0000000004DC0000-0x0000000004DFE000-memory.dmp
memory/2028-75-0x0000000004DC0000-0x0000000004DFE000-memory.dmp
memory/2028-73-0x0000000004DC0000-0x0000000004DFE000-memory.dmp
memory/2028-71-0x0000000004DC0000-0x0000000004DFE000-memory.dmp
memory/2028-69-0x0000000004DC0000-0x0000000004DFE000-memory.dmp
memory/2028-67-0x0000000004DC0000-0x0000000004DFE000-memory.dmp
memory/2028-65-0x0000000004DC0000-0x0000000004DFE000-memory.dmp
memory/2028-63-0x0000000004DC0000-0x0000000004DFE000-memory.dmp
memory/2028-61-0x0000000004DC0000-0x0000000004DFE000-memory.dmp
memory/2028-59-0x0000000004DC0000-0x0000000004DFE000-memory.dmp
memory/2028-53-0x0000000004DC0000-0x0000000004DFE000-memory.dmp
memory/2028-51-0x0000000004DC0000-0x0000000004DFE000-memory.dmp
memory/2028-50-0x0000000004DC0000-0x0000000004DFE000-memory.dmp
memory/2028-95-0x0000000004DC0000-0x0000000004DFE000-memory.dmp
memory/2028-47-0x0000000004DC0000-0x0000000004DFE000-memory.dmp
memory/2028-45-0x0000000004DC0000-0x0000000004DFE000-memory.dmp
memory/2028-44-0x0000000004DC0000-0x0000000004DFE000-memory.dmp