Analysis Overview
SHA256
57894dc585c12b582e6dfa1116fa65b16ed1f85819d26a224fd1202c1c915f4b
Threat Level: Known bad
The file 57894dc585c12b582e6dfa1116fa65b16ed1f85819d26a224fd1202c1c915f4b was found to be: Known bad.
Malicious Activity Summary
Healer family
Healer
Modifies Windows Defender Real-time Protection settings
RedLine payload
Detects Healer, an antivirus disabler dropper
Redline family
RedLine
Executes dropped EXE
Windows security modification
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:45
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:45
Reported
2024-11-10 01:47
Platform
win10v2004-20241007-en
Max time kernel
144s
Max time network
148s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bTV34RD30.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bTV34RD30.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bTV34RD30.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bTV34RD30.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bTV34RD30.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bTV34RD30.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pTJ31jO62.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptd85Or28.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pZm47bK52.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bTV34RD30.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cyg96SF31.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bTV34RD30.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\57894dc585c12b582e6dfa1116fa65b16ed1f85819d26a224fd1202c1c915f4b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pTJ31jO62.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptd85Or28.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pZm47bK52.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cyg96SF31.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\57894dc585c12b582e6dfa1116fa65b16ed1f85819d26a224fd1202c1c915f4b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pTJ31jO62.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptd85Or28.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pZm47bK52.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bTV34RD30.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bTV34RD30.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cyg96SF31.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\57894dc585c12b582e6dfa1116fa65b16ed1f85819d26a224fd1202c1c915f4b.exe | "C:\Users\Admin\AppData\Local\Temp\57894dc585c12b582e6dfa1116fa65b16ed1f85819d26a224fd1202c1c915f4b.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pTJ31jO62.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pTJ31jO62.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptd85Or28.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptd85Or28.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pZm47bK52.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pZm47bK52.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bTV34RD30.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bTV34RD30.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cyg96SF31.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cyg96SF31.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| RU | 193.233.20.23:4123 | N/A | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| RU | 193.233.20.23:4123 | N/A | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| RU | 193.233.20.23:4123 | N/A | tcp |
| RU | 193.233.20.23:4123 | N/A | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| RU | 193.233.20.23:4123 | N/A | tcp |
| RU | 193.233.20.23:4123 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pTJ31jO62.exe
| MD5 | 0cc645bfebbee83ae73f2ac67a44e234 |
| SHA1 | 4458ddc13d90bc8399e5cc547e14a2845a9dcaf5 |
| SHA256 | 7420260bf221aa05d429e7f4bd9ce6b0b4070baa410944869dbb17d3b6f8e10f |
| SHA512 | d8b32d5550f147b703dc86600de7c2bc6cec826d37a7dce71770dcc03b38622988710eb613fc08fd246d2d81517c239d9c1d78b09a091f8782d187fa9251e557 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptd85Or28.exe
| MD5 | 3eb3cccf02026e0dd174dac928d3a81d |
| SHA1 | 7a7048c147a524452ea36c86286b77e3564cfd32 |
| SHA256 | 454ede7721a8519b453335674e0f18bbcd9b7c2202cc0391d8880aca37af3752 |
| SHA512 | 9a016e66b13bfe5d13d177b26b49dfa1ca6322551b9aa78c5d7da442b3c55911dace26237226ab4e9704062471066491306dfeb8d0ed20d4b01bf36e2c554a6c |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pZm47bK52.exe
| MD5 | 8312e11efc3b3e96080fd917e04a70a7 |
| SHA1 | 0e7d59876755c8891cbf706748d0abde231b97fa |
| SHA256 | 1c9b912ec71b43c46f45cd154e27b8cb3edd93f44a49a1b9f02d594bad6d2da2 |
| SHA512 | ae62ced526d11d0c6f2c93962834a7ddd92a9b8b2b045bee17213515a7edc614880940943b66854ae0ed989ba3ab03ea33543bdea00bdc4d62c57203797ad4e8 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bTV34RD30.exe
| MD5 | 4759c87cb8aae3b368ce489ed3888406 |
| SHA1 | 428b9a715af61d129a9a86145884f344a557f1aa |
| SHA256 | 48ebc806315e6f54059fd03b98c5c853e0e3a457b1f1d8dc6fa61f57470b7f62 |
| SHA512 | e8b16bbc37b67efcbee78d2085487f57d909e4e84160e6fbef838a403f5642d86b330db35ea0887b89629176ed684a8d2c4ef76a32724dbb4b35aead6ef16d04 |
memory/3896-28-0x0000000000F00000-0x0000000000F0A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cyg96SF31.exe
| MD5 | 43808d4cb75be409d7906b2dd00a55cb |
| SHA1 | 7c05ec44a25709bbf577a9a2b64305148267a461 |
| SHA256 | 6376d0c48599313b92671dd50ea2d30842c10ac8e3a7943d4f4e6d017fb5a4c7 |
| SHA512 | 44f4232365eb392b55cd0bbdcdd1f4dc4c9f5f2a9b2f698258b26a5f25dfdbaf422498c0f21a8dc7a2fb2a81611e8c9b192c2c2db2486f8240f28809ae3f9609 |