Analysis Overview
SHA256
9f50af425d17247d4d3d98131add501fa0982dcb37295df361b44b80866c841c
Threat Level: Known bad
The file 9f50af425d17247d4d3d98131add501fa0982dcb37295df361b44b80866c841c was found to be: Known bad.
Malicious Activity Summary
Detects Healer, an antivirus disabler dropper
Healer family
Modifies Windows Defender Real-time Protection settings
Redline family
RedLine
RedLine payload
Healer
Windows security modification
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:36
Reported
2024-11-10 01:38
Platform
win10v2004-20241007-en
Max time kernel
143s
Max time network
147s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buTw07oK35.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buTw07oK35.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buTw07oK35.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buTw07oK35.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buTw07oK35.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buTw07oK35.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plgp58Id36.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plbB10BC11.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plbY91pz79.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plsB18am25.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buTw07oK35.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\canr55Pp31.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buTw07oK35.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plgp58Id36.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plbB10BC11.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plbY91pz79.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plsB18am25.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\9f50af425d17247d4d3d98131add501fa0982dcb37295df361b44b80866c841c.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\canr55Pp31.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9f50af425d17247d4d3d98131add501fa0982dcb37295df361b44b80866c841c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plgp58Id36.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plbB10BC11.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plbY91pz79.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plsB18am25.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buTw07oK35.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buTw07oK35.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buTw07oK35.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\canr55Pp31.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9f50af425d17247d4d3d98131add501fa0982dcb37295df361b44b80866c841c.exe
"C:\Users\Admin\AppData\Local\Temp\9f50af425d17247d4d3d98131add501fa0982dcb37295df361b44b80866c841c.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plgp58Id36.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plgp58Id36.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plbB10BC11.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plbB10BC11.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plbY91pz79.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plbY91pz79.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plsB18am25.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plsB18am25.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buTw07oK35.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buTw07oK35.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\canr55Pp31.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\canr55Pp31.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| RU | 193.233.20.24:4123 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plgp58Id36.exe
| MD5 | da3ea7e226940fee5fc7178bb492d9ce |
| SHA1 | bdcc29815955aa75078117af70fe36bc5b55d3b6 |
| SHA256 | 206d34102b5b967c2a7849aa8a15366b9ff75d71461e8aa345ee1719e3aa1bd0 |
| SHA512 | 2ce624302868ba2a47153ab300a690b40f04c180f18f158c0766ffd3463179e94c5af6d18f296c21051cc6f49fce350e20bf14cc10c5dc549160c91fe8ee3355 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plbB10BC11.exe
| MD5 | 84bd9e160f5016a9b104a0f8034a37d5 |
| SHA1 | 727c79bf87d56065b1921753951eef050536ae17 |
| SHA256 | 63f2f5ec4968f5f7ed0c81dbab413304619dbe579e7bcf4be8ce58341f4654cf |
| SHA512 | 4cb0b837dee1a3647bea72f9cad52b8412cf84d6239a33daa737e88a0d24949949682f83f7093d1106e0a48eed46aa4f1d304d191cd163cbb3b19d95b97cdefc |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plbY91pz79.exe
| MD5 | 12b2f87d938dec3998886646b2cb07c9 |
| SHA1 | 59ebda704fdcf6cc57599fd40bf8677748a87d5c |
| SHA256 | 2b857239536a2a13240f9f9b677810208080db204aa13642cc9334a2b4049920 |
| SHA512 | 64d8374af979ea249dd00e7ebb23b4ef281466360df97984e50afd432b9a71e9915391ace619dd6167e2953db693dba921319cf223ebdc2f0456e94b7a5ec154 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plsB18am25.exe
| MD5 | 14fa9adf5dbe2ffb322f454764fbb83d |
| SHA1 | 90493b4527a3bed3b3b9d60fb36ee94cb54cdfbc |
| SHA256 | 1f04765ff4dbcced5b11791811c7aec4748fed97ebb4c072264284cce14cf82d |
| SHA512 | 76b1cfe51335cb1a9d5adb5b1b26d0ad953d890e6a488ed946b4f694a242b3f8e193942a4d9fd0c09135b90e9e1b6a63d3d950c6f23a21d6423befee915f3b59 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buTw07oK35.exe
| MD5 | afae7443f98357568ac8c737e126de85 |
| SHA1 | 47589a3dbf97c4e156b924cc23073c6eeb35b4d8 |
| SHA256 | a1f11bec33d19ceb9bc84ec09cb169f7da9234ec13b6c944f697139bc03869f4 |
| SHA512 | ee5437c4f8ad201ded0ffdc9745ad903beb34fb3daebdf16bc35b1bd7f4a4724a2ef8d21c2dfc4a52dad22bf9442486c1e98e95ae4a69eaed53977fd06393b9f |
memory/3788-35-0x0000000000230000-0x000000000023A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\canr55Pp31.exe
| MD5 | df8b658ff430e07a3083de9d55e38d9f |
| SHA1 | a1c69254ba895096f75660ca5c9c09f46486e65f |
| SHA256 | 885045b17ae6220ea794be50c2290b1c771323b5ff3680879e7d2bd8d1576a74 |
| SHA512 | ce534ec18d6e3f3f30a21c0749818ae89895281164262fe118610f4609d98d78f3164659cc8114d2d4767eff56cb446a118b72488982989c0e722fff8bcdae8a |