Analysis Overview
SHA256
4ecff3dc18d6506e10f68491d58fc1ba31faf9493133c4279cd4fbb7e7929b16
Threat Level: Known bad
The file 4ecff3dc18d6506e10f68491d58fc1ba31faf9493133c4279cd4fbb7e7929b16 was found to be: Known bad.
Malicious Activity Summary
Healer
RedLine
RedLine payload
Redline family
Modifies Windows Defender Real-time Protection settings
Healer family
Detects Healer, an antivirus disabler dropper
Executes dropped EXE
Windows security modification
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:34
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:34
Reported
2024-11-10 01:37
Platform
win10v2004-20241007-en
Max time kernel
144s
Max time network
148s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPV92tZ96.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPV92tZ96.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPV92tZ96.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPV92tZ96.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPV92tZ96.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPV92tZ96.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| 35 matches recorded; the sandbox captured no description, indicator, process or target for any of them | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plIU29XD06.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plLP13qt01.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEt10Ra62.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plZA95Ow98.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPV92tZ96.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\casX13jF11.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPV92tZ96.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plIU29XD06.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plLP13qt01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEt10Ra62.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plZA95Ow98.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\4ecff3dc18d6506e10f68491d58fc1ba31faf9493133c4279cd4fbb7e7929b16.exe | N/A |
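The two registry tables above carry the most useful triage facts in this report, and they are easy to misread. The five `Real-Time Protection\Disable*` policy values and the `Features\TamperProtection = 0` write are Healer doing what its name says; on a host with Tamper Protection enabled Defender ignores those policy values and the `TamperProtection` write is blocked, so a registry write alone does not prove Defender went down, and Defender's own operational log (event 5001, real-time protection disabled) is the place to confirm. The `wextract_cleanupN` RunOnce entries, despite the "Adds Run key" label, are not persistence for the stealer: they are what a wextract/IExpress self-extracting package writes so that `rundll32 advpack.dll,DelNodeRunDLL32` deletes its `IXP00N.TMP` staging directory at next logon. Because each entry is written by the stage that extracted into that directory, they also give the nesting order: the sample extracts into IXP000, `plIU29XD06.exe` into IXP001, and so on down to `plZA95Ow98.exe` extracting `buPV92tZ96.exe` (Healer) and `casX13jF11.exe` (RedLine) into IXP004. The following is an added example, not code from the sandbox or the report; its input rows are constructed from the tables above, and the `RegEvent` tuple, the function names and the finding labels are this example's own conventions.

```python
"""Classify the registry writes a sandbox report attributes to a sample.

Added example, not code from the sandbox or the report. The input rows are
constructed from the report's 'Set value' tables: Healer's Defender policy
writes, the TamperProtection write, and the five wextract_cleanup RunOnce
entries. RegEvent, the function names and the finding labels are this
example's own conventions.
"""
import re
from collections import namedtuple

RegEvent = namedtuple("RegEvent", "key value process")

TMP = r"C:\Users\Admin\AppData\Local\Temp"
RTP = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
RUNONCE = r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
SAMPLE = TMP + r"\4ecff3dc18d6506e10f68491d58fc1ba31faf9493133c4279cd4fbb7e7929b16.exe"
HEALER = TMP + r"\IXP004.TMP\buPV92tZ96.exe"


def _cleanup(stage_dir):
    # The RunOnce value wextract writes so its staging directory is deleted
    # at next logon: rundll32 advpack.dll,DelNodeRunDLL32 "<dir>\"
    return ('rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 "'
            + TMP + '\\' + stage_dir + '\\"')


# Constructed from the report's rows (key paths shortened to HKLM\...).
EVENTS = [
    RegEvent(RTP + r"\DisableBehaviorMonitoring", "1", HEALER),
    RegEvent(RTP + r"\DisableIOAVProtection", "1", HEALER),
    RegEvent(RTP + r"\DisableOnAccessProtection", "1", HEALER),
    RegEvent(RTP + r"\DisableRealtimeMonitoring", "1", HEALER),
    RegEvent(RTP + r"\DisableScanOnRealtimeEnable", "1", HEALER),
    RegEvent(r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection", "0", HEALER),
    RegEvent(RUNONCE + r"\wextract_cleanup0", _cleanup("IXP000.TMP"), SAMPLE),
    RegEvent(RUNONCE + r"\wextract_cleanup1", _cleanup("IXP001.TMP"), TMP + r"\IXP000.TMP\plIU29XD06.exe"),
    RegEvent(RUNONCE + r"\wextract_cleanup2", _cleanup("IXP002.TMP"), TMP + r"\IXP001.TMP\plLP13qt01.exe"),
    RegEvent(RUNONCE + r"\wextract_cleanup3", _cleanup("IXP003.TMP"), TMP + r"\IXP002.TMP\plEt10Ra62.exe"),
    RegEvent(RUNONCE + r"\wextract_cleanup4", _cleanup("IXP004.TMP"), TMP + r"\IXP003.TMP\plZA95Ow98.exe"),
]

DEFENDER_RTP = re.compile(
    r"\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\(Disable\w+)$", re.I)
TAMPER = re.compile(r"\\Windows Defender\\Features\\TamperProtection$", re.I)
CLEANUP = re.compile(r"\\RunOnce\\wextract_cleanup(\d+)$", re.I)
# Captures the quoted directory, without the trailing backslash wextract adds.
DELNODE = re.compile(r'DelNodeRunDLL32\s+"([^"]+?)\\?"\s*$', re.I)


def classify(events):
    """Label each write: Defender policy disable, Tamper Protection off,
    or a wextract cleanup entry (staging-directory deletion, not persistence)."""
    findings = []
    for ev in events:
        m = DEFENDER_RTP.search(ev.key)
        if m and ev.value == "1":
            findings.append(("defender_policy_disable", m.group(1), ev.process))
        elif TAMPER.search(ev.key) and ev.value == "0":
            findings.append(("tamper_protection_off", "TamperProtection", ev.process))
        elif CLEANUP.search(ev.key):
            findings.append(("wextract_cleanup", CLEANUP.search(ev.key).group(1), ev.process))
    return findings


def drop_chain(events):
    """Rebuild the wextract nesting from the cleanup entries.

    wextract_cleanupN is written by the stage that extracted into the
    directory named in the value, so that stage is the parent of whatever
    ran from that directory. Returns [(n, writer, extracts_to)] in stage
    order and raises if a stage did not run from the previous stage's dir.
    """
    stages = {}
    for ev in events:
        m = CLEANUP.search(ev.key)
        if not m:
            continue
        d = DELNODE.search(ev.value)
        if not d:
            raise ValueError("unexpected cleanup command: " + ev.value)
        stages[int(m.group(1))] = (ev.process, d.group(1))
    chain = []
    for n in sorted(stages):
        writer, extracts_to = stages[n]
        if n > 0:
            if n - 1 not in stages:
                raise ValueError(f"cleanup{n - 1} missing, chain is not contiguous")
            prev_dir = stages[n - 1][1]
            if not writer.lower().startswith(prev_dir.lower() + "\\"):
                raise ValueError(f"stage {n} writer {writer} did not run from {prev_dir}")
        chain.append((n, writer, extracts_to))
    return chain


def final_stage_processes(events, chain):
    """Processes seen running from the last staging directory that wrote no
    cleanup entry of their own: the extracted payloads rather than another SFX."""
    last_dir = chain[-1][2].lower() + "\\"
    writers = {w.lower() for _, w, _ in chain}
    return sorted({ev.process for ev in events
                   if ev.process.lower().startswith(last_dir)
                   and ev.process.lower() not in writers})


if __name__ == "__main__":
    for label, detail, proc in classify(EVENTS):
        print(f"{label:24} {detail:28} {proc}")
    chain = drop_chain(EVENTS)
    for n, writer, extracts_to in chain:
        print(f"stage {n}: {writer} -> {extracts_to}")
    print("payloads:", final_stage_processes(EVENTS, chain))
```

Only `buPV92tZ96.exe` comes back as a final-stage process here because `casX13jF11.exe` wrote no registry values in this run; the "Executes dropped EXE" table is the place to see both.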
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plIU29XD06.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plLP13qt01.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEt10Ra62.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plZA95Ow98.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\casX13jF11.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4ecff3dc18d6506e10f68491d58fc1ba31faf9493133c4279cd4fbb7e7929b16.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPV92tZ96.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPV92tZ96.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPV92tZ96.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\casX13jF11.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4ecff3dc18d6506e10f68491d58fc1ba31faf9493133c4279cd4fbb7e7929b16.exe
"C:\Users\Admin\AppData\Local\Temp\4ecff3dc18d6506e10f68491d58fc1ba31faf9493133c4279cd4fbb7e7929b16.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plIU29XD06.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plIU29XD06.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plLP13qt01.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plLP13qt01.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEt10Ra62.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEt10Ra62.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plZA95Ow98.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plZA95Ow98.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPV92tZ96.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPV92tZ96.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\casX13jF11.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\casX13jF11.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | | tcp |
| RU | 193.233.20.24:4123 | | tcp |
| RU | 193.233.20.24:4123 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | | tcp |
| RU | 193.233.20.24:4123 | | tcp |
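The Network table mixes two things that should be triaged differently. The five `8.8.8.8:53` rows are reverse (PTR) lookups, and the names decode to the addresses the VM was resolving (52.167.17.97, 20.190.159.73, 192.229.221.95, 52.191.219.104, 52.111.236.22); check those against your own allowlist of Windows background traffic before treating them as indicators, since the report says nothing about what issued the lookups. The one endpoint the sample actually connected to, six times over TCP, is 193.233.20.24:4123; the report does not itself label it as RedLine C2, but it is the destination to block and hunt for. The following is an added example, not code from the sandbox or the report; its rows are constructed from the table above and `ptr_to_ip()`, `triage()` and `network_iocs()` are this example's own helpers.

```python
"""Triage the Network table of a sandbox report.

Added example, not code from the sandbox or the report. ROWS is constructed
from the report's Network table; the helper names are this example's own.
"""
import ipaddress
from collections import Counter

# Constructed from the report: (country, destination, domain, proto).
# The sandbox leaves the domain column empty for direct connections.
ROWS = [
    ("US", "8.8.8.8:53", "97.17.167.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "73.159.190.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("RU", "193.233.20.24:4123", "", "tcp"),
    ("US", "8.8.8.8:53", "104.219.191.52.in-addr.arpa", "udp"),
    ("RU", "193.233.20.24:4123", "", "tcp"),
    ("RU", "193.233.20.24:4123", "", "tcp"),
    ("RU", "193.233.20.24:4123", "", "tcp"),
    ("US", "8.8.8.8:53", "22.236.111.52.in-addr.arpa", "udp"),
    ("RU", "193.233.20.24:4123", "", "tcp"),
    ("RU", "193.233.20.24:4123", "", "tcp"),
]


def ptr_to_ip(name):
    """Decode a reverse-lookup name: '97.17.167.52.in-addr.arpa' -> '52.167.17.97'.
    Returns None for anything that is not a well-formed IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def triage(rows):
    """Split rows into (a) the addresses the host reverse-resolved and
    (b) direct connections counted per endpoint. Traffic to the resolver
    is not itself an indicator; the IPs inside the PTR names and the
    non-DNS endpoints are what to check."""
    resolved = []
    endpoints = Counter()
    for country, dest, domain, proto in rows:
        ip, _, port = dest.rpartition(":")
        if proto == "udp" and port == "53" and domain:
            resolved.append(ptr_to_ip(domain) or domain)
        else:
            endpoints[(country, ip, int(port), proto)] += 1
    return resolved, endpoints


def network_iocs(rows):
    """Endpoints worth blocking and hunting for: every non-DNS destination, as ip:port."""
    _, endpoints = triage(rows)
    return sorted({f"{ip}:{port}" for (_, ip, port, _) in endpoints})


if __name__ == "__main__":
    resolved, endpoints = triage(ROWS)
    print("reverse-resolved:", resolved)
    for (country, ip, port, proto), n in endpoints.items():
        print(f"{country} {ip}:{port}/{proto} x{n}")
    print("IOCs:", network_iocs(ROWS))
```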
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plIU29XD06.exe
| MD5 | 048f771b4353aa5fdbe6c7955373103c |
| SHA1 | 38ecfce70ebbed9eff0663ae03bf2d04c0fe6bb6 |
| SHA256 | c7714b31c9949bb74db0c3b827a4ce92e09d11079e060cab51bfa63eb5bb2e32 |
| SHA512 | f1aa442dcc3d38541f23b3d152c8ac34be546339d76f3e2cd73c79ac30e6e90828f4376889159b1c19901a8a933ffa753d08ff6937cdbff286435cf717800cd4 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plLP13qt01.exe
| MD5 | 0e2f5e078648c4f512c20edac192bdde |
| SHA1 | a38c856089eef1e57a896201eaef9f935efd66fb |
| SHA256 | 5ae1550cc463ec85b1f03764851d71d20d4c6504d543d7c54421f864ab3a095c |
| SHA512 | d93de06d5eccd547702247b3cfc97dffaf4935ec92d1cb48a7f18253bba2a439f1e133ca6078735f6036e1ff84d62250bad1de238b218516c754c97dbb6f2a0c |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEt10Ra62.exe
| MD5 | 967a6efc047ce2bfedd58205b16eb856 |
| SHA1 | f0631d821537eac91fc8acf9c9e164d1ebc385ac |
| SHA256 | 25899231646e6f9901c9ac86943c2332d92dd28bd333b409e2387f18e0a8d5a3 |
| SHA512 | 5683eafe53188f65669a7c609273381699b1538d7904dd4fc76a7b93a45004cdb1887ac161c211f0578e53e6ca8e2db08b64502bc252b7087c4eab037b33a31a |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plZA95Ow98.exe
| MD5 | 35eec148d062727beca64806452f66f2 |
| SHA1 | 5b7a974b429d5104051f4f7ab17f4da9cdae87e9 |
| SHA256 | 390d2fc4089b2666bfa9e5fc26c6006496a0fa16ba855dc251abf3de9103ad1a |
| SHA512 | 0687a63c853ee4a75fa3811550c92431c16443bfaa040fca1f5b2c02584856989aced5fef379c5ddf4b4bbaa222e3bd6e46b792c724c232a7ec7050fd90892fe |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPV92tZ96.exe
| MD5 | 606f1523d611ae09f551005f77292f89 |
| SHA1 | 898e7b0d71b8c3dc5cf76300ff7ab34d8179103f |
| SHA256 | 15707a4830f66bdef3567108793cdacb17a240955f8210d44bd6e1d6e9f5600d |
| SHA512 | 6cc318274ac9e74b0e52b7d6593b69c33043c192733ba158fddb70047e831b678d74687a3cc9d80ff3325c58c4190ad1a7461243de0acdb8c38b0aba487d3ec9 |
memory/1872-35-0x0000000000770000-0x000000000077A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\casX13jF11.exe
| MD5 | 1d723ff94958004611f8d9036d32a484 |
| SHA1 | 494b2b1df04dd00bd4a6582ca026b45ed1e26f5e |
| SHA256 | ce58c79e2d8396ebc000387ba86ec87273d28bd7dfa8310c49c59b22c7de42af |
| SHA512 | 9738bf0e92ad9b1f526a48a4262410186a961e0aa9e04ef1ecc4769b29d92339f46e331a65810ce72b27df319260ac8aba0636742690e95bc34f6d59fbf2ff61 |
memory/3732-41-0x0000000004AF0000-0x0000000004B36000-memory.dmp
memory/3732-42-0x0000000007240000-0x00000000077E4000-memory.dmp
memory/3732-43-0x0000000004CB0000-0x0000000004CF4000-memory.dmp
memory/3732-47-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/3732-61-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/3732-107-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/3732-105-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/3732-101-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/3732-99-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/3732-98-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/3732-95-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/3732-94-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/3732-91-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/3732-90-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/3732-87-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/3732-86-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/3732-83-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/3732-82-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/3732-79-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/3732-78-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/3732-75-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/3732-73-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/3732-71-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/3732-69-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/3732-67-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/3732-65-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/3732-64-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/3732-59-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/3732-58-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/3732-55-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/3732-53-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/3732-51-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/3732-49-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/3732-103-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/3732-45-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/3732-44-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/3732-950-0x0000000007800000-0x0000000007E18000-memory.dmp
memory/3732-951-0x0000000007EA0000-0x0000000007FAA000-memory.dmp
memory/3732-952-0x0000000007FE0000-0x0000000007FF2000-memory.dmp
memory/3732-953-0x0000000008100000-0x000000000813C000-memory.dmp
memory/3732-954-0x0000000008150000-0x000000000819C000-memory.dmp