Analysis Overview
SHA256
42deb78c561d66d8ab9d830092da3123f6ed6caf00d5f18c561292e33b5c1d00
Threat Level: Known bad
The file 42deb78c561d66d8ab9d830092da3123f6ed6caf00d5f18c561292e33b5c1d00 was found to be: Known bad.
Malicious Activity Summary
RedLine
Redline family
RedLine payload
Modifies Windows Defender Real-time Protection settings
Detects Healer an antivirus disabler dropper
Healer
Healer family
Windows security modification
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:55
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:55
Reported
2024-11-10 01:58
Platform
win10v2004-20241007-en
Max time kernel
144s
Max time network
149s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf41Ho75bt95.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf41Ho75bt95.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf41Ho75bt95.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf41Ho75bt95.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf41Ho75bt95.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf41Ho75bt95.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhuD4177rU.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf41Ho75bt95.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf57om03PF99.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf41Ho75bt95.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\42deb78c561d66d8ab9d830092da3123f6ed6caf00d5f18c561292e33b5c1d00.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhuD4177rU.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\42deb78c561d66d8ab9d830092da3123f6ed6caf00d5f18c561292e33b5c1d00.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhuD4177rU.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf57om03PF99.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf41Ho75bt95.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf41Ho75bt95.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf41Ho75bt95.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf57om03PF99.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\42deb78c561d66d8ab9d830092da3123f6ed6caf00d5f18c561292e33b5c1d00.exe
"C:\Users\Admin\AppData\Local\Temp\42deb78c561d66d8ab9d830092da3123f6ed6caf00d5f18c561292e33b5c1d00.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhuD4177rU.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhuD4177rU.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf41Ho75bt95.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf41Ho75bt95.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf57om03PF99.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf57om03PF99.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 193.233.20.27:4123 | N/A | tcp |
| RU | 193.233.20.27:4123 | N/A | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| RU | 193.233.20.27:4123 | N/A | tcp |
| RU | 193.233.20.27:4123 | N/A | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| RU | 193.233.20.27:4123 | N/A | tcp |
| RU | 193.233.20.27:4123 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhuD4177rU.exe
| MD5 | c45d272e9c03288c29f868654bc3dc58 |
| SHA1 | 358fe619181b013e297cb59a6707137f0ab23a08 |
| SHA256 | 9fb867b5cd98eb0dd0924ca8e14c5f9a1842daf0f6dfeb68c11f1f69bb04b5b0 |
| SHA512 | 99c976668d00811192b467486b495b66a908cee8b27f72d585ee047d28a1023c5cbe511e1e7aedd8206583b2e417b5767987c58edee2d25a0b233eec78e23553 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf41Ho75bt95.exe
| MD5 | e3d7138cfc827d8e118dc9cd38ebe29f |
| SHA1 | 114737f21a5ad482ea4622c64643139805b5dd4e |
| SHA256 | 110592072c1ec7230e3b37d9aa59f99e04a64540a015d42903d5f96c3b354492 |
| SHA512 | d8df79d01af58228c4ffba79b6e74ff1621a8558be8f25106422fb235ff9455aa02a11b90846032d1403c9431f9a185709eef900f8f82a6139c978e8d4346303 |
memory/4164-14-0x00007FFA892F3000-0x00007FFA892F5000-memory.dmp
memory/4164-15-0x0000000000FC0000-0x0000000000FCA000-memory.dmp
memory/4164-16-0x00007FFA892F3000-0x00007FFA892F5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf57om03PF99.exe
| MD5 | 79645f4c4f6de9b74ca0120b7a2ff217 |
| SHA1 | e093a94b5415be8ebbc90a52807b811eb339823e |
| SHA256 | cfa90800c04f1f257f52d7f8d63b001b37796b3f1da67b271d6c76feeda8306a |
| SHA512 | 13ae7f81ffa0ff1196334f870cdcaa7ac46be0bd6de36caceda5251b77a3dac0ccc8b33dc2ec7ca4a06bb96bf5017d68ea74ba373ebcdebf0e9318bb11803cd0 |
memory/4916-22-0x0000000004B20000-0x0000000004B66000-memory.dmp
memory/4916-23-0x00000000073D0000-0x0000000007974000-memory.dmp
memory/4916-24-0x0000000004CB0000-0x0000000004CF4000-memory.dmp
memory/4916-28-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/4916-37-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/4916-89-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/4916-86-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/4916-84-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/4916-82-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/4916-80-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/4916-78-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/4916-76-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/4916-72-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/4916-70-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/4916-68-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/4916-66-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/4916-64-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/4916-62-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/4916-60-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/4916-58-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/4916-56-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/4916-54-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/4916-52-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/4916-50-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/4916-48-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/4916-44-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/4916-42-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/4916-41-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/4916-38-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/4916-34-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/4916-32-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/4916-30-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/4916-74-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/4916-46-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/4916-26-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/4916-25-0x0000000004CB0000-0x0000000004CEE000-memory.dmp
memory/4916-931-0x0000000007980000-0x0000000007F98000-memory.dmp
memory/4916-932-0x0000000007FA0000-0x00000000080AA000-memory.dmp
memory/4916-933-0x0000000007300000-0x0000000007312000-memory.dmp
memory/4916-934-0x0000000007320000-0x000000000735C000-memory.dmp
memory/4916-935-0x0000000007370000-0x00000000073BC000-memory.dmp