Analysis Overview
SHA256
b738ba17caeb684a287e8eeef06b58491ec4f5884638f5ece5c2c3ff3402ad31
Threat Level: Known bad
The file b738ba17caeb684a287e8eeef06b58491ec4f5884638f5ece5c2c3ff3402ad31 was found to be: Known bad.
Malicious Activity Summary
Healer family
RedLine
Redline family
Healer
RedLine payload
Modifies Windows Defender Real-time Protection settings
Detects Healer an antivirus disabler dropper
Windows security modification
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 02:00
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 02:00
Reported
2024-11-10 02:03
Platform
win10v2004-20241007-en
Max time kernel
143s
Max time network
147s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a88506369.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a88506369.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a88506369.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a88506369.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a88506369.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a88506369.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07165178.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i02731761.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i04424487.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a88506369.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b90751529.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a88506369.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a88506369.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\b738ba17caeb684a287e8eeef06b58491ec4f5884638f5ece5c2c3ff3402ad31.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07165178.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i02731761.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i04424487.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07165178.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i02731761.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i04424487.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a88506369.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b90751529.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b738ba17caeb684a287e8eeef06b58491ec4f5884638f5ece5c2c3ff3402ad31.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a88506369.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a88506369.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\b738ba17caeb684a287e8eeef06b58491ec4f5884638f5ece5c2c3ff3402ad31.exe | "C:\Users\Admin\AppData\Local\Temp\b738ba17caeb684a287e8eeef06b58491ec4f5884638f5ece5c2c3ff3402ad31.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07165178.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07165178.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i02731761.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i02731761.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i04424487.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i04424487.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a88506369.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a88506369.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b90751529.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b90751529.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | N/A | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07165178.exe
| MD5 | 73afb85fae32c8efbaa1783c832b4492 |
| SHA1 | e6901e7cd0f2344d5972a088e185a7d6c1e4fccf |
| SHA256 | e9b44e280c080fe0af2d2718c3e860933e5ff441e3bfb08c70b7149f5274a2ba |
| SHA512 | 0958561c634381ae7da1abbc521083886909e6ffa03182ef8572e71a7078f877b5e71bcaa5038ef032111a587259d2785fcd6d1a3c438930114607cc54b9d736 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i02731761.exe
| MD5 | 1556ede41262cb667cdd144724ffe32f |
| SHA1 | 2f6dc3ff32fb786bdfe71866de03ae47795d4736 |
| SHA256 | fd63f1b65ecb3589171d98f90ea8b72c01f6a7c16224a510c908ccdc1f7cda7b |
| SHA512 | 93df7bfb1ebd7f515a334e52af0a7d849f2542d545211bcbb1206f2fab63a3522e08d27addb4692b5aa1621a17da3389ecae83b61193653cd286b3d5018c64f8 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i04424487.exe
| MD5 | dc1be587279a42bf105b2afdca794eef |
| SHA1 | 86c841b826435d5c2609d3cc62fa7ffe547e919e |
| SHA256 | 3990111324bedbc8ec76338862e8101c79e622a086cea603ff373984bb5951b3 |
| SHA512 | 33f4366bc9ac6a71ef99560a73f2518fa8599c70f0976bb6a33f27d61381fa9fb5be101959130188cf0a819ebbee30bf17ea9a0cc901075b43b0589904663970 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a88506369.exe
| MD5 | 5136724944e0d1aac02d2f68ea738433 |
| SHA1 | 1dba2353d3ab9dcdaad971c0c34405e0f4eeeaa7 |
| SHA256 | 18748152ba6ca527cef70a9350fa195815b21e24a5c0b094c599444aae6aecc3 |
| SHA512 | 756b6e168b07c295ea49af943c1e69638cb7819be9364e74ea8c7a443100e00642ee2875ff855c7925330d157f914299f93c0e0cdd29c692deb142b8edfef900 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b90751529.exe
| MD5 | 80b420b99ba9bd4f5b05d6b161012027 |
| SHA1 | 2f13e860262c89578fcda655f61decf8e2194ae5 |
| SHA256 | 8570647c7f7141f916f30b20cd83e26cc64662b399c6d21b3adc93bda9ead09f |
| SHA512 | 000a5954e227a68bf554023d344f838bdd98f16819ec2904488cb0ecc3c792e9f6dcc64e78cd7409e80abeb824aecd2f97820bedadd3dac494e3d7ed194816e8 |