Analysis Overview
SHA256
c6233181b20fcf23057144de45231deb58c24bcb503fda3b8d8e34d4a50ff314
Threat Level: Known bad
The file c6233181b20fcf23057144de45231deb58c24bcb503fda3b8d8e34d4a50ff314 was found to be: Known bad.
Malicious Activity Summary
Redline family
RedLine
RedLine payload
Healer family
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
Windows security modification
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 03:25
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 03:25
Reported
2024-11-10 03:28
Platform
win10v2004-20241007-en
Max time kernel
143s
Max time network
147s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buVf39Df34.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buVf39Df34.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buVf39Df34.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buVf39Df34.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buVf39Df34.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buVf39Df34.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(This row is repeated 35 times in the report: 35 RedLine payload hits, none with a recorded description, indicator, process or target.)
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pljw31LG71.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plxd97bI62.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plBd81sr51.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plcI56xG63.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buVf39Df34.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caGS19pj86.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buVf39Df34.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pljw31LG71.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plxd97bI62.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plBd81sr51.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plcI56xG63.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\c6233181b20fcf23057144de45231deb58c24bcb503fda3b8d8e34d4a50ff314.exe | N/A |
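Two things in the registry tables above are worth pulling out mechanically rather than reading row by row: the Real-Time Protection policy writes plus the Features\TamperProtection = "0" write (the Healer component switching Defender off), and the five wextract_cleanupN RunOnce entries, which are the footprint of nested wextract.exe (IExpress) self-extractors: each stage unpacks into %TEMP%\IXPnnn.TMP and registers a RunOnce entry that deletes that directory through advpack.dll's DelNodeRunDLL32. The WOW6432Node path shows the writers are 32-bit processes on the 64-bit VM. The script below is an added example, not part of the sandbox's tooling; it parses the report's pipe-delimited rows (copied verbatim as constructed input) and derives the set of protections disabled per process and the stage order of the drop chain. The row format, the RegEvent record and the classification rules are this example's own assumptions. Two caveats a practitioner should keep in mind: a wextract_cleanupN RunOnce entry is written by any IExpress package, legitimate installers included, so on its own it is packaging evidence, not a verdict; and the report records the Defender writes as attempted, not whether they took effect on the VM.

```python
"""Added example: derive Defender-tampering and the wextract drop chain from the
registry rows of this sandbox report. Not the sandbox's own tooling."""
import re
from typing import NamedTuple, Optional


class RegEvent(NamedTuple):
    action: str           # "Key created", "Set value (int)", "Set value (str)"
    path: str             # registry path; for Set value it ends in the value name
    data: Optional[str]   # value data as printed in the report, None for Key created
    process: str          # image path of the process that performed the write


# Constructed input: rows copied verbatim from the signature tables in this report.
REPORT_ROWS = r"""
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buVf39Df34.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buVf39Df34.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buVf39Df34.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buVf39Df34.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buVf39Df34.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buVf39Df34.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buVf39Df34.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pljw31LG71.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plxd97bI62.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plBd81sr51.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plcI56xG63.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\c6233181b20fcf23057144de45231deb58c24bcb503fda3b8d8e34d4a50ff314.exe | N/A |
"""

# Indicator cell of a Set value row: <path> = "<data>"
VALUE_RE = re.compile(r'^(?P<path>.+?) = "(?P<data>.*)"$')
RTP_POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
TAMPER_VALUE = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection"
CLEANUP_RE = re.compile(r"\\wextract_cleanup(\d+)$", re.IGNORECASE)
IXP_RE = re.compile(r"IXP(\d{3})\.TMP", re.IGNORECASE)


def parse_rows(text: str) -> list:
    """Turn '| action | indicator | process | target |' rows into RegEvent records."""
    events = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3:
            continue
        action, indicator, process = cells[:3]
        m = VALUE_RE.match(indicator)
        if m:
            events.append(RegEvent(action, m["path"], m["data"], process))
        else:
            events.append(RegEvent(action, indicator, None, process))
    return events


def defender_tampering(events) -> dict:
    """Map each writing process to the Defender protections it set to the off state.
    Disable* = 1 under the Real-Time Protection policy key turns that feature off;
    TamperProtection = 0 is not the documented on value (5), so it is treated as off."""
    hits = {}
    for ev in events:
        if not ev.action.startswith("Set value"):
            continue
        parent, _, name = ev.path.rpartition("\\")
        policy_off = (parent.lower() == RTP_POLICY_KEY.lower()
                      and name.lower().startswith("disable") and ev.data == "1")
        tamper_off = ev.path.lower() == TAMPER_VALUE.lower() and ev.data == "0"
        if policy_off or tamper_off:
            hits.setdefault(ev.process, []).append(name)
    return hits


def wextract_chain(events) -> list:
    """Return [(stage, extractor_image, extraction_dir_index)] sorted by stage number.
    Each wextract_cleanupN entry names the process that unpacked a stage and, in its
    DelNodeRunDLL32 argument, the IXPnnn.TMP directory the next stage runs from."""
    stages = []
    for ev in events:
        m = CLEANUP_RE.search(ev.path)
        if not m or "DelNodeRunDLL32" not in (ev.data or ""):
            continue
        d = IXP_RE.search(ev.data)
        if d:
            stages.append((int(m.group(1)), ev.process, int(d.group(1))))
    return sorted(stages)


def chain_is_nested(chain) -> bool:
    """True when every stage after the first runs from the directory the previous stage unpacked."""
    for (_, image, _), (_, _, prev_dir) in zip(chain[1:], chain):
        d = IXP_RE.search(image)
        if d is None or int(d.group(1)) != prev_dir:
            return False
    return True


if __name__ == "__main__":
    evs = parse_rows(REPORT_ROWS)
    for proc, names in defender_tampering(evs).items():
        print(f"{proc} disabled: {', '.join(names)}")
    ch = wextract_chain(evs)
    for stage, image, dir_idx in ch:
        print(f"stage {stage}: {image} -> IXP{dir_idx:03d}.TMP")
    print("nested chain:", chain_is_nested(ch))
```

Run stand-alone it prints one process (IXP004.TMP\buVf39Df34.exe) with six protections switched off and a five-stage chain, stage 0 being the submitted sample and stage 4 running from IXP003.TMP. The chain ends at IXP004.TMP, which "Executes dropped EXE" shows holds both buVf39Df34.exe and caGS19pj86.exe; the report has no cleanup5, so those two are the final payloads rather than further extractors.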
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c6233181b20fcf23057144de45231deb58c24bcb503fda3b8d8e34d4a50ff314.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pljw31LG71.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plxd97bI62.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plBd81sr51.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plcI56xG63.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caGS19pj86.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buVf39Df34.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buVf39Df34.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buVf39Df34.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caGS19pj86.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\c6233181b20fcf23057144de45231deb58c24bcb503fda3b8d8e34d4a50ff314.exe | "C:\Users\Admin\AppData\Local\Temp\c6233181b20fcf23057144de45231deb58c24bcb503fda3b8d8e34d4a50ff314.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pljw31LG71.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pljw31LG71.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plxd97bI62.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plxd97bI62.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plBd81sr51.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plBd81sr51.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plcI56xG63.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plcI56xG63.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buVf39Df34.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buVf39Df34.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caGS19pj86.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caGS19pj86.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| FR | 193.56.146.11:4162 | | tcp |
| FR | 193.56.146.11:4162 | | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| FR | 193.56.146.11:4162 | | tcp |
| FR | 193.56.146.11:4162 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| FR | 193.56.146.11:4162 | | tcp |
| FR | 193.56.146.11:4162 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pljw31LG71.exe
| MD5 | e171d9b0426d2e7ae0b8a009af0d5b3b |
| SHA1 | c210ba65a018b49d445b94d5387cad33c980314a |
| SHA256 | 88937f0d4f1c18d0ab41039e560e594cf9845a1d806a60bdec9856c3a5af1185 |
| SHA512 | 2c7aaf58f16b804585e61caa3da2e4013ab27759c9ee6a46f9cb8f0fce7d13458668d71bc2834b9189e2b906018dc9df2943776c91aaa4c078f6caaaab400ffe |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plxd97bI62.exe
| MD5 | 095ea059e0107fccf798d8b232c0a478 |
| SHA1 | 2634296747b15d9984a15ded6a3e0d696c3387b1 |
| SHA256 | e7b0a04e7d99d719cffc1ae61278222e03830e56564bc0e405db2f8327a245ae |
| SHA512 | ee162b0a7a71b42e240ea935d89d6aeb500f0abd812ab196ad2980315a159a7bf7c3894f2ab94261987fc36f158cfdf68da2c13aeabacfe40ef764029645ff75 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plBd81sr51.exe
| MD5 | b488f9aa186d5ebcb4300ed26036e249 |
| SHA1 | eb92e8fee9a59df1bfa438dc428834fa6925f53b |
| SHA256 | 3be5bb8b8ffe6d99ad05a23e0f97d8c3961b3898fa1e563b014679ea31592862 |
| SHA512 | 1cc987e5a67773c718f23654716f54e34353a2ecb68c4cf2721a160b461b156a3401ab00ea02f704297362e0ed1ad113e73a046ac209ec8152d5f97d9e3708f4 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plcI56xG63.exe
| MD5 | 636111ffc679028ef4b395b5c0fb5e11 |
| SHA1 | b7af1be3ad476d6a551e997ea58d0eb40ba4e93c |
| SHA256 | 15c569d673c0d15d2df894a25ea3f1dde3679418756a3b3f9071efb60e6a6bb5 |
| SHA512 | 3db813fdb1b462192ab0f387c3e5f087e499b4f8f006109ff0099bcc5ef4d6cb7f2859aef4f7de74fab244f04bd114ec77bc3a9665f448bc91dda8578eaa4c50 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buVf39Df34.exe
| MD5 | c3b47a80a28cc450754a883d9fdaf65b |
| SHA1 | 870df201d57239320785b315f654efab12dc6a6a |
| SHA256 | 901855ba1e6be580ef17e205d406292ad7e2292513234a7e1754b26e815e5e01 |
| SHA512 | 8659d725eaf314c62451bbd6ad1a549190f8000a05c56c2e87002861bc1855839c5206f3befdee36989f8d62b1f27d7b2f86c4110c6a2ac265bfde9dfe35da15 |
memory/1148-35-0x00000000000E0000-0x00000000000EA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caGS19pj86.exe
| MD5 | 57b4e73c1d36751cb60a4d2e68594087 |
| SHA1 | 0e371eaad20ebbb81735876f0f1703adee193117 |
| SHA256 | 39f6bf6cf9f7bfba26380635a4b052c5de0e1688c92bacc10411dad74886dd25 |
| SHA512 | e5e81ce16ccd679b95cde5e1db79b62fe878d8c5e27d217bf0605433f47626261756b6b7da870333233023b1e8ea30af07af395b9078a7dd1c72834c254e279c |
memory/2004-41-0x0000000004C20000-0x0000000004C66000-memory.dmp
memory/2004-42-0x0000000007190000-0x0000000007734000-memory.dmp
memory/2004-43-0x0000000007780000-0x00000000077C4000-memory.dmp
memory/2004-51-0x0000000007780000-0x00000000077BE000-memory.dmp
memory/2004-65-0x0000000007780000-0x00000000077BE000-memory.dmp
memory/2004-107-0x0000000007780000-0x00000000077BE000-memory.dmp
memory/2004-103-0x0000000007780000-0x00000000077BE000-memory.dmp
memory/2004-101-0x0000000007780000-0x00000000077BE000-memory.dmp
memory/2004-99-0x0000000007780000-0x00000000077BE000-memory.dmp
memory/2004-97-0x0000000007780000-0x00000000077BE000-memory.dmp
memory/2004-93-0x0000000007780000-0x00000000077BE000-memory.dmp
memory/2004-91-0x0000000007780000-0x00000000077BE000-memory.dmp
memory/2004-89-0x0000000007780000-0x00000000077BE000-memory.dmp
memory/2004-87-0x0000000007780000-0x00000000077BE000-memory.dmp
memory/2004-85-0x0000000007780000-0x00000000077BE000-memory.dmp
memory/2004-81-0x0000000007780000-0x00000000077BE000-memory.dmp
memory/2004-79-0x0000000007780000-0x00000000077BE000-memory.dmp
memory/2004-77-0x0000000007780000-0x00000000077BE000-memory.dmp
memory/2004-75-0x0000000007780000-0x00000000077BE000-memory.dmp
memory/2004-73-0x0000000007780000-0x00000000077BE000-memory.dmp
memory/2004-71-0x0000000007780000-0x00000000077BE000-memory.dmp
memory/2004-69-0x0000000007780000-0x00000000077BE000-memory.dmp
memory/2004-67-0x0000000007780000-0x00000000077BE000-memory.dmp
memory/2004-63-0x0000000007780000-0x00000000077BE000-memory.dmp
memory/2004-61-0x0000000007780000-0x00000000077BE000-memory.dmp
memory/2004-59-0x0000000007780000-0x00000000077BE000-memory.dmp
memory/2004-57-0x0000000007780000-0x00000000077BE000-memory.dmp
memory/2004-55-0x0000000007780000-0x00000000077BE000-memory.dmp
memory/2004-53-0x0000000007780000-0x00000000077BE000-memory.dmp
memory/2004-49-0x0000000007780000-0x00000000077BE000-memory.dmp
memory/2004-106-0x0000000007780000-0x00000000077BE000-memory.dmp
memory/2004-95-0x0000000007780000-0x00000000077BE000-memory.dmp
memory/2004-83-0x0000000007780000-0x00000000077BE000-memory.dmp
memory/2004-47-0x0000000007780000-0x00000000077BE000-memory.dmp
memory/2004-45-0x0000000007780000-0x00000000077BE000-memory.dmp
memory/2004-44-0x0000000007780000-0x00000000077BE000-memory.dmp
memory/2004-950-0x0000000007800000-0x0000000007E18000-memory.dmp
memory/2004-951-0x0000000007EA0000-0x0000000007FAA000-memory.dmp
memory/2004-952-0x0000000007FE0000-0x0000000007FF2000-memory.dmp
memory/2004-953-0x0000000008000000-0x000000000803C000-memory.dmp
memory/2004-954-0x0000000008150000-0x000000000819C000-memory.dmp