Analysis Overview
SHA256
2e91f153c8cb771ed52dc1ad721658cb5ab364caf96b6064a695bcef31719a95
Threat Level: Known bad
The file 2e91f153c8cb771ed52dc1ad721658cb5ab364caf96b6064a695bcef31719a95N was found to be: Known bad.
Malicious Activity Summary
Redline family
Detects Healer an antivirus disabler dropper
RedLine
Healer
Healer family
RedLine payload
Modifies Windows Defender Real-time Protection settings
Windows security modification
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 05:53
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 05:53
Reported
2024-11-11 05:56
Platform
win10v2004-20241007-en
Max time kernel
142s
Max time network
151s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\buIQ20re10.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\buIQ20re10.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\buIQ20re10.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\buIQ20re10.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\buIQ20re10.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\buIQ20re10.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pldC82om58.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plWS05BD42.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\buIQ20re10.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\caEj05Je95.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\buIQ20re10.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\2e91f153c8cb771ed52dc1ad721658cb5ab364caf96b6064a695bcef31719a95N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pldC82om58.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plWS05BD42.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2e91f153c8cb771ed52dc1ad721658cb5ab364caf96b6064a695bcef31719a95N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pldC82om58.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plWS05BD42.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\caEj05Je95.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\buIQ20re10.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\buIQ20re10.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\buIQ20re10.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\caEj05Je95.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2e91f153c8cb771ed52dc1ad721658cb5ab364caf96b6064a695bcef31719a95N.exe
"C:\Users\Admin\AppData\Local\Temp\2e91f153c8cb771ed52dc1ad721658cb5ab364caf96b6064a695bcef31719a95N.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pldC82om58.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pldC82om58.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plWS05BD42.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plWS05BD42.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\buIQ20re10.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\buIQ20re10.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\caEj05Je95.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\caEj05Je95.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| RU | 193.233.20.24:4123 | N/A | tcp |
| RU | 193.233.20.24:4123 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pldC82om58.exe
| MD5 | 154b755ed8b39e209b21102819a53c69 |
| SHA1 | 40cf66e793d4321766fe1946c8a26276e9ce159d |
| SHA256 | 93a76a6ba05223c90c8e56f659962b5faceaa6d80793eb4f74be69873685a37e |
| SHA512 | fc2ada576d455e3906b15ae0b8ff1ca34b14d3ac3c3ad251c7a534b37cce7993757b24f7eb73fcfc0674a747c84b7cb844fde435db2cbf19d1ceb515b3885982 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plWS05BD42.exe
| MD5 | 8fbd7bb022b564856a8c878af221b119 |
| SHA1 | 1b29df15d831b2659a8b5a93cb2287c3698dda04 |
| SHA256 | 24234c78ad8fa53dc5800a8da9d00aff435cf521ec02104ded757d413daf33d3 |
| SHA512 | bad0ea94a84d32d64573de8b54e4d3cb5e092d07a683d4527d6efdba26a4a1505048c435fbe2b60c20752e0332bd9a91fe08972210d5ea0cf6d11d0c275042ed |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\buIQ20re10.exe
| MD5 | d83a07b6f1e657e333f9cec7f6b82600 |
| SHA1 | 628186840068d99e54dc9147a951b5d1a1ab48a8 |
| SHA256 | 3ed120337dc52133093f34e4faa0a6ad23c688669f9b82ec4cb78f45a6a4346f |
| SHA512 | 7ceb69f448dacdafc620d64ddaefeacda0a3af8316dc98262366bf8b583b8d7bb3710c22c6338a3e4b92f3062b6b9f1628d5aa461729cf5d7e84447ab8f2dbc8 |
memory/764-21-0x00007FFF2A923000-0x00007FFF2A925000-memory.dmp
memory/764-22-0x0000000000F60000-0x0000000000F6A000-memory.dmp
memory/764-23-0x00007FFF2A923000-0x00007FFF2A925000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\caEj05Je95.exe
| MD5 | 049b7e9c3b3777fd130ad01127cd8268 |
| SHA1 | 7f56ea5b4e7029a2da226d899ddfce99ff960e0f |
| SHA256 | aff2553c6b6d9a7f84838eb4a2b47cbb3891e122ba04e305c020e68b27847b68 |
| SHA512 | d89cdb1b58ceb4d9b83ab498fc69e5c423b9f44ea2eb24a07b860a6594462899cb1d08e5427dd57473fa2b15d233744f7f7e9fd5f7ae082387a0072c278e0aa1 |