Analysis Overview
SHA256
d53b0c47296790e301ccc8bc3817ff5e1e1d56c75cc808a9dff24d95ed0bc78c
Threat Level: Known bad
The file d53b0c47296790e301ccc8bc3817ff5e1e1d56c75cc808a9dff24d95ed0bc78c was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
Redline family
Detects Healer, an antivirus disabler dropper
Executes dropped EXE
Windows security modification
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 05:53
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 05:53
Reported
2024-11-11 05:56
Platform
win10v2004-20241007-en
Max time kernel
144s
Max time network
148s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\ipE24Qc02.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\ipE24Qc02.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\ipE24Qc02.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\ipE24Qc02.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\ipE24Qc02.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\ipE24Qc02.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmbk86pr01.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmZD91di44.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmzr97DT74.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmdp51OZ43.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\vmcJ24Fb63.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\ipE24Qc02.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\kBo90IF85.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\ipE24Qc02.exe | N/A |
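The two registry tables above (the five Real-Time Protection policy values set to 1 and TamperProtection set to 0, all written by ipE24Qc02.exe) are the highest-fidelity host signal in this report. The following detection logic is an added example, not part of the sandbox report: it classifies records shaped like Sysmon Event ID 13 (RegistryEvent: Value Set) and groups findings by the writing process, so one admin script touching a single value does not fire while a process that flips several values in a row does. The sample events are constructed here; the field names (EventType, TargetObject, Details, Image) follow Sysmon, and the threshold of two distinct findings is an assumption. One caveat: on a host where Tamper Protection is actually enforced, writing these values does not turn Defender off, but the attempt is still worth alerting on.

```python
"""Detect Defender-tampering registry writes of the kind this report records.

Added example, not part of the sandbox report. Input records are constructed
below in the shape of Sysmon Event ID 13 (RegistryEvent: Value Set), using the
keys that ipE24Qc02.exe wrote in the detonation.
"""
import re

# Policy values that, when set to 1, turn off a Defender protection component.
# Taken from the report's "Modifies Windows Defender Real-time Protection settings" table.
POLICY_ROOT = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
DISABLE_VALUES = {
    r"Real-Time Protection\DisableRealtimeMonitoring",
    r"Real-Time Protection\DisableBehaviorMonitoring",
    r"Real-Time Protection\DisableIOAVProtection",
    r"Real-Time Protection\DisableOnAccessProtection",
    r"Real-Time Protection\DisableScanOnRealtimeEnable",
}
# Non-policy value the sample also wrote; 0 means "off".
TAMPER_VALUE = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection"

# Sysmon renders DWORD data as "DWORD (0x00000001)".
_DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")


def _dword(details):
    m = _DWORD_RE.fullmatch(details.strip())
    return int(m.group(1), 16) if m else None


def _normalize(target):
    # The sandbox writes \REGISTRY\MACHINE\..., Sysmon writes HKLM\...; accept both.
    return re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", target, flags=re.IGNORECASE)


def classify(event):
    """Return a finding string for one Sysmon EID 13 record, or None if benign."""
    if event.get("EventType") != "SetValue":
        return None
    target = _normalize(event["TargetObject"])
    value = _dword(event.get("Details", ""))
    if value is None:
        return None
    low = target.lower()
    if low.startswith(POLICY_ROOT.lower() + "\\"):
        rel = target[len(POLICY_ROOT) + 1:]
        if rel.lower() in {v.lower() for v in DISABLE_VALUES} and value == 1:
            return "defender_policy_disable:" + rel.rsplit("\\", 1)[-1]
    if low == TAMPER_VALUE.lower() and value == 0:
        return "defender_tamper_protection_off"
    return None


def tampering_processes(events, threshold=2):
    """Group findings by writing image; keep images with >= threshold distinct findings.

    A single write can be an admin script; this sample sets six values in a row,
    so requiring several distinct findings from one image cuts noise.
    """
    by_image = {}
    for ev in events:
        finding = classify(ev)
        if finding:
            by_image.setdefault(ev["Image"], set()).add(finding)
    return {img: sorted(fs) for img, fs in by_image.items() if len(fs) >= threshold}


# Constructed sample events (shaped like Sysmon EID 13; not taken from a real log).
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\ipE24Qc02.exe"
SAMPLE_EVENTS = [
    {"EventType": "SetValue", "Image": DROPPER, "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"},
    {"EventType": "SetValue", "Image": DROPPER, "Details": "DWORD (0x00000001)",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring"},
    {"EventType": "SetValue", "Image": DROPPER, "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection"},
    # Benign: an admin re-enabling real-time monitoring (value 0) from PowerShell.
    {"EventType": "SetValue", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"},
    # Same hive, different key: not one of the disable switches.
    {"EventType": "SetValue", "Image": DROPPER, "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\C:\foo"},
]

if __name__ == "__main__":
    for image, findings in tampering_processes(SAMPLE_EVENTS).items():
        print(image, findings)
```

Run against real Sysmon data, feed every EID 13 record with EventType SetValue into tampering_processes; the image that comes back with several findings is the one to pull from disk before the wextract cleanup entries delete its directory.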
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\d53b0c47296790e301ccc8bc3817ff5e1e1d56c75cc808a9dff24d95ed0bc78c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmbk86pr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmZD91di44.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmzr97DT74.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmdp51OZ43.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\vmcJ24Fb63.exe | N/A |
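The RunOnce entries in the table above are not persistence in the usual sense: wextract_cleanup0 through wextract_cleanup5 are the standard cleanup hook of the Windows self-extractor (wextract/IExpress), and each one deletes the IXP00N.TMP stage directory via advpack.dll,DelNodeRunDLL32 at the next logon. The chain IXP000 to IXP005 therefore shows six nested self-extractor stages, and the dropped files will be gone after a reboot, so they must be collected before then. The code below is an added example, not part of the sandbox report: it reconstructs the stage chain from process-creation records (shape of Sysmon Event ID 1) and separates wextract cleanup RunOnce values from RunOnce values that would actually launch something. The process tree is constructed from the report's Processes list; the parent/child order is an assumption inferred from the IXP numbering and from which process wrote each cleanup value, and the "Updater" RunOnce entry is a constructed contrast case.

```python
"""Reconstruct a nested wextract (IExpress SFX) chain and classify its RunOnce entries.

Added example, not part of the sandbox report. Process records are constructed
in the shape of Sysmon EID 1 (Image, ParentImage); parent/child order is inferred
from the IXP000..IXP005 numbering, which the report does not state explicitly.
"""
import re

# wextract extracts each stage to %TEMP%\IXP<nnn>.TMP\ and registers
# RunOnce\wextract_cleanup<n> to delete that directory at next logon.
IXP_DIR_RE = re.compile(r"\\Temp\\(IXP\d{3}\.TMP)\\", re.IGNORECASE)
CLEANUP_RE = re.compile(
    r'^rundll32\.exe\s+.*advpack\.dll,DelNodeRunDLL32\s+"([^"]+)"\s*$', re.IGNORECASE)


def stage_dir(path):
    """Return the IXPnnn.TMP directory name a path lives in, or None."""
    m = IXP_DIR_RE.search(path)
    return m.group(1).upper() if m else None


def sfx_chains(proc_events):
    """Walk Image -> ParentImage links; return the maximal stage chains, longest first.

    A chain is a list of images, each in an IXP directory and each spawned by the
    previous one. Legitimate IExpress packages rarely nest more than once; a depth
    of three or more is the shape of this sample.
    """
    parent_of = {e["Image"]: e["ParentImage"] for e in proc_events}
    chains = []
    for image in parent_of:
        if stage_dir(image) is None:
            continue
        chain, cur = [image], image
        while parent_of.get(cur) and stage_dir(parent_of[cur]):
            cur = parent_of[cur]
            chain.append(cur)
        chains.append(list(reversed(chain)))
    # drop chains that are a strict prefix of a longer one
    maximal = [c for c in chains
               if not any(len(o) > len(c) and o[:len(c)] == c for o in chains)]
    return sorted(maximal, key=len, reverse=True)


def cleanup_targets(runonce_values):
    """Map RunOnce value name -> directory that wextract's cleanup entry will delete.

    Values that do not match the cleanup shape are ignored here; a RunOnce value
    that launches a payload belongs to a separate persistence check.
    """
    out = {}
    for name, cmd in runonce_values.items():
        m = CLEANUP_RE.match(cmd)
        if m:
            out[name] = m.group(1)
    return out


# Constructed records built from the report's Processes list.
T = r"C:\Users\Admin\AppData\Local\Temp"
ROOT = T + r"\d53b0c47296790e301ccc8bc3817ff5e1e1d56c75cc808a9dff24d95ed0bc78c.exe"
STAGES = [r"\IXP000.TMP\vmbk86pr01.exe", r"\IXP001.TMP\vmZD91di44.exe",
          r"\IXP002.TMP\vmzr97DT74.exe", r"\IXP003.TMP\vmdp51OZ43.exe",
          r"\IXP004.TMP\vmcJ24Fb63.exe"]
PROCS = [{"Image": ROOT, "ParentImage": r"C:\Windows\explorer.exe"}]
parent = ROOT
for s in STAGES:
    PROCS.append({"Image": T + s, "ParentImage": parent})
    parent = T + s
# The IXP005 stage drops two executables (assumed both spawned by vmcJ24Fb63.exe).
for s in (r"\IXP005.TMP\ipE24Qc02.exe", r"\IXP005.TMP\kBo90IF85.exe"):
    PROCS.append({"Image": T + s, "ParentImage": parent})

# RunOnce values as the report shows them, plus one constructed non-cleanup entry.
CLEANUP_CMD = r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "%s\IXP%03d.TMP\"'
RUNONCE = {"wextract_cleanup%d" % i: CLEANUP_CMD % (T, i) for i in range(6)}
RUNONCE["Updater"] = r"C:\Users\Admin\AppData\Roaming\svc.exe"  # constructed: real persistence

if __name__ == "__main__":
    for chain in sfx_chains(PROCS):
        print("depth", len(chain), "->", chain[-1])
    for name, target in cleanup_targets(RUNONCE).items():
        print(name, "deletes", target)
```

The directories returned by cleanup_targets are the ones to image or copy out before the host is rebooted; anything left in RUNONCE after removing those keys is a candidate for genuine persistence and should be examined separately.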
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d53b0c47296790e301ccc8bc3817ff5e1e1d56c75cc808a9dff24d95ed0bc78c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmbk86pr01.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmZD91di44.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmzr97DT74.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmdp51OZ43.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\vmcJ24Fb63.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\kBo90IF85.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\ipE24Qc02.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\ipE24Qc02.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\ipE24Qc02.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\kBo90IF85.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d53b0c47296790e301ccc8bc3817ff5e1e1d56c75cc808a9dff24d95ed0bc78c.exe
"C:\Users\Admin\AppData\Local\Temp\d53b0c47296790e301ccc8bc3817ff5e1e1d56c75cc808a9dff24d95ed0bc78c.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmbk86pr01.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmbk86pr01.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmZD91di44.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmZD91di44.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmzr97DT74.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmzr97DT74.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmdp51OZ43.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmdp51OZ43.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\vmcJ24Fb63.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\vmcJ24Fb63.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\ipE24Qc02.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\ipE24Qc02.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\kBo90IF85.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\kBo90IF85.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | | tcp |
| RU | 193.233.20.24:4123 | | tcp |
| RU | 193.233.20.24:4123 | | tcp |
| RU | 193.233.20.24:4123 | | tcp |
| RU | 193.233.20.24:4123 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmbk86pr01.exe
| MD5 | 135fe05769fde4811b7b82f9e6953898 |
| SHA1 | 801e3f4cb9f2de8d6f23eef1ae3ad27144a10ea3 |
| SHA256 | 2cad8389ef3e318f85a1d1e510d6c82deeaa03bfb5d426da75b7b444bf738d88 |
| SHA512 | 17942df4a59e79c301623b779872c05a76650c78da0c4901fae612e42bf7159d5e67a814b8d84d9405aa83acf408cb02a4ce99fd89d19d85b7ac4b459378b9d8 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmZD91di44.exe
| MD5 | 3b64502135251765957881b1004f2d64 |
| SHA1 | 060d2dd0a7c40cde8caabb5b38c2403a9e7c99fe |
| SHA256 | cc67a326deaa7036f1f44ff3753179663f88454c1fa3cdb5f4a28c7bb42d2f85 |
| SHA512 | 3901f0f0420009505fc2d859f7206b85da0fe69fc0428fb19a9ce9c4cff506f7925ee4f45113091aacc3ddf006ba5bdbb4f6ce33eaab5665db615ddcd9d1edde |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmzr97DT74.exe
| MD5 | 17ac80398b34da162fcf7ecc0f763a74 |
| SHA1 | 57f754d8f66f40b8ca4b622c8c299cba227a92fa |
| SHA256 | 43b68ab76dba1942f8344df6654135bc7facadd20c2527a1c171701881a00408 |
| SHA512 | e2cc6e6d73c586bc29df7c56e8273ca8eae4f24e721a0e89395f6652455750fb97a47bb22f1d4518bfcf51f2a269f0b23097515687a7d4cf3b0261a303eb1b20 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmdp51OZ43.exe
| MD5 | e1c71f8c38c51f2f332db4caf005c06e |
| SHA1 | 5df276c470d78409865ff1249099690db78ba353 |
| SHA256 | ed6980bdebcb54e868e3250bdc35d082929e40b7b7ad0c01cd03ea08da24cb74 |
| SHA512 | 3004a93f81a46636acdcabdca50d2237147011060e9e54923be71c114d988aee93d9518fa6d10dda2ef3a18477422f084db40b5a9312dec863fd46237e21922c |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\vmcJ24Fb63.exe
| MD5 | 24a2060d275d7173342b0d49ed77f92f |
| SHA1 | 30eb51d998c07243eb6ea19012437d714ec761d3 |
| SHA256 | f1a0d48198c0943b4a3acc02a3dbf1c961bef2882e5ad10f6582be0cfee8cbca |
| SHA512 | 81006cb25e283eceb23047f71bec7d1e29d9fc59a98b6b933bb9686ea02c1d5740438a3c3fc0ac06bfa6b27d23e910fb607de9baa2b13c43dfed2a07d9f8b260 |
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\ipE24Qc02.exe
| MD5 | fbae6642738fc0259a38c805b2e77afe |
| SHA1 | e4fe779f4c01964757936b503ca9bb2ce0c08217 |
| SHA256 | 281b0349ecf48ce797a70455c9b129bdbaea6c82c98c39b15dc9e910665cbf02 |
| SHA512 | 0cf14499698a6b625eee336a142e6e7ab2e4cf5121d8fb9682824b5c95e754f84b22bc7a6ad29138dff5f2654d3d2d380f64825de2eb95153e903f4f6454edb4 |
memory/2600-42-0x0000000000260000-0x000000000026A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\kBo90IF85.exe
| MD5 | c8e450f5bf2b3be41a6329bb78242bf2 |
| SHA1 | 2a1388a51884b8025366ec0cc90aa168eaf28ecb |
| SHA256 | b897fedfd41567133a1c697a0a6d9ccc1ad81d6a21daa8dc0ec92f23991178ac |
| SHA512 | e3cf75058db2a5817d11b534a1b142ea71f4cdff4cd6c9e553ba9e4bbca52dba58461023dd17ebc0cd50942e4e0677640910790e11aefe51009f05bd4b760d9e |
memory/212-48-0x0000000004C20000-0x0000000004C66000-memory.dmp
memory/212-49-0x00000000072A0000-0x0000000007844000-memory.dmp
memory/212-50-0x00000000071B0000-0x00000000071F4000-memory.dmp
memory/212-68-0x00000000071B0000-0x00000000071EE000-memory.dmp
memory/212-70-0x00000000071B0000-0x00000000071EE000-memory.dmp
memory/212-114-0x00000000071B0000-0x00000000071EE000-memory.dmp
memory/212-110-0x00000000071B0000-0x00000000071EE000-memory.dmp
memory/212-108-0x00000000071B0000-0x00000000071EE000-memory.dmp
memory/212-106-0x00000000071B0000-0x00000000071EE000-memory.dmp
memory/212-104-0x00000000071B0000-0x00000000071EE000-memory.dmp
memory/212-102-0x00000000071B0000-0x00000000071EE000-memory.dmp
memory/212-100-0x00000000071B0000-0x00000000071EE000-memory.dmp
memory/212-98-0x00000000071B0000-0x00000000071EE000-memory.dmp
memory/212-96-0x00000000071B0000-0x00000000071EE000-memory.dmp
memory/212-94-0x00000000071B0000-0x00000000071EE000-memory.dmp
memory/212-92-0x00000000071B0000-0x00000000071EE000-memory.dmp
memory/212-90-0x00000000071B0000-0x00000000071EE000-memory.dmp
memory/212-88-0x00000000071B0000-0x00000000071EE000-memory.dmp
memory/212-86-0x00000000071B0000-0x00000000071EE000-memory.dmp
memory/212-82-0x00000000071B0000-0x00000000071EE000-memory.dmp
memory/212-80-0x00000000071B0000-0x00000000071EE000-memory.dmp
memory/212-78-0x00000000071B0000-0x00000000071EE000-memory.dmp
memory/212-76-0x00000000071B0000-0x00000000071EE000-memory.dmp
memory/212-75-0x00000000071B0000-0x00000000071EE000-memory.dmp
memory/212-72-0x00000000071B0000-0x00000000071EE000-memory.dmp
memory/212-66-0x00000000071B0000-0x00000000071EE000-memory.dmp
memory/212-64-0x00000000071B0000-0x00000000071EE000-memory.dmp
memory/212-63-0x00000000071B0000-0x00000000071EE000-memory.dmp
memory/212-60-0x00000000071B0000-0x00000000071EE000-memory.dmp
memory/212-59-0x00000000071B0000-0x00000000071EE000-memory.dmp
memory/212-56-0x00000000071B0000-0x00000000071EE000-memory.dmp
memory/212-54-0x00000000071B0000-0x00000000071EE000-memory.dmp
memory/212-112-0x00000000071B0000-0x00000000071EE000-memory.dmp
memory/212-84-0x00000000071B0000-0x00000000071EE000-memory.dmp
memory/212-52-0x00000000071B0000-0x00000000071EE000-memory.dmp
memory/212-51-0x00000000071B0000-0x00000000071EE000-memory.dmp
memory/212-957-0x0000000007850000-0x0000000007E68000-memory.dmp
memory/212-958-0x0000000007EA0000-0x0000000007FAA000-memory.dmp
memory/212-959-0x0000000007FE0000-0x0000000007FF2000-memory.dmp
memory/212-960-0x0000000008000000-0x000000000803C000-memory.dmp
memory/212-961-0x0000000008150000-0x000000000819C000-memory.dmp