Analysis Overview
SHA256
da7ea5bbdbda4355c08dee33105a2577f239cb3cf44a0a45a7a2f2d90e1e5c2e
Threat Level: Known bad
The file da7ea5bbdbda4355c08dee33105a2577f239cb3cf44a0a45a7a2f2d90e1e5c2e was found to be: Known bad.
Malicious Activity Summary
Detects Healer, an antivirus disabler dropper
Healer
RedLine payload
RedLine
Healer family
Redline family
Modifies Windows Defender Real-time Protection settings
Windows security modification
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 07:15
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 07:15
Reported
2024-11-11 07:18
Platform
win10v2004-20241007-en
Max time kernel
143s
Max time network
147s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTc67ii.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTc67ii.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTc67ii.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTc67ii.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTc67ii.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTc67ii.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sMd69eR69.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\seR20tx67.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\shQ07NY07.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTc67ii.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ket87DV.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTc67ii.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\da7ea5bbdbda4355c08dee33105a2577f239cb3cf44a0a45a7a2f2d90e1e5c2e.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sMd69eR69.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\seR20tx67.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\shQ07NY07.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\shQ07NY07.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ket87DV.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\da7ea5bbdbda4355c08dee33105a2577f239cb3cf44a0a45a7a2f2d90e1e5c2e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sMd69eR69.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\seR20tx67.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTc67ii.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTc67ii.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ket87DV.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\da7ea5bbdbda4355c08dee33105a2577f239cb3cf44a0a45a7a2f2d90e1e5c2e.exe | "C:\Users\Admin\AppData\Local\Temp\da7ea5bbdbda4355c08dee33105a2577f239cb3cf44a0a45a7a2f2d90e1e5c2e.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sMd69eR69.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sMd69eR69.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\seR20tx67.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\seR20tx67.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\shQ07NY07.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\shQ07NY07.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTc67ii.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTc67ii.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ket87DV.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ket87DV.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 193.233.20.23:4124 | N/A | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sMd69eR69.exe
| MD5 | 48d76ba7eba9fe36abfdcf0eb805d4e6 |
| SHA1 | 50290672b453e591c60754011b3651ed80acee6a |
| SHA256 | 98f0908162a9ff04724af618b89f18f372c516aa308bc45a960cfd5732a319a3 |
| SHA512 | 6959d0c37e5da7b7f26d827a8b51972a901a1f8262a5b4f5af485fe10b4e1cfe57d2c17b6c2b84e8cd8282ddfbc8d673ef5c5b82b3fa2ec34ccc2bc9aca3e029 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\seR20tx67.exe
| MD5 | 011f572cd01040ae90f4c2bec985279e |
| SHA1 | 53b48ee92c94b118051ae561091cf3f09445e5a2 |
| SHA256 | 88feb9c9fefc90e4e5692cbe903f14acf18d2abc3811a7cbe1c22634b83c3021 |
| SHA512 | 198edfebf162d32c88f58eb1dd415110fed01655164e6e195a2b1ec7863a7d300ca04ff3cbac7b96f0abef9e31304b4f68479d909a93ca311ba6bc2f6fb9d4f5 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\shQ07NY07.exe
| MD5 | 24c66ce9bd9f1848461d318aaa2965d1 |
| SHA1 | e1654fb970dd38239f22aa980faf5db20fe6ac31 |
| SHA256 | 651f812f9cdeed77d6a0078fdc425a036ef00dff1b452da53683b048522c2b33 |
| SHA512 | 263841ddd5975ee6229469db9e59e3a50523b4bb2d4c8bf8350fc8e614a288440103176b8321b9fc582a020e8ad4eff28496aa0d92e8fecb7c584c3f321ab92c |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTc67ii.exe
| MD5 | 96bc4aa13190b64dbac933e84b3755bf |
| SHA1 | 02eea495c0471e5bf620fcbb1e7236a9af6884d7 |
| SHA256 | 813d515b4bf61ca4ec78dcca4ec5881d170f40fec4ba94dd6126b693f1f24a1a |
| SHA512 | 12e9eeb9a8b44a71e84d962072d6a19a2cee2b115299eab8378ef822fd933faaf97f606b4c5febe059a5c9d81d75aa331ee591fc2bb2d69fc2dd4d3fd5868fc8 |
memory/4560-28-0x0000000000EE0000-0x0000000000EEA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ket87DV.exe
| MD5 | a6adc2e80b48f93ba7b7a58f2465d794 |
| SHA1 | f27bbdf26dbb193c5f5e8ee97aea6e786562fd0a |
| SHA256 | a8d3a71edf6a6d2a647021f26bc97cf728dccf92b22663e6b9624f43fff427f4 |
| SHA512 | ec7797e25e7ccc87ecd84b2e658ce547db2ee46329c78437c03b55117cc1c56a55a6c267f92aabf5debbad324d6233c87e102db12a3d562d769c08424ed79c41 |