Analysis Overview
SHA256
fb9e293be756bbcdbaa9affcaa6108114dc1593329c07d06806d287f6cd82719
Threat Level: Known bad
The file fb9e293be756bbcdbaa9affcaa6108114dc1593329c07d06806d287f6cd82719 was found to be: Known bad.
Malicious Activity Summary
Healer
Healer family
RedLine
RedLine payload
Redline family
Detects Healer, an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
Executes dropped EXE
Windows security modification
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 06:46
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 06:46
Reported
2024-11-11 06:48
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Signatures
Detects Healer, an antivirus disabler dropper
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buxz12Qp46.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buxz12Qp46.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buxz12Qp46.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buxz12Qp46.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buxz12Qp46.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buxz12Qp46.exe | N/A |
RedLine
RedLine payload
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plKm15iQ00.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plpa03rq83.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plja71gS40.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plWN70gW84.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buxz12Qp46.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cadz01Ca85.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buxz12Qp46.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plpa03rq83.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plja71gS40.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plWN70gW84.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\fb9e293be756bbcdbaa9affcaa6108114dc1593329c07d06806d287f6cd82719.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plKm15iQ00.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fb9e293be756bbcdbaa9affcaa6108114dc1593329c07d06806d287f6cd82719.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plKm15iQ00.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plpa03rq83.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plja71gS40.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plWN70gW84.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cadz01Ca85.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buxz12Qp46.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buxz12Qp46.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buxz12Qp46.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cadz01Ca85.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fb9e293be756bbcdbaa9affcaa6108114dc1593329c07d06806d287f6cd82719.exe
"C:\Users\Admin\AppData\Local\Temp\fb9e293be756bbcdbaa9affcaa6108114dc1593329c07d06806d287f6cd82719.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plKm15iQ00.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plKm15iQ00.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plpa03rq83.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plpa03rq83.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plja71gS40.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plja71gS40.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plWN70gW84.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plWN70gW84.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buxz12Qp46.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buxz12Qp46.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cadz01Ca85.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cadz01Ca85.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| FR | 193.56.146.11:4162 | | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| FR | 193.56.146.11:4162 | | tcp |
| FR | 193.56.146.11:4162 | | tcp |
| FR | 193.56.146.11:4162 | | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| FR | 193.56.146.11:4162 | | tcp |
| FR | 193.56.146.11:4162 | | tcp |
| US | 8.8.8.8:53 | 104.193.132.51.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plKm15iQ00.exe
| MD5 | 11462e068f11faff85171d9873373f75 |
| SHA1 | 8ba525be5b75a11fb7f7dce9967136fd29a4e754 |
| SHA256 | 7ee1a8ac396b3cd754c42bdd957fa1e00b1ef575f4eb8ba4d19f31d6b97270b9 |
| SHA512 | 201fa9dcb54d139dd508a895b2235bd9ce73995aeaca2f686d98b52ceaf2204874b97efe89b519bc385d7cdb158deb0548fc73eb3753be8f9c2ecb15ca29a634 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plpa03rq83.exe
| MD5 | 6ee11fe378a08f269781165b66e3780d |
| SHA1 | ba7927b981dca0dbce9ccd9d4fee3db2504da960 |
| SHA256 | a9a2f9e8fcbb643439c822131dbafc2613e9d111df0cfd1ed81df53b146bc19d |
| SHA512 | eca830365adffece2c82e046dd6a0017a0f9a9452e987cc5f38f9b75fc29ec4b462fdc2fc31190d21b139c7c93f84790d788b813ff9f0c755f14ddeefcc27941 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plja71gS40.exe
| MD5 | 3871f08e02bcab2e42b33397b9f72c07 |
| SHA1 | 9725fe4325783baa2ef9ff571244b983da71a420 |
| SHA256 | 0aa39174c4a31ba950861bf5c8362de5c8fb6db1ff699b29b2be44c12559df3e |
| SHA512 | b598a8a1cbcf2c61b5ff2af08b276fec9f3984a187c75fe0e39b010441ab6201879511dd1c387a5c5982bb3d35b70747a4747a6472add6cc340db47d277c9de5 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plWN70gW84.exe
| MD5 | c57afb423d0f47dc19c0f7c517fb4b92 |
| SHA1 | a1d62492b4dc19e766e25fa11a9044dfd20da61c |
| SHA256 | 0353b11cf93f02e9648278bebc88cc9e54fcf4932764b4aafdeb07e7d06467c7 |
| SHA512 | 2b60642662558030ee252442bd6f5fca2a7cce8ff7a4ba26a8294571b35ff509b574bf1dd6cdd4f704f552acd933c60724dfd77af137c589f304d0e6ca9b8019 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buxz12Qp46.exe
| MD5 | 102966585816bcda269165e0785f39df |
| SHA1 | 5a351f0bbe9a27b961b939aa639dd7c3e312b3fe |
| SHA256 | c6babb3ca19027457fdce2f4afbf9a1d03226889ac4cdb199dcf3bfb3482ca13 |
| SHA512 | bf8a031209932d3e257b34b65685e94a0043de927078cedc0aa0d7fff3ff1cb3ea1132f3b5a55fe953f4a4e313c9e2983521417a6fa989e3ed3505cb3a6f5d40 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cadz01Ca85.exe
| MD5 | a3da8951bb23f305fd251958e8535aa4 |
| SHA1 | ef6115e81f6e8a5a7ed3428db8ff7e34619e7e54 |
| SHA256 | 786dcca370472e838015aaff2797f569f05b3fe168087a60e95294354ced715a |
| SHA512 | be73e7708641e3d8d8f3f7b9136287bdf4de58798dd98ba5b03d1e486ff97aafcba07f428d135c87cb84098595e711a64d72b3ec43100375049d49d88618fe9d |