Analysis Overview
SHA256
a32b0d149c969cf5c2851ba4950a0784eba7cccd0300339a0462b94db2551219
Threat Level: Known bad
The file a32b0d149c969cf5c2851ba4950a0784eba7cccd0300339a0462b94db2551219 was found to be: Known bad.
Malicious Activity Summary
Detects Healer an antivirus disabler dropper
Redline family
RedLine payload
RedLine
Healer family
Modifies Windows Defender Real-time Protection settings
Healer
Executes dropped EXE
Windows security modification
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 06:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 06:52
Reported
2024-11-11 06:55
Platform
win10v2004-20241007-en
Max time kernel
143s
Max time network
147s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupD17GK38.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupD17GK38.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupD17GK38.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupD17GK38.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupD17GK38.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupD17GK38.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plGH94Iw82.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plfB14wT30.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plpu34PR48.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plub66qY66.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupD17GK38.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caIZ03ex15.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupD17GK38.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plfB14wT30.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plpu34PR48.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plub66qY66.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\a32b0d149c969cf5c2851ba4950a0784eba7cccd0300339a0462b94db2551219.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plGH94Iw82.exe | N/A |
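Added example, not part of this report or of any sandbox vendor's tooling: a Python triage helper that takes registry-write rows in the shape the tables above use (operation, indicator, writing process) and flags the Real-Time Protection policy values switched off, the TamperProtection write, and the wextract_cleanupN chain. Those RunOnce entries are not the payload's own persistence: wextract.exe, the Windows IExpress self-extractor, registers `rundll32.exe advpack.dll,DelNodeRunDLL32` to delete its IXPnnn.TMP extraction directory at the next logon, so five numbered entries, each written by the executable one layer up, mean the sample is five nested SFX layers deep with the Healer stage (bupD17GK38.exe, the process writing the Defender keys) in the innermost one. The "Adds Run key" signature therefore reflects extractor clean-up here. The sample rows are constructed from the tables above; the path and value names are taken from them. Caveat: a write succeeding in the sandbox does not mean the setting takes effect on a host with Tamper Protection on, so on a suspect machine confirm the effective state with Get-MpComputerStatus (RealTimeProtectionEnabled, IsTamperProtected) rather than trusting the registry alone.

```python
"""Classify the registry writes a sandbox report tabulates: Defender policy values
switched off, the Tamper Protection write, and the wextract clean-up chain that
shows how many self-extracting (IExpress) layers the dropper is wrapped in."""
import re

POLICY_RTP = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
TAMPER_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection"
# Values under the Real-Time Protection policy key that turn a protection OFF when set to 1.
RTP_DISABLE_VALUES = {"DisableRealtimeMonitoring", "DisableBehaviorMonitoring",
                      "DisableIOAVProtection", "DisableOnAccessProtection",
                      "DisableScanOnRealtimeEnable"}

SET_RE = re.compile(r'^(?P<key>.+)\\(?P<name>[^\\=]+) = "(?P<data>.*)"$')
CLEANUP_RE = re.compile(r"^wextract_cleanup(?P<n>\d+)$")
IXP_RE = re.compile(r"IXP(?P<n>\d{3})\.TMP", re.IGNORECASE)

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
HEALER = TEMP + r"\IXP004.TMP\bupD17GK38.exe"


def parse_set_value(indicator):
    """Split a 'key\\name = "data"' indicator; 'Key created' rows carry no '=' and yield None."""
    m = SET_RE.match(indicator)
    return (m["key"], m["name"], m["data"]) if m else None


def layer_of(path):
    """Index of the IXPnnn.TMP directory a path sits in; None for the top-level sample."""
    m = IXP_RE.search(path)
    return int(m["n"]) if m else None


def cleanup_event(n, writer):
    """A wextract_cleanupN RunOnce row as the report prints it (backslashes doubled)."""
    key = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
    data = (r"rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 "
            + r'\"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP%03d.TMP\\\"' % n)
    return ("Set value (str)", f'{key}\\wextract_cleanup{n} = "{data}"', writer)


# Constructed from the report's registry tables: (operation, indicator, writing process).
SAMPLE_EVENTS = (
    [("Key created", POLICY_RTP, HEALER)]
    + [("Set value (int)", f'{POLICY_RTP}\\{v} = "1"', HEALER) for v in sorted(RTP_DISABLE_VALUES)]
    + [("Set value (int)", f'{TAMPER_KEY} = "0"', HEALER),
       cleanup_event(0, TEMP + r"\a32b0d149c969cf5c2851ba4950a0784eba7cccd0300339a0462b94db2551219.exe"),
       cleanup_event(1, TEMP + r"\IXP000.TMP\plGH94Iw82.exe"),
       cleanup_event(2, TEMP + r"\IXP001.TMP\plfB14wT30.exe"),
       cleanup_event(3, TEMP + r"\IXP002.TMP\plpu34PR48.exe"),
       cleanup_event(4, TEMP + r"\IXP003.TMP\plub66qY66.exe")]
)


def triage(events):
    """Return the Defender settings disabled, who disabled them, and the SFX layer chain."""
    out = {"rtp_disabled": set(), "tamper_protection_off": False, "tamperers": set(), "sfx_layers": {}}
    for _op, indicator, proc in events:
        parsed = parse_set_value(indicator)
        if parsed is None:
            continue
        key, name, data = parsed
        if key == POLICY_RTP and name in RTP_DISABLE_VALUES and data == "1":
            out["rtp_disabled"].add(name)
            out["tamperers"].add(proc)
        elif key + "\\" + name == TAMPER_KEY and data == "0":
            out["tamper_protection_off"] = True
            out["tamperers"].add(proc)
        elif key.endswith(r"\CurrentVersion\RunOnce") and CLEANUP_RE.match(name):
            # wextract.exe schedules deletion of its own IXPnnn.TMP directory at next logon;
            # every numbered entry is one SFX layer, written by the executable one layer above.
            n = int(CLEANUP_RE.match(name)["n"])
            out["sfx_layers"][n] = {"writer": proc, "writer_layer": layer_of(proc),
                                    "cleans_up": layer_of(data)}
    out["sfx_depth"] = len(out["sfx_layers"])
    # Consistent chain: entry n is written from layer n-1 (top-level sample counts as -1)
    # and deletes layer n.
    out["chain_consistent"] = all(
        (v["writer_layer"] if v["writer_layer"] is not None else -1) + 1 == v["cleans_up"] == n
        for n, v in out["sfx_layers"].items())
    return out


if __name__ == "__main__":
    for k, v in triage(SAMPLE_EVENTS).items():
        print(f"{k}: {v}")
```

Feeding it the rows from this report yields all five Real-Time Protection values disabled and TamperProtection cleared by the single IXP004 process, and a consistent five-layer chain from the SHA-named sample down to IXP004.TMP; a broken chain (a clean-up entry written from a directory that is not the layer above) would point at a process that is not plain wextract output and deserves a closer look.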
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plfB14wT30.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plpu34PR48.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plub66qY66.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caIZ03ex15.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a32b0d149c969cf5c2851ba4950a0784eba7cccd0300339a0462b94db2551219.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plGH94Iw82.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupD17GK38.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupD17GK38.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupD17GK38.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caIZ03ex15.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\a32b0d149c969cf5c2851ba4950a0784eba7cccd0300339a0462b94db2551219.exe | "C:\Users\Admin\AppData\Local\Temp\a32b0d149c969cf5c2851ba4950a0784eba7cccd0300339a0462b94db2551219.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plGH94Iw82.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plGH94Iw82.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plfB14wT30.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plfB14wT30.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plpu34PR48.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plpu34PR48.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plub66qY66.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plub66qY66.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupD17GK38.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupD17GK38.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caIZ03ex15.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caIZ03ex15.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| FR | 193.56.146.11:4162 | | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| FR | 193.56.146.11:4162 | | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| FR | 193.56.146.11:4162 | | tcp |
| FR | 193.56.146.11:4162 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| FR | 193.56.146.11:4162 | | tcp |
| FR | 193.56.146.11:4162 | | tcp |
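Added example, not part of this report or of any sandbox vendor's tooling: a Python helper that parses the Network table above, decodes the in-addr.arpa names back to the addresses the guest was reverse-resolving, and counts direct connections per peer. The table as extracted has "tcp" sitting in the Domain column on several 193.56.146.11 rows, so the parser accepts both that layout and the corrected one; the rows below are constructed from the table and keep a few in the shifted form on purpose. Two caveats the table itself does not state: a PTR query only shows that something on the guest resolved that address, not that the sample connected to it, and the report does not attribute the TCP connections to a process. The repeated TCP sessions to one host on a non-standard port are the item to pivot on in the pcap before treating that address as RedLine C2.

```python
"""Triage the Network table of a sandbox report: decode reverse-DNS (PTR) queries
back to the addresses being resolved and aggregate the direct connections per peer."""
import ipaddress
from collections import Counter

# Constructed from the report's Network table. Three TCP rows are kept in the
# shifted form the extracted page shows ('tcp' in the Domain column) so the
# parser has to cope with both layouts.
NETWORK_ROWS = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| FR | 193.56.146.11:4162 | tcp | |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| FR | 193.56.146.11:4162 | | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| FR | 193.56.146.11:4162 | | tcp |
| FR | 193.56.146.11:4162 | tcp | |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| FR | 193.56.146.11:4162 | | tcp |
| FR | 193.56.146.11:4162 | tcp |
"""


def parse_rows(text):
    """Parse pipe-table rows into dicts, repairing rows whose Proto slid into the Domain column."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        cells += [""] * (4 - len(cells))          # short rows: pad to four columns
        country, dest, domain, proto = cells[:4]
        if country.lower() == "country":          # header row
            continue
        if not proto and domain.lower() in ("tcp", "udp"):
            domain, proto = "", domain            # shifted row: no domain, proto moved left
        rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto.lower()})
    return rows


def decode_ptr(name):
    """'97.17.167.52.in-addr.arpa' -> '52.167.17.97'; PTR names list the IPv4 octets reversed."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    ip = ".".join(reversed(octets))
    try:
        ipaddress.IPv4Address(ip)
    except ValueError:
        return None
    return ip


def summarize(rows):
    """Separate resolver traffic from direct peers and cross-reference the two."""
    ptr_targets, direct = set(), Counter()
    for r in rows:
        if r["proto"] == "udp" and r["dest"].endswith(":53"):
            ip = decode_ptr(r["domain"])
            if ip:
                ptr_targets.add(ip)
        else:
            direct[(r["dest"], r["proto"], r["country"])] += 1
    peer_ips = {dest.rsplit(":", 1)[0] for dest, _, _ in direct}
    return {
        "ptr_targets": sorted(ptr_targets, key=ipaddress.IPv4Address),
        "direct_peers": dict(direct),
        # Heuristic: a PTR lookup with no matching connection is usually the guest's own
        # background resolution; a peer contacted repeatedly on a non-standard port is the
        # indicator to pivot on in the pcap.
        "ptr_without_connection": sorted(ptr_targets - peer_ips, key=ipaddress.IPv4Address),
        "repeat_peers": {k: n for k, n in direct.items() if n > 1},
    }


if __name__ == "__main__":
    for k, v in summarize(parse_rows(NETWORK_ROWS)).items():
        print(f"{k}: {v}")
```

On this table the only direct peer is 193.56.146.11:4162 over TCP, seen six times, and none of the eight reverse-resolved addresses is ever connected to, which is what separates sandbox and OS background noise from the traffic worth carving out of the capture.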
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plGH94Iw82.exe
| MD5 | 6b26dea5e48f18b0d8961866d33cf0d8 |
| SHA1 | ad2200771b613dcd42f9e3e3eceffcc7b7beda69 |
| SHA256 | 10d8a04ed97dd5bd3fcb08a1919c7e6ed3ca5f7e2a590b7485a59d0a8ee9e1aa |
| SHA512 | 101f8e3121c9a89087d71cd2c174970bc2d15708ed339b8fee0d47efb7ffb3ee6a2fea0d0b1a01fd9599275e27dbe5753a8a9f0a796ddcef6807250fa1a92f6b |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plfB14wT30.exe
| MD5 | 1e5603fcee4409660bd62c9d64cb4186 |
| SHA1 | 03cc43ea6ebc62fcf000dc2a8cccab7f077ba30b |
| SHA256 | 3d591d1bd9d7e544d84269fbdd5a8f9add21aa28acf95fba24b04868bdf33f35 |
| SHA512 | bcb6fbf01d023021705dc97526d109d245469e1862558e668857abc8bdce0ad471aa28dbadc2f7411a7b32be8a0fee16a8a9fe3758abd7ef877bdffff4b77b77 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plpu34PR48.exe
| MD5 | 38cbe723900d59aa753cc870e127a11d |
| SHA1 | 6add57bcbd7d2fe555855058df7e8c9492fb6378 |
| SHA256 | 23724ec0e0cd8d384b7a82cd99085c963d7fd6dfee4e39e1789dcd301e7c777c |
| SHA512 | b0a294e2c1ae6328e0223baf41f55f85b33adc7223c73f348744729ed743721ed3078373372086041c21e03f69a18d894fd9126111699c2144a980e5b1bf20c4 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plub66qY66.exe
| MD5 | 40584ca476ac36edfee3d977d21c01f6 |
| SHA1 | eb4455335d7273b65f5438250e12a119d894f601 |
| SHA256 | b6ff83cbe5ecc27ba1162cc43a20cb660746faeb6ee722e3c46d6e2557ef8dd5 |
| SHA512 | c1bfd1264735e04f0a3f26d657d192f1476831bee9d2fb934ab43c5c436b8e1b18211c2d49d45c6889488591ce94d01deaa5c8cc2ffe6dddb72996d3806ffebc |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupD17GK38.exe
| MD5 | 3af0ef8b7ecaaf53cd964b48f3974deb |
| SHA1 | 1338a465c121496da656e0af915fdb3315a00a08 |
| SHA256 | 2060c541405bb9947bd61fb1a4b174fa3b00470c648accab963297fcda1e955b |
| SHA512 | 8d81b46fa33238b5b09672e1cc6e0d3c13fa48f5789dd285c7c965c6b69835051dbc27bcf63f459e5d90a6bda2c3dd16901ec919d632120782e5a68b56449439 |
memory/628-35-0x0000000000FA0000-0x0000000000FAA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caIZ03ex15.exe
| MD5 | a3da8951bb23f305fd251958e8535aa4 |
| SHA1 | ef6115e81f6e8a5a7ed3428db8ff7e34619e7e54 |
| SHA256 | 786dcca370472e838015aaff2797f569f05b3fe168087a60e95294354ced715a |
| SHA512 | be73e7708641e3d8d8f3f7b9136287bdf4de58798dd98ba5b03d1e486ff97aafcba07f428d135c87cb84098595e711a64d72b3ec43100375049d49d88618fe9d |
memory/5056-41-0x0000000004CA0000-0x0000000004CE6000-memory.dmp
memory/5056-42-0x0000000007390000-0x0000000007934000-memory.dmp
memory/5056-43-0x00000000071C0000-0x0000000007204000-memory.dmp
memory/5056-107-0x00000000071C0000-0x00000000071FE000-memory.dmp
memory/5056-85-0x00000000071C0000-0x00000000071FE000-memory.dmp
memory/5056-59-0x00000000071C0000-0x00000000071FE000-memory.dmp
memory/5056-47-0x00000000071C0000-0x00000000071FE000-memory.dmp
memory/5056-45-0x00000000071C0000-0x00000000071FE000-memory.dmp
memory/5056-44-0x00000000071C0000-0x00000000071FE000-memory.dmp
memory/5056-105-0x00000000071C0000-0x00000000071FE000-memory.dmp
memory/5056-103-0x00000000071C0000-0x00000000071FE000-memory.dmp
memory/5056-101-0x00000000071C0000-0x00000000071FE000-memory.dmp
memory/5056-99-0x00000000071C0000-0x00000000071FE000-memory.dmp
memory/5056-97-0x00000000071C0000-0x00000000071FE000-memory.dmp
memory/5056-95-0x00000000071C0000-0x00000000071FE000-memory.dmp
memory/5056-93-0x00000000071C0000-0x00000000071FE000-memory.dmp
memory/5056-91-0x00000000071C0000-0x00000000071FE000-memory.dmp
memory/5056-89-0x00000000071C0000-0x00000000071FE000-memory.dmp
memory/5056-87-0x00000000071C0000-0x00000000071FE000-memory.dmp
memory/5056-83-0x00000000071C0000-0x00000000071FE000-memory.dmp
memory/5056-81-0x00000000071C0000-0x00000000071FE000-memory.dmp
memory/5056-79-0x00000000071C0000-0x00000000071FE000-memory.dmp
memory/5056-77-0x00000000071C0000-0x00000000071FE000-memory.dmp
memory/5056-75-0x00000000071C0000-0x00000000071FE000-memory.dmp
memory/5056-74-0x00000000071C0000-0x00000000071FE000-memory.dmp
memory/5056-71-0x00000000071C0000-0x00000000071FE000-memory.dmp
memory/5056-69-0x00000000071C0000-0x00000000071FE000-memory.dmp
memory/5056-67-0x00000000071C0000-0x00000000071FE000-memory.dmp
memory/5056-65-0x00000000071C0000-0x00000000071FE000-memory.dmp
memory/5056-63-0x00000000071C0000-0x00000000071FE000-memory.dmp
memory/5056-61-0x00000000071C0000-0x00000000071FE000-memory.dmp
memory/5056-57-0x00000000071C0000-0x00000000071FE000-memory.dmp
memory/5056-55-0x00000000071C0000-0x00000000071FE000-memory.dmp
memory/5056-53-0x00000000071C0000-0x00000000071FE000-memory.dmp
memory/5056-51-0x00000000071C0000-0x00000000071FE000-memory.dmp
memory/5056-49-0x00000000071C0000-0x00000000071FE000-memory.dmp
memory/5056-950-0x0000000007940000-0x0000000007F58000-memory.dmp
memory/5056-951-0x0000000007F60000-0x000000000806A000-memory.dmp
memory/5056-952-0x00000000072F0000-0x0000000007302000-memory.dmp
memory/5056-953-0x0000000007310000-0x000000000734C000-memory.dmp
memory/5056-954-0x0000000008170000-0x00000000081BC000-memory.dmp