Analysis Overview
SHA256
2072fd42546d9a6a03e57bbc7463a13054e91ea0536705f5844280eec586d005
Threat Level: Known bad
The file 2072fd42546d9a6a03e57bbc7463a13054e91ea0536705f5844280eec586d005N.exe was found to be: Known bad.
Malicious Activity Summary
Healer family
Redline family
RedLine payload
Healer
Detects Healer an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
RedLine
Executes dropped EXE
Windows security modification
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-12 19:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 19:40
Reported
2024-11-12 19:42
Platform
win10v2004-20241007-en
Max time kernel
117s
Max time network
120s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\beBu54jN88.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\beBu54jN88.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\beBu54jN88.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\beBu54jN88.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\beBu54jN88.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\beBu54jN88.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptwF6265Ke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\beBu54jN88.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cuFf14AY50.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\beBu54jN88.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\2072fd42546d9a6a03e57bbc7463a13054e91ea0536705f5844280eec586d005N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptwF6265Ke.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2072fd42546d9a6a03e57bbc7463a13054e91ea0536705f5844280eec586d005N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptwF6265Ke.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cuFf14AY50.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\beBu54jN88.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\beBu54jN88.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\beBu54jN88.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cuFf14AY50.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2072fd42546d9a6a03e57bbc7463a13054e91ea0536705f5844280eec586d005N.exe
"C:\Users\Admin\AppData\Local\Temp\2072fd42546d9a6a03e57bbc7463a13054e91ea0536705f5844280eec586d005N.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptwF6265Ke.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptwF6265Ke.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\beBu54jN88.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\beBu54jN88.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cuFf14AY50.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cuFf14AY50.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | | tcp |
| RU | 193.233.20.24:4123 | | tcp |
| US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | | tcp |
| RU | 193.233.20.24:4123 | | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptwF6265Ke.exe
| MD5 | 66b74bc40917d8f05a79548e167703c4 |
| SHA1 | 492bc58df520709f02a6de8f2e668470adb8bf2f |
| SHA256 | 7795a6881ab3dcec8c00e6d42b000a970c24cc4d5349152342b4061fcfedccac |
| SHA512 | fc441b654f20cbf9ec7f962c97f62ca51e098317e7bc7f031515f2bcb2a57ce6c966b185c6b6080e9a79736af04ccdc9f4d587acf088e8b1e120a9431b9bb46a |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\beBu54jN88.exe
| MD5 | 679e2fb590e993f2009fd37a069c8c81 |
| SHA1 | 666c2773e8715c34e544f377264adab4f6112e8a |
| SHA256 | 827ffe1495757c587d273f213a014d1bdc2eec223ed03fe3242ad739ff37d5fa |
| SHA512 | f075a6593598427320ebdef163695353ce0429602c6529ff140c89d0843aa2c02c58a6ad6319e833dda7759214b779a5a56daeabc72589ba01a87d1c95b98b6a |
memory/3732-14-0x00007FFB65E53000-0x00007FFB65E55000-memory.dmp
memory/3732-15-0x00000000008A0000-0x00000000008AA000-memory.dmp
memory/3732-16-0x00007FFB65E53000-0x00007FFB65E55000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cuFf14AY50.exe
| MD5 | 8543cf3384382f56703a6ee451ac68f3 |
| SHA1 | 353211899c2c986e0d038a11f566e02e3113e113 |
| SHA256 | 2f1d315d7594bdb561cc82a3e1893703535688dff362e547d1e0ce98362c0acf |
| SHA512 | 609055d116696778d46331609f81697e5b01e34bc70e3ddbd9a27a23f5024ed37902c38ee329e05c29e06422e9352ebb266e9f260cafad9e20f2b262248f4186 |