Analysis Overview
SHA256
b3934e65d078022c40e6054323c252ebe8fa01ca4f176bc9abb5affa333f1c92
Threat Level: Known bad
The file b3934e65d078022c40e6054323c252ebe8fa01ca4f176bc9abb5affa333f1c92N.exe was found to be: Known bad.
Malicious Activity Summary
Detects Healer, an antivirus disabler dropper
RedLine payload
Redline family
Healer family
Healer
Modifies Windows Defender Real-time Protection settings
RedLine
Executes dropped EXE
Windows security modification
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-12 20:37
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 20:37
Reported
2024-11-12 20:39
Platform
win10v2004-20241007-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bpw79rx89.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bpw79rx89.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bpw79rx89.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bpw79rx89.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bpw79rx89.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bpw79rx89.exe | N/A |
RedLine
RedLine payload
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pgT63bu58.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bpw79rx89.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ckN62wa95.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bpw79rx89.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\b3934e65d078022c40e6054323c252ebe8fa01ca4f176bc9abb5affa333f1c92N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pgT63bu58.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b3934e65d078022c40e6054323c252ebe8fa01ca4f176bc9abb5affa333f1c92N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pgT63bu58.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ckN62wa95.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bpw79rx89.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bpw79rx89.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bpw79rx89.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ckN62wa95.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b3934e65d078022c40e6054323c252ebe8fa01ca4f176bc9abb5affa333f1c92N.exe
"C:\Users\Admin\AppData\Local\Temp\b3934e65d078022c40e6054323c252ebe8fa01ca4f176bc9abb5affa333f1c92N.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pgT63bu58.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pgT63bu58.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bpw79rx89.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bpw79rx89.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ckN62wa95.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ckN62wa95.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| RU | 193.233.20.23:4123 | N/A | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| RU | 193.233.20.23:4123 | N/A | tcp |
| RU | 193.233.20.23:4123 | N/A | tcp |
| RU | 193.233.20.23:4123 | N/A | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| RU | 193.233.20.23:4123 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pgT63bu58.exe
| MD5 | 258a6b2df5cad8c864bb75df2e1d3376 |
| SHA1 | 520d36fbdfd65e2bee1a999bec5d46ee6f7ee6ac |
| SHA256 | 4ca7414afb2849216202055c68b7c134069a4ec2ea092abeb3770656f9cd18fe |
| SHA512 | 653f66fbab322803658d017881e76d0792e98d4d64255f1983f7517d8b545cbaa6abf79e8a51f4ceb8db0bcd795988fd5144d038ac78ac121937f4d0e6c6ead7 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bpw79rx89.exe
| MD5 | 7720e60b1e2818e47418fa2551f90f07 |
| SHA1 | caa232d9a1939650cfd54f7890a74d46c7291356 |
| SHA256 | 83ba14557a7847fb9fd3b925051db3c3b6a32edadd232c8a7fd0bcc6e35ed98d |
| SHA512 | cfd3f0be18ddde002d0b778b6231d24cc3dcf816fc47cd8a731e41419cdd833d66a11d9551076374dd61bf9dd5c0abf81606879f5ef4bceb7b87a93fcaa4e1bc |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ckN62wa95.exe
| MD5 | 268eb6c29660b671081e908c7edff532 |
| SHA1 | e43f244273c197c44bb8bc7ad1ae2583545724bf |
| SHA256 | 44dcf8fd0be32702a4246205f7ac38abfed0f072fa42bbe79044476c5f2903d0 |
| SHA512 | a141e4bdedfcd313468ac3a967ed9a866efc5db3d060edeaa409f1fb278f02595921480192b0b43d02cc18fd2872ac045af2f01c86660d40b6b2f527074a3689 |