Analysis Overview
SHA256
7ff164f6d9a8c6c4c16036fc1b5dee60ce8feb08cf4147300d1c340155aa55d0
Threat Level: Known bad
The file 7ff164f6d9a8c6c4c16036fc1b5dee60ce8feb08cf4147300d1c340155aa55d0.exe was found to be: Known bad.
Malicious Activity Summary
RedLine payload
Detects Healer an antivirus disabler dropper
Healer
Healer family
Redline family
Modifies Windows Defender Real-time Protection settings
RedLine
Windows security modification
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 13:25
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 13:25
Reported
2024-11-13 13:27
Platform
win10v2004-20241007-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\budM97gi40.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\budM97gi40.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\budM97gi40.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\budM97gi40.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\budM97gi40.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\budM97gi40.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plQj03VQ37.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plkz35SO10.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEt55fG57.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\budM97gi40.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\casv44Ni50.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\budM97gi40.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\7ff164f6d9a8c6c4c16036fc1b5dee60ce8feb08cf4147300d1c340155aa55d0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plQj03VQ37.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plkz35SO10.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEt55fG57.exe | N/A |
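The registry rows above carry the report's two most actionable signals, and one that is easy to over-read. The five `Disable*` values under `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection` and the `TamperProtection = 0` write, all from `budM97gi40.exe` (the process the Healer signature fires on), are the Defender-disabling behaviour; the report records the write, and whether Defender actually honoured it depends on whether tamper protection was enforced on the analysis VM. The four `RunOnce\wextract_cleanupN` values, by contrast, are what the Windows `wextract.exe` self-extractor stub writes so that `advpack.dll,DelNodeRunDLL32` deletes its `IXP00N.TMP` directory at next logon: they tell you the sample is four nested self-extracting layers (IXP000 through IXP003), not that it installed an autostart. The following classifier, an added example and not part of the sandbox report, turns such set-value events into graded findings. The event tuples are constructed to mirror the rows above; the `Run\Updater` row is an invented contrast case that the report does not contain.

```python
"""Classify registry set-value events of the kind listed in this report.

Added example, not sandbox output. SAMPLE_EVENTS is constructed to mirror the
report's rows; the Run\\Updater entry is invented to show a genuine autostart.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Policy values under this key set to 1 switch off parts of Defender
# real-time protection (ATT&CK T1562.001, Disable or Modify Tools).
DEFENDER_RTP_POLICY = re.compile(
    r"^\\REGISTRY\\MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender"
    r"\\Real-Time Protection\\(?P<setting>Disable\w+)$",
    re.IGNORECASE,
)
TAMPER_PROTECTION = re.compile(
    r"^\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection$",
    re.IGNORECASE,
)
# Run / RunOnce autostart values in HKLM or a user hive, 32- or 64-bit view.
RUN_KEY = re.compile(
    r"^\\REGISTRY\\(?P<hive>MACHINE|USER\\[^\\]+)\\SOFTWARE\\(?:WOW6432Node\\)?"
    r"Microsoft\\Windows\\CurrentVersion\\(?P<kind>Run|RunOnce)\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
# The RunOnce value wextract.exe (IExpress stub) writes to delete its IXPnnn.TMP
# directory at next logon: a self-extractor cleanup artifact, not persistence.
WEXTRACT_CLEANUP = re.compile(
    r'^rundll32\.exe\s+\S*advpack\.dll,DelNodeRunDLL32\s+"(?P<dir>[^"]*IXP\d{3}\.TMP)\\?"$',
    re.IGNORECASE,
)


@dataclass
class Finding:
    severity: str       # "high" | "medium" | "info"
    technique: str      # ATT&CK id or a local label
    process: str
    detail: str
    artifact: str = ""  # IXP directory for cleanup entries


def _as_int(value) -> Optional[int]:
    """The report prints ints as "1"; accept an int or a numeric string."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def classify_event(process: str, key: str, value) -> Optional[Finding]:
    """Map one registry set-value event to a finding, or None if uninteresting."""
    m = DEFENDER_RTP_POLICY.match(key)
    if m and _as_int(value) == 1:
        return Finding("high", "T1562.001", process,
                       f"Defender policy {m['setting']}=1 written under HKLM\\SOFTWARE\\Policies")
    if TAMPER_PROTECTION.match(key) and _as_int(value) == 0:
        return Finding("high", "T1562.001", process, "Defender TamperProtection feature flag set to 0")
    m = RUN_KEY.match(key)
    if m:
        c = WEXTRACT_CLEANUP.match(str(value))
        if c:  # cleanup of a self-extractor layer: informational only
            return Finding("info", "installer-artifact", process,
                           f"wextract cleanup of {c['dir']} (nested self-extractor layer)", c["dir"])
        return Finding("medium", "T1547.001", process, f"{m['kind']} value {m['name']!r} -> {value}")
    return None


def analyze(events) -> list:
    """Classify (process, key, value) tuples, dropping the uninteresting ones."""
    return [f for f in (classify_event(*e) for e in events) if f is not None]


def severity_counts(findings) -> dict:
    return dict(Counter(f.severity for f in findings))


def extractor_dirs(findings) -> list:
    """IXPnnn.TMP directories named by cleanup entries; their count is the nesting depth."""
    return [f.artifact for f in findings if f.technique == "installer-artifact"]


# Constructed events mirroring the report's rows (not copied sandbox output).
RTP = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
RUNONCE32 = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
CLEANUP = r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\{}\"'
SAMPLE_EVENTS = [
    ("budM97gi40.exe", RTP + r"\DisableBehaviorMonitoring", "1"),
    ("budM97gi40.exe", RTP + r"\DisableIOAVProtection", "1"),
    ("budM97gi40.exe", RTP + r"\DisableOnAccessProtection", "1"),
    ("budM97gi40.exe", RTP + r"\DisableRealtimeMonitoring", "1"),
    ("budM97gi40.exe", RTP + r"\DisableScanOnRealtimeEnable", "1"),
    ("budM97gi40.exe", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection", "0"),
    ("7ff164f6d9a8c6c4c16036fc1b5dee60ce8feb08cf4147300d1c340155aa55d0.exe",
     RUNONCE32 + r"\wextract_cleanup0", CLEANUP.format("IXP000.TMP")),
    ("plQj03VQ37.exe", RUNONCE32 + r"\wextract_cleanup1", CLEANUP.format("IXP001.TMP")),
    # Invented contrast case, not in the report: a real per-user Run autostart.
    ("casv44Ni50.exe", r"\REGISTRY\USER\S-1-5-21-1\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     r"C:\Users\Admin\AppData\Roaming\updater.exe"),
    # Unrelated noise that must classify as None.
    ("explorer.exe", r"\REGISTRY\USER\S-1-5-21-1\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden", "1"),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] {f.technique:18} {f.process}: {f.detail}")
```

Run against the constructed events this yields six high findings (five real-time protection policies plus the tamper-protection flag), two informational cleanup entries, and one medium autostart; the cleanup entries also give the self-extractor nesting depth, which on the report's four `wextract_cleanup` rows would be four. The `value == 1` check matters: the same `Disable*` names written as 0 re-enable protection and are not flagged.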
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\casv44Ni50.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7ff164f6d9a8c6c4c16036fc1b5dee60ce8feb08cf4147300d1c340155aa55d0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plQj03VQ37.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plkz35SO10.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEt55fG57.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\budM97gi40.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\budM97gi40.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\budM97gi40.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\casv44Ni50.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\7ff164f6d9a8c6c4c16036fc1b5dee60ce8feb08cf4147300d1c340155aa55d0.exe | "C:\Users\Admin\AppData\Local\Temp\7ff164f6d9a8c6c4c16036fc1b5dee60ce8feb08cf4147300d1c340155aa55d0.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plQj03VQ37.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plQj03VQ37.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plkz35SO10.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plkz35SO10.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEt55fG57.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEt55fG57.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\budM97gi40.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\budM97gi40.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\casv44Ni50.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\casv44Ni50.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| FR | 193.56.146.11:4162 | N/A | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| FR | 193.56.146.11:4162 | N/A | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| FR | 193.56.146.11:4162 | N/A | tcp |
| FR | 193.56.146.11:4162 | N/A | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| FR | 193.56.146.11:4162 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plQj03VQ37.exe
| MD5 | a80adfefab4b196c3b5f98505c3937c5 |
| SHA1 | 6e34307edbbf4d3935674fe5255a37222a776445 |
| SHA256 | b479c94cc9f947d24a0f3ba7781be802c6227db9c0191daa9be7f957986761e4 |
| SHA512 | eeee51ea4d7800282550a9ef75fb6cb402a6225b34e43511e6a8128435eea4bc3e57e76109518198cb5a4ec3f56fc4185c70e62805cc3482942f62a4a49b1da5 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plkz35SO10.exe
| MD5 | d65bb58147d325d09cc6bd41ce7ac921 |
| SHA1 | 0f6412520a0e79b9ec1b850559a3c0f3d9a016ec |
| SHA256 | 425dbf9332067e96a75f005275f2833f0ac64d569d7e2a423b88bb3ce00c8528 |
| SHA512 | dfc913b966ab1f64d6412f39635a145832597652ec88fad0860fea0f3a845104a478e75eabba1b44471b65ba6e8f144eb8e4be329243a16e1f32c3a8712bd913 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEt55fG57.exe
| MD5 | a4eca6e9bfdb86685646cbe06ba0350d |
| SHA1 | 811d81d2adfaad8e1cccaf297a7bbabe90534fd7 |
| SHA256 | 72f120aa64a04495a899c675c0c93ed9fd01766519f2a528d6fff3da30671b99 |
| SHA512 | 4a25a32710cb2a8b5d163a52fc8535aafe3ec49883ac9cafd1a4503c9d7bfcd52d737a37c5c3ad6b95845a76b9a5b649b6dfc49f779e38279a87bd7ef834321f |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\budM97gi40.exe
| MD5 | 99e424546741eea90b6534de55068b27 |
| SHA1 | fca6fd344b3a70ca90f124720796057466eff1dd |
| SHA256 | a4460ec4a7b91f662927f98ce5e972d2d5feecb806f99ec94b44b7c1a2745035 |
| SHA512 | 3235e7d02f92c8f660bf6a3746622bd50038973512b0d53927d016a908c39ec479e7e20e9a49eabd3a861f25fc9c064089b3562a7a17ab179a04f83101f003a7 |
memory/760-28-0x0000000000660000-0x000000000066A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\casv44Ni50.exe
| MD5 | 6940451e769c094029427d1531775121 |
| SHA1 | 03c763ca8ebc6896fb35c9f8d4d3fc64d03fe850 |
| SHA256 | ab9bbcc3bb273a1f13db7566032205b26f5a4a634194ba39007349aa34801dca |
| SHA512 | 53578c0693e6a171feec767f38f4601da453875d14a37f82e3ca30cce3b7217d4b5b0a6de659d54d11810ee238bd5816d2bc9635cf20dcd9f73901a09c08ff06 |
memory/5020-34-0x00000000025D0000-0x0000000002616000-memory.dmp
memory/5020-35-0x0000000004C50000-0x00000000051F4000-memory.dmp
memory/5020-36-0x0000000004B90000-0x0000000004BD4000-memory.dmp
memory/5020-38-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/5020-96-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/5020-68-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/5020-37-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/5020-100-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/5020-98-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/5020-94-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/5020-92-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/5020-90-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/5020-88-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/5020-86-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/5020-84-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/5020-82-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/5020-80-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/5020-78-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/5020-76-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/5020-74-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/5020-72-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/5020-70-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/5020-66-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/5020-64-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/5020-63-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/5020-60-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/5020-58-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/5020-56-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/5020-54-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/5020-52-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/5020-50-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/5020-48-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/5020-46-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/5020-44-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/5020-42-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/5020-40-0x0000000004B90000-0x0000000004BCE000-memory.dmp
memory/5020-943-0x0000000005200000-0x0000000005818000-memory.dmp
memory/5020-944-0x0000000005860000-0x000000000596A000-memory.dmp
memory/5020-945-0x00000000059A0000-0x00000000059B2000-memory.dmp
memory/5020-946-0x0000000005AC0000-0x0000000005AFC000-memory.dmp
memory/5020-947-0x0000000005B10000-0x0000000005B5C000-memory.dmp