Analysis Overview
SHA256
704838bc324d2987faaf9994ed1c5de52f4bf61f15e5b8e8b2257389c0480b73
Threat Level: Known bad
The file 704838bc324d2987faaf9994ed1c5de52f4bf61f15e5b8e8b2257389c0480b73N.exe was found to be: Known bad.
Malicious Activity Summary
Healer family
RedLine payload
Healer
Redline family
RedLine
Detects Healer an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
Executes dropped EXE
Windows security modification
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 15:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 15:06
Reported
2024-11-13 15:09
Platform
win10v2004-20241007-en
Max time kernel
115s
Max time network
117s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| 2 matches (per-match details not captured in this extraction) | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw70yG67Wh11.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw70yG67Wh11.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw70yG67Wh11.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw70yG67Wh11.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw70yG67Wh11.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw70yG67Wh11.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| 35 matches (per-match details not captured in this extraction) | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkny1686yh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw70yG67Wh11.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tkEM95aM09mQ.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw70yG67Wh11.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\704838bc324d2987faaf9994ed1c5de52f4bf61f15e5b8e8b2257389c0480b73N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkny1686yh.exe | N/A |
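Read together, the three registry signatures above describe the whole chain. sw70yG67Wh11.exe writes the five Real-Time Protection policy values and sets Features\TamperProtection to 0, which is the Healer "antivirus disabler" behaviour. The two RunOnce entries are a different matter: wextract_cleanup0 and wextract_cleanup1 with rundll32 advpack.dll,DelNodeRunDLL32 are the standard hook the Windows self-extractor (wextract, the IExpress stub) writes so that its IXPnnn.TMP staging directory is deleted at the next logon. That is a packaging artefact rather than persistence, so the "Adds Run key" signature should not be read as the malware installing itself; what it does tell you is that the outer file unpacked into IXP000.TMP, and that vkny1686yh.exe is itself a second wextract package that unpacked into IXP001.TMP, dropping both sw70yG67Wh11.exe (Healer) and tkEM95aM09mQ.exe (the process whose memory dumps dominate the Files section, and the most likely RedLine carrier). The following Python is an added example, not Triage's code or anything from the sample: it runs the three rules over constructed registry events modelled on the rows above (Sysmon Event ID 13 shape: image, target object, details), tells the wextract cleanup entries apart from a real Run-key write (the last event is an invented control), and rolls findings up per process the way the report's signature list does. The rule names, the severity scale and the HKLM/HKU normalisation are this example's own choices.

```python
import re
from collections import defaultdict

# Process images taken from the report's indicator rows.
OUTER = r"C:\Users\Admin\AppData\Local\Temp\704838bc324d2987faaf9994ed1c5de52f4bf61f15e5b8e8b2257389c0480b73N.exe"
STAGE1 = r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkny1686yh.exe"
HEALER = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw70yG67Wh11.exe"

# Constructed "registry value set" events (Sysmon Event ID 13 shape: image,
# target object, details) modelled on the report's rows. The last event is an
# invented control, an ordinary Run-key persistence write, so the rules can be
# seen telling it apart from the wextract cleanup entries.
SAMPLE_EVENTS = [
    (HEALER, r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring", "DWORD (0x00000001)"),
    (HEALER, r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring", "DWORD (0x00000001)"),
    (HEALER, r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection", "DWORD (0x00000001)"),
    (HEALER, r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection", "DWORD (0x00000000)"),
    (OUTER, r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'),
    (STAGE1, r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"'),
    (r"C:\Users\Admin\AppData\Roaming\svchost.exe",  # constructed control, not from the report
     r"\REGISTRY\USER\S-1-5-21-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     r'"C:\Users\Admin\AppData\Roaming\svchost.exe"'),
]

# Rules, written against the normalised HKLM\... / HKU\... form produced below.
RTP_POLICY = re.compile(r"^HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\(Disable\w+)$", re.I)
TAMPER = re.compile(r"^HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection$", re.I)
RUNKEY = re.compile(r"^(?:HKLM|HKU)\\.*\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.I)
WEXTRACT_CLEANUP = re.compile(r"advpack\.dll,DelNodeRunDLL32\s+\"?([^\"]*IXP\d{3}\.TMP)", re.I)


def normalise_key(path):
    """Map native (\\REGISTRY\\MACHINE) and Win32 (HKEY_LOCAL_MACHINE) spellings to one form
    and fold the WOW6432Node view, so one rule covers 32- and 64-bit writers."""
    p = re.sub(r"^\\REGISTRY\\MACHINE\\", "HKLM\\\\", path, flags=re.I)
    p = re.sub(r"^\\REGISTRY\\USER\\", "HKU\\\\", p, flags=re.I)
    p = re.sub(r"^HKEY_LOCAL_MACHINE\\", "HKLM\\\\", p, flags=re.I)
    return re.sub(r"\\WOW6432Node\\", "\\\\", p, flags=re.I)


def dword_value(details):
    """Pull the integer out of a 'DWORD (0x...)' details field; None for string values."""
    m = re.search(r"0x([0-9a-f]+)", details, re.I)
    return int(m.group(1), 16) if m else None


def triage(events):
    """Classify registry writes; returns one finding dict per matching event."""
    findings = []
    for image, key, details in events:
        k = normalise_key(key)
        val = dword_value(details)
        if (m := RTP_POLICY.match(k)) and val == 1:
            findings.append({"severity": "high", "rule": "defender_rtp_policy_disabled",
                             "process": image, "detail": m.group(1)})
        elif TAMPER.match(k) and val == 0:
            findings.append({"severity": "high", "rule": "tamper_protection_disabled",
                             "process": image, "detail": "TamperProtection=0"})
        elif (m := RUNKEY.match(k)):
            name, cleanup = m.group(2), WEXTRACT_CLEANUP.search(details)
            if cleanup and name.lower().startswith("wextract_cleanup"):
                # Self-extractor (wextract/IExpress) hook that deletes its IXPnnn.TMP
                # directory at next logon: packaging artefact, not persistence, but it
                # names the staging directory worth collecting from the host.
                findings.append({"severity": "info", "rule": "wextract_sfx_cleanup",
                                 "process": image, "detail": cleanup.group(1)})
            else:
                findings.append({"severity": "medium", "rule": "run_key_persistence",
                                 "process": image, "detail": f"{m.group(1)}\\{name} = {details}"})
    return findings


def summarise(findings):
    """Roll findings up per process, the way the report's signature list does."""
    rules = defaultdict(set)
    for f in findings:
        rules[f["process"]].add(f["rule"])
    verdict = "known bad" if any(f["severity"] == "high" for f in findings) else "review"
    return {
        "verdict": verdict,
        "rules_by_process": {p: sorted(r) for p, r in rules.items()},
        "sfx_temp_dirs": sorted(f["detail"] for f in findings if f["rule"] == "wextract_sfx_cleanup"),
    }


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        image = f["process"].rsplit("\\", 1)[-1]
        print(f"[{f['severity']:<6}] {f['rule']:<30} {image:<24} {f['detail']}")
    print(summarise(found))
```

On a live host the same three checks translate directly: the policy values only take effect if they exist, so their mere presence under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection on a machine that is not managed by Group Policy is itself a finding, and a TamperProtection flip to 0 from a user-mode process should be escalated regardless of what else the process did.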
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\704838bc324d2987faaf9994ed1c5de52f4bf61f15e5b8e8b2257389c0480b73N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkny1686yh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tkEM95aM09mQ.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw70yG67Wh11.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw70yG67Wh11.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw70yG67Wh11.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tkEM95aM09mQ.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\704838bc324d2987faaf9994ed1c5de52f4bf61f15e5b8e8b2257389c0480b73N.exe
"C:\Users\Admin\AppData\Local\Temp\704838bc324d2987faaf9994ed1c5de52f4bf61f15e5b8e8b2257389c0480b73N.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkny1686yh.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkny1686yh.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw70yG67Wh11.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw70yG67Wh11.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tkEM95aM09mQ.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tkEM95aM09mQ.exe
Network
| Country | Destination | Domain | Proto | Count |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | pepunn.com | udp | 17 |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | pepunn.com | udp | 4 |
(consecutive identical rows collapsed; 21 pepunn.com queries in total, all DNS over udp/53, with no TCP connection recorded during the run)
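Two things in the network table need separating before anything goes into a blocklist. The in-addr.arpa rows are PTR (reverse) lookups, and once decoded they point at addresses (52.167.249.196, 2.23.210.83, 20.190.159.68, 192.229.221.95, 52.111.229.48) that appear to sit in Microsoft and CDN space Windows contacts on its own; treat them as sandbox background noise unless something else ties them to the sample. The 21 queries for pepunn.com, on the other hand, with no TCP connection anywhere in the capture, mean the resolver never handed back a usable answer (or egress was blocked), and the retry loop is itself the beacon signature. The Python below is an added example, not part of the report or of any sandbox tooling: it reads constructed rows in the table's own layout (the repeat multipliers reproduce the counts above), decodes the PTR names, counts forward queries per domain, and reports any domain that was queried but never contacted as an unresolved C2 candidate, defanged for pasting into a ticket.

```python
import ipaddress
from collections import Counter

# Constructed rows in the report's "Country | Destination | Domain | Proto" layout;
# the multipliers reproduce the counts in the table above, but this list is sample
# input for the example, not sandbox output.
DNS = "8.8.8.8:53"
SAMPLE_ROWS = (
    [("US", DNS, "196.249.167.52.in-addr.arpa", "udp"),
     ("US", DNS, "83.210.23.2.in-addr.arpa", "udp"),
     ("US", DNS, "68.159.190.20.in-addr.arpa", "udp"),
     ("US", DNS, "95.221.229.192.in-addr.arpa", "udp")]
    + [("US", DNS, "pepunn.com", "udp")] * 17
    + [("US", DNS, "48.229.111.52.in-addr.arpa", "udp")]
    + [("US", DNS, "pepunn.com", "udp")] * 4
)

PTR_SUFFIX = ".in-addr.arpa"


def ptr_to_ip(name):
    """Decode a reverse-lookup name back into the IPv4 address that was looked up,
    or return None when the name is an ordinary forward query."""
    if not name.lower().endswith(PTR_SUFFIX):
        return None
    octets = name[: -len(PTR_SUFFIX)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def defang(domain):
    """Render an indicator so it is not clickable in a report or ticket."""
    return domain.replace(".", "[.]")


def analyse(rows):
    forward = Counter()   # forward queries per domain
    ptr_targets = []      # addresses behind the PTR queries
    connections = []      # anything that is not a DNS query
    for _country, dest, domain, proto in rows:
        if proto == "udp" and dest.endswith(":53"):
            ip = ptr_to_ip(domain)
            if ip:
                ptr_targets.append(ip)
            else:
                forward[domain.lower()] += 1
        else:
            connections.append((dest, domain, proto))
    # A domain queried repeatedly while no non-DNS connection appears in the capture
    # means the resolver gave no usable answer (or egress was blocked); the retries
    # are the signal, so report it rather than dropping it for lack of an address.
    contacted = {d.lower() for _dest, d, _proto in connections if d}
    candidates = [(defang(d), n) for d, n in forward.most_common() if d not in contacted]
    return {
        "forward_queries": dict(forward),
        "ptr_targets": ptr_targets,
        "connections": connections,
        "unresolved_candidates": candidates,
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_ROWS)
    print("PTR lookups (likely OS background):", ", ".join(result["ptr_targets"]))
    for domain, n in result["unresolved_candidates"]:
        print(f"unresolved C2 candidate: {domain} ({n} queries, no connection recorded)")
```

When the same sample is detonated with a resolving network, the connections list fills in and the candidate becomes a contacted domain with an address and port to pivot on; the split between PTR noise and forward queries stays the same.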
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkny1686yh.exe
| MD5 | c2cfdec6d25aea3d64cfc620d7fb9812 |
| SHA1 | 07811bd719ad0f5003cf328447b3f93450bf6ade |
| SHA256 | 1b0e973a52aa455725e09352241a64cd27d6d693ff2a8761bb9ecf8bfab24d8b |
| SHA512 | d1313688a816b4d84b70851437c26d329263d17653c6bfbbe80bf0a1a704d147301b7ae7172953ec0abb3f8a40f9bb15f0886f278afccc3711e36d09e01071d8 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw70yG67Wh11.exe
| MD5 | 98475455283a70d0b00a4f2162dfb46e |
| SHA1 | 8ad058b239576dd55d7ad1b37f70bde911b38559 |
| SHA256 | ef4f2b0284957337afe6a673734a5a4127fdbae9738a37d4490efec62dab7d95 |
| SHA512 | 02f21725df2d3bcb5786f78762572333327af0cd1c85fa3fe14839ce9ad2dec5b6604c80460764d285d9bd1612f45a22404cb4f24045b10d5075ff0df7fb7da5 |
memory/4664-14-0x00007FFDC39B3000-0x00007FFDC39B5000-memory.dmp
memory/4664-15-0x0000000000780000-0x000000000078A000-memory.dmp
memory/4664-16-0x00007FFDC39B3000-0x00007FFDC39B5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tkEM95aM09mQ.exe
| MD5 | 4a99afd6ed76b99078df204b18a8b896 |
| SHA1 | f31f5bc1af96226972ccb4f09f31e951bf8c8c50 |
| SHA256 | ef798a02a3eb5140e2cf2f4a5cc1baa245c94df5a355e26fb5e1371f7f832473 |
| SHA512 | 79d7fe86efd6624e78af1bdd89713ccf1a0de364ce87a1b1faa904643d5efe003e2083134cd99f78dde26c4587cee6fa8fa02153cbd24a452c49a1e95d94c6d4 |
memory/1504-22-0x0000000004B70000-0x0000000004BB6000-memory.dmp
memory/1504-23-0x0000000007510000-0x0000000007AB4000-memory.dmp
memory/1504-24-0x0000000007310000-0x0000000007354000-memory.dmp
memory/1504-34-0x0000000007310000-0x000000000734E000-memory.dmp
memory/1504-36-0x0000000007310000-0x000000000734E000-memory.dmp
memory/1504-88-0x0000000007310000-0x000000000734E000-memory.dmp
memory/1504-86-0x0000000007310000-0x000000000734E000-memory.dmp
memory/1504-84-0x0000000007310000-0x000000000734E000-memory.dmp
memory/1504-82-0x0000000007310000-0x000000000734E000-memory.dmp
memory/1504-80-0x0000000007310000-0x000000000734E000-memory.dmp
memory/1504-78-0x0000000007310000-0x000000000734E000-memory.dmp
memory/1504-76-0x0000000007310000-0x000000000734E000-memory.dmp
memory/1504-74-0x0000000007310000-0x000000000734E000-memory.dmp
memory/1504-72-0x0000000007310000-0x000000000734E000-memory.dmp
memory/1504-70-0x0000000007310000-0x000000000734E000-memory.dmp
memory/1504-68-0x0000000007310000-0x000000000734E000-memory.dmp
memory/1504-66-0x0000000007310000-0x000000000734E000-memory.dmp
memory/1504-64-0x0000000007310000-0x000000000734E000-memory.dmp
memory/1504-62-0x0000000007310000-0x000000000734E000-memory.dmp
memory/1504-60-0x0000000007310000-0x000000000734E000-memory.dmp
memory/1504-56-0x0000000007310000-0x000000000734E000-memory.dmp
memory/1504-54-0x0000000007310000-0x000000000734E000-memory.dmp
memory/1504-52-0x0000000007310000-0x000000000734E000-memory.dmp
memory/1504-50-0x0000000007310000-0x000000000734E000-memory.dmp
memory/1504-48-0x0000000007310000-0x000000000734E000-memory.dmp
memory/1504-46-0x0000000007310000-0x000000000734E000-memory.dmp
memory/1504-44-0x0000000007310000-0x000000000734E000-memory.dmp
memory/1504-42-0x0000000007310000-0x000000000734E000-memory.dmp
memory/1504-40-0x0000000007310000-0x000000000734E000-memory.dmp
memory/1504-38-0x0000000007310000-0x000000000734E000-memory.dmp
memory/1504-32-0x0000000007310000-0x000000000734E000-memory.dmp
memory/1504-30-0x0000000007310000-0x000000000734E000-memory.dmp
memory/1504-28-0x0000000007310000-0x000000000734E000-memory.dmp
memory/1504-58-0x0000000007310000-0x000000000734E000-memory.dmp
memory/1504-26-0x0000000007310000-0x000000000734E000-memory.dmp
memory/1504-25-0x0000000007310000-0x000000000734E000-memory.dmp
memory/1504-931-0x0000000007AC0000-0x00000000080D8000-memory.dmp
memory/1504-932-0x00000000080E0000-0x00000000081EA000-memory.dmp
memory/1504-933-0x0000000007440000-0x0000000007452000-memory.dmp
memory/1504-934-0x0000000007460000-0x000000000749C000-memory.dmp
memory/1504-935-0x00000000074B0000-0x00000000074FC000-memory.dmp