Analysis Overview
SHA256
2068c0ad73997c7abc1b9bcde96b6e8ccf8435786f729d9cafeb6903569bcdf7
Threat Level: Known bad
The file 2068c0ad73997c7abc1b9bcde96b6e8ccf8435786f729d9cafeb6903569bcdf7 was found to be: Known bad.
Malicious Activity Summary
Redline family
RedLine payload
RedLine
Modifies Windows Defender Real-time Protection settings
Healer
Detects Healer an antivirus disabler dropper
Healer family
Executes dropped EXE
Windows security modification
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 20:23
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 20:23
Reported
2024-11-13 20:26
Platform
win10v2004-20241007-en
Max time kernel
141s
Max time network
149s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
2 matching rows; description, indicator, process and target all recorded as N/A.
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az608066.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az608066.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az608066.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az608066.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az608066.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az608066.exe | N/A |
RedLine
RedLine payload
35 matching rows; description, indicator, process and target all recorded as N/A.
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki123788.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki960717.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki905089.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki539106.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az608066.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu764058.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az608066.exe | N/A |
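The two tables above (the five Real-Time Protection policy values and the TamperProtection value, all written by az608066.exe) are the sample's Defender tampering. The following is an added detection example, not part of the sandbox report or of any vendor tool: it parses rows in the report's own "Set value" format, which carries the same (key, value name, data) triple a Sysmon Event ID 13 record does, normalises the kernel hive path to HKLM form and flags writes on a watchlist. The rows are copied from the tables above plus one constructed benign Run-key row as a negative control; the function and variable names are this example's own.

```python
"""Flag the registry writes above that switch Microsoft Defender features off.

Added example; it is not part of the sandbox report or of any vendor tool.
The rows in SAMPLE_ROWS are copied from the report's indicator tables, plus one
constructed benign Run-key row as a negative control. Function and variable
names are this example's own.
"""
from dataclasses import dataclass
from typing import Optional

# Values that disable a Defender feature when set to the listed data. The
# Policies path is the Group Policy location that Defender honours; the
# TamperProtection value lives under the product's own Features key.
# ATT&CK: T1562.001 (Impair Defenses: Disable or Modify Tools).
RTP_POLICY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
DEFENDER_WATCHLIST = {
    (RTP_POLICY, "DisableRealtimeMonitoring"): "1",
    (RTP_POLICY, "DisableBehaviorMonitoring"): "1",
    (RTP_POLICY, "DisableIOAVProtection"): "1",
    (RTP_POLICY, "DisableOnAccessProtection"): "1",
    (RTP_POLICY, "DisableScanOnRealtimeEnable"): "1",
    (r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features", "TamperProtection"): "0",
}

# Kernel object-manager hive names (as Sysmon and this report record them),
# mapped to the short names analysts usually search on.
HIVE_MAP = {r"\REGISTRY\MACHINE": "HKLM", r"\REGISTRY\USER": "HKU"}


@dataclass(frozen=True)
class RegistryWrite:
    process: str  # image path of the writing process
    key: str      # normalised key, e.g. HKLM\SOFTWARE\...
    value: str    # value name
    data: str     # data as a string, surrounding quotes removed


def normalise_key(kernel_path: str) -> str:
    """\\REGISTRY\\MACHINE\\X -> HKLM\\X; unknown prefixes are returned unchanged."""
    for kernel, short in HIVE_MAP.items():
        if kernel_path.upper().startswith(kernel.upper() + "\\"):
            return short + kernel_path[len(kernel):]
    return kernel_path


def parse_report_row(row: str) -> Optional[RegistryWrite]:
    """Parse one '| Set value (...) | <key>\\<value> = "<data>" | <process> | ... |' row.
    Rows for other event kinds (e.g. 'Key created') yield None."""
    cells = [c.strip() for c in row.strip().strip("|").split("|")]
    if len(cells) < 3 or not cells[0].startswith("Set value"):
        return None
    path, sep, data = cells[1].partition(" = ")
    if not sep:
        return None
    key, _, value = path.rpartition("\\")
    return RegistryWrite(process=cells[2], key=normalise_key(key),
                         value=value, data=data.strip('"'))


def find_defender_tampering(writes):
    """Return the writes whose (key, value) is watch-listed with matching data."""
    return [w for w in writes if DEFENDER_WATCHLIST.get((w.key, w.value)) == w.data]


SAMPLE_ROWS = [
    # Copied from the report (all written by az608066.exe):
    r'| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az608066.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az608066.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az608066.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az608066.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az608066.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az608066.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az608066.exe | N/A |',
    # Constructed benign control row (not from the report); must not be flagged:
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\Program Files\Microsoft OneDrive\OneDrive.exe" | C:\Windows\explorer.exe | N/A |',
]


def tampering_hits(rows=SAMPLE_ROWS):
    """(process basename, value name) pairs for every flagged write, sorted."""
    writes = [w for w in map(parse_report_row, rows) if w is not None]
    return sorted({(h.process.rsplit("\\", 1)[-1], h.value)
                   for h in find_defender_tampering(writes)})


if __name__ == "__main__":
    for proc, value in tampering_hits():
        print(f"{proc} set {value}")
```

Two things worth keeping in mind when turning this into a production rule. The sample writes the Group Policy location (HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\...), not the product key under HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection, so a check that only reads the product key misses it. And on a host with Tamper Protection enabled these writes, including the write to the TamperProtection value itself, are exactly what the feature is designed to block; the attempt, not a successful change, is the signal, and the sandbox image evidently let them through.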
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\2068c0ad73997c7abc1b9bcde96b6e8ccf8435786f729d9cafeb6903569bcdf7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki123788.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki960717.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki905089.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki539106.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki905089.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki539106.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu764058.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2068c0ad73997c7abc1b9bcde96b6e8ccf8435786f729d9cafeb6903569bcdf7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki123788.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki960717.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az608066.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az608066.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az608066.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu764058.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2068c0ad73997c7abc1b9bcde96b6e8ccf8435786f729d9cafeb6903569bcdf7.exe | "C:\Users\Admin\AppData\Local\Temp\2068c0ad73997c7abc1b9bcde96b6e8ccf8435786f729d9cafeb6903569bcdf7.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki123788.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki123788.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki960717.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki960717.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki905089.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki905089.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki539106.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki539106.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az608066.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az608066.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu764058.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu764058.exe |
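The five wextract_cleanup RunOnce values in the "Adds Run key" table and the process list above describe the packaging rather than persistence: each value is the cleanup hook that Microsoft's wextract self-extractor registers (rundll32 advpack.dll,DelNodeRunDLL32 on its IXP<nnn>.TMP directory, run at the next logon), and each is written by the executable that was itself unpacked one level up. The following is an added example, not part of the sandbox report, that rebuilds the nesting order from those entries and names the executables left in the innermost directory. The rows and the dropped-file paths are copied from the report's tables; the function names and the consistency checks are this example's own.

```python
"""Reconstruct the nested self-extractor chain from the RunOnce entries.

Added example; it is not part of the sandbox report. RUNONCE_ROWS and
DROPPED_EXES are copied from the report's "Adds Run key to start application"
and "Executes dropped EXE" tables; function names are this example's own.
The logic relies on one behaviour of Microsoft's wextract SFX stub: each
nesting level unpacks to %TEMP%\IXP<nnn>.TMP and registers
RunOnce\wextract_cleanup<n> (rundll32 advpack.dll,DelNodeRunDLL32) to delete
that directory at the next logon.
"""
import re

RUNONCE_ROWS = [
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\2068c0ad73997c7abc1b9bcde96b6e8ccf8435786f729d9cafeb6903569bcdf7.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki123788.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki960717.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki905089.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki539106.exe | N/A |',
]

DROPPED_EXES = [
    r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki123788.exe",
    r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki960717.exe",
    r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki905089.exe",
    r"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki539106.exe",
    r"C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az608066.exe",
    r"C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu764058.exe",
]

_STAGE_DIR = re.compile(r"IXP\d{3}\.TMP", re.IGNORECASE)
_CLEANUP = re.compile(r'wextract_cleanup(\d+)\s*=\s*"(.*)"')


def stage_dir(path):
    """The IXPnnn.TMP component of a path, upper-cased; None for the original sample."""
    m = _STAGE_DIR.search(path)
    return m.group(0).upper() if m else None


def parse_cleanup_entries(rows):
    """index -> (directory scheduled for deletion, process that registered it)."""
    entries = {}
    for row in rows:
        cells = [c.strip() for c in row.strip().strip("|").split("|")]
        if len(cells) < 3:
            continue
        m = _CLEANUP.search(cells[1])
        if m:
            entries[int(m.group(1))] = (stage_dir(m.group(2)), cells[2])
    return entries


def reconstruct_chain(rows=RUNONCE_ROWS, dropped=DROPPED_EXES):
    """Return ([(extractor_path, directory_it_unpacked_to), ...], [innermost payloads]).

    Stage n's extractor is the process that registered wextract_cleanup<n>; it
    must itself run from IXP<n-1>.TMP (or be the original sample for n == 0) and
    the indices must be contiguous from 0. Anything else is not a single nested
    chain, and the function refuses to guess.
    """
    entries = parse_cleanup_entries(rows)
    if sorted(entries) != list(range(len(entries))):
        raise ValueError(f"cleanup indices are not contiguous: {sorted(entries)}")
    chain = []
    for idx in sorted(entries):
        target_dir, extractor = entries[idx]
        parent_dir = None if idx == 0 else f"IXP{idx - 1:03d}.TMP"
        if stage_dir(extractor) != parent_dir or target_dir != f"IXP{idx:03d}.TMP":
            raise ValueError(f"wextract_cleanup{idx} breaks the nesting: {extractor}")
        chain.append((extractor, target_dir))
    final_dir = chain[-1][1] if chain else None
    extractors = {e for e, _ in chain}
    payloads = [p for p in dropped if stage_dir(p) == final_dir and p not in extractors]
    return chain, payloads


def basename(path):
    return path.rsplit("\\", 1)[-1]


if __name__ == "__main__":
    chain, payloads = reconstruct_chain()
    for depth, (extractor, target) in enumerate(chain):
        print("  " * depth + f"{basename(extractor)} -> {target}")
    print("  " * len(chain) + ", ".join(basename(p) for p in payloads))
```

Two practical consequences follow from the wextract behaviour. The "Adds Run key to start application" hits are the extractor's own cleanup entries, which delete the IXP directories at the next logon and do not start anything, so they are not the payload's persistence; and because of that scheduled deletion, the staged files under %TEMP%\IXP000.TMP to IXP004.TMP should be collected from an infected host before it is rebooted.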
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| RU | 185.161.248.152:38452 | | tcp |
| RU | 185.161.248.152:38452 | | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| RU | 185.161.248.152:38452 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| RU | 185.161.248.152:38452 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| RU | 185.161.248.152:38452 | | tcp |
| RU | 185.161.248.152:38452 | | tcp |
| RU | 185.161.248.152:38452 | | tcp |
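The capture above contains only reverse (PTR) lookups to 8.8.8.8 and seven TCP connections to 185.161.248.152:38452; no forward (A/AAAA) query precedes those connections, so the address was not resolved from a domain at run time. The following is an added example, not part of the sandbox report, that makes that observation mechanically: it parses the rows, separates DNS traffic from connections, decodes the PTR names back to addresses and reports any endpoint reached without a forward lookup. The rows are copied from the table above (with the TCP rows' columns in the Country, Destination, Domain, Proto order); the function names are this example's own.

```python
"""Summarise the sandbox capture: endpoints contacted, and whether any was
reached without a forward DNS lookup (i.e. from an address embedded in the
sample).

Added example; it is not part of the sandbox report. NETWORK_ROWS is copied
from the report's Network table; function names are this example's own.
"""
from collections import Counter

NETWORK_ROWS = [
    "| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |",
    "| RU | 185.161.248.152:38452 | | tcp |",
    "| RU | 185.161.248.152:38452 | | tcp |",
    "| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |",
    "| RU | 185.161.248.152:38452 | | tcp |",
    "| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |",
    "| RU | 185.161.248.152:38452 | | tcp |",
    "| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |",
    "| RU | 185.161.248.152:38452 | | tcp |",
    "| RU | 185.161.248.152:38452 | | tcp |",
    "| RU | 185.161.248.152:38452 | | tcp |",
]


def parse_rows(rows):
    """'| Country | ip:port | domain | proto |' rows -> list of event dicts."""
    events = []
    for row in rows:
        cells = [c.strip() for c in row.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        country, dest, domain, proto = cells
        ip, _, port = dest.rpartition(":")
        events.append({"country": country, "ip": ip, "port": int(port),
                       "domain": domain, "proto": proto.lower()})
    return events


def ptr_target(name):
    """'28.118.140.52.in-addr.arpa' -> '52.140.118.28'; None for any other name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    return ".".join(reversed(name[:-len(suffix)].split(".")))


def is_dns(event):
    return event["proto"] == "udp" and event["port"] == 53


def summarise(rows=NETWORK_ROWS):
    events = parse_rows(rows)
    forward_queries = sorted({e["domain"] for e in events
                              if is_dns(e) and e["domain"] and ptr_target(e["domain"]) is None})
    ptr_lookups = sorted({ptr_target(e["domain"]) for e in events
                          if is_dns(e) and ptr_target(e["domain"])})
    connections = Counter(f'{e["ip"]}:{e["port"]}/{e["proto"]}'
                          for e in events if not is_dns(e))
    # With no forward query anywhere in the capture, every non-DNS endpoint had
    # to come from the sample itself (or from a resolver the capture did not see).
    hardcoded = sorted(connections) if not forward_queries else []
    return {"forward_queries": forward_queries, "ptr_lookups": ptr_lookups,
            "connections": dict(connections), "hardcoded_endpoints": hardcoded}


if __name__ == "__main__":
    for key, value in summarise().items():
        print(f"{key}: {value}")
```

The table carries queries but not answers, so the hard-coded verdict is only decisive when, as here, there is no forward query at all; with forward queries present you need the pcap to match answers to the later connections. For this sample the actionable item is the endpoint itself, 185.161.248.152 on TCP/38452, repeated seven times within the 149 s window.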
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki123788.exe
| MD5 | 81695a25572f9b04f59a40e9255436e9 |
| SHA1 | d3c0e748f96d847e21343e32258bfefa92639b62 |
| SHA256 | e43217264dce9e9e706f490764a84e54ad3137e7c11257e539011f47a8b5c510 |
| SHA512 | d588355a7018e86b3895da68add882e4c2bce7a58a48ff38fb9f2b839333923f7badcf006705ee2b56741e37bb22aef31de4740f0104b707e2c5e6131e226878 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki960717.exe
| MD5 | a8fa8b5b703cd4a989ebe6d3db1cc979 |
| SHA1 | a2fa8e852ce71c8a30d8b169b0f3e353e63385f3 |
| SHA256 | 4fa8e60aa9a1518ecb06e8f4175024c4c4c619a84e1873806c43e2042e38cd85 |
| SHA512 | 98064a4eae9de3c9dd66979991c36027afbfda471ba5d86b4b3bea0a7eea1ab434924d67a37c83ca2493dd41ab316a4bbff2a9e6cac9c01222e1935a0c1d9fef |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki905089.exe
| MD5 | 6dddc4eed66aeae399550478f80ceccd |
| SHA1 | 5a394c340ef198966e44a541824f0c743ff857e9 |
| SHA256 | a431548c5449115dc12c53266da5294f606369066f03d93efc87c2f4d3ccb44c |
| SHA512 | 8c0cdd158dc94c36e96e4baed5008b1de334dd7a7490490978154cc8b2843435b1c9f682c01b60162a0106c0329b9f19775bf0bc68b91af2360f62af8c772c1d |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki539106.exe
| MD5 | 29fc7e4116d91cfa05827b9d438b0762 |
| SHA1 | 3e4a5ecd904af4e6178c03d8bbe4fde231acd741 |
| SHA256 | e507f88f40fa5a08de94652d237f07fca16bc762af44bc9618812405f6af539d |
| SHA512 | fc1995e59743f32d4dad2fda56ae13015c8ede26abd07602904f686022e7ab89de095d174854615bfcb64f25d22cc17dd6c4329882e3daa9f880424e0eb90e97 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az608066.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/2024-35-0x0000000000100000-0x000000000010A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu764058.exe
| MD5 | 1b19fb007cece0cb3086c05822851636 |
| SHA1 | b595026b70930eb8642ff1506f1516ac28d772f2 |
| SHA256 | eed41f31904040aa00292202a481d7fbedad4af7cb2edb54bc24ccf3b928b8df |
| SHA512 | 8416b777a0786a5e97c6150cfb6b038c39b8478a6d87f1d4f516d0aba3f094237b1348b9febb848a13b009239423575469bace06c0638befe1210232ae3a965c |
memory/4816-41-0x0000000004BB0000-0x0000000004BEC000-memory.dmp
memory/4816-42-0x0000000007350000-0x00000000078F4000-memory.dmp
memory/4816-43-0x0000000004C30000-0x0000000004C6A000-memory.dmp
memory/4816-{44,45,47,49,51,53,55,57,59,61,63,65,67,69,71,73,75,77,79,81,83,85,87,89,91,93,96,97,99,101,103,105,107}-0x0000000004C30000-0x0000000004C65000-memory.dmp (33 dumps of the same 0x35000-byte region)
memory/4816-836-0x0000000009C80000-0x000000000A298000-memory.dmp
memory/4816-837-0x000000000A330000-0x000000000A342000-memory.dmp
memory/4816-838-0x000000000A350000-0x000000000A45A000-memory.dmp
memory/4816-839-0x000000000A470000-0x000000000A4AC000-memory.dmp
memory/4816-840-0x0000000004B00000-0x0000000004B4C000-memory.dmp