Analysis Overview
SHA256
26959627cc04dfa9f5af7ce16521372f69190f8244673df72e99c21c436314a6
Threat Level: Known bad
The file 26959627cc04dfa9f5af7ce16521372f69190f8244673df72e99c21c436314a6 was found to be: Known bad.
Malicious Activity Summary
Detects Healer an antivirus disabler dropper
Redline family
RedLine
Modifies Windows Defender Real-time Protection settings
Healer family
Healer
RedLine payload
Executes dropped EXE
Windows security modification
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 20:34
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 20:34
Reported
2024-11-13 20:37
Platform
win10v2004-20241007-en
Max time kernel
144s
Max time network
148s
Signatures
Detects Healer an antivirus disabler dropper
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupU57YL07.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupU57YL07.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupU57YL07.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupU57YL07.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupU57YL07.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupU57YL07.exe | N/A |
RedLine
RedLine payload
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pltl28SX42.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plUA07sK23.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plSC79Ev52.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plDv13Mo92.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupU57YL07.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caVZ71Tq47.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupU57YL07.exe | N/A |
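The Real-Time Protection policy writes above and the TamperProtection flag are the registry events a responder would want to pick out of any endpoint telemetry, not just this sandbox. The following is an added example in Python, not code from the report or from the sandbox vendor: it parses rows in the report's own table layout into events and flags every write that sets a Defender feature to "off". The sample rows are constructed by copying this report's Defender rows and adding one unrelated RunOnce row that must not fire; the key-to-value table is limited to the settings this detonation touched. One caveat: on a host where Tamper Protection is enforced, Defender does not honour these policy values and protects its own settings, including the TamperProtection flag, so a write succeeding in a sandbox does not by itself prove real-time protection was turned off; confirm the live state with Get-MpComputerStatus (RealTimeProtectionEnabled, IsTamperProtected).

```python
import re
from typing import NamedTuple, Optional

# One registry-write row of the report: "| action | indicator | process | target |".
class RegEvent(NamedTuple):
    action: str                # "Set value (int)", "Set value (str)" or "Key created"
    key: str                   # key path with the \REGISTRY\MACHINE\ (HKLM) prefix removed
    value_name: Optional[str]  # None for "Key created"
    data: Optional[str]        # data without surrounding quotes, None for "Key created"
    process: str               # image that performed the write

HIVE_PREFIX = re.compile(r"^\\REGISTRY\\MACHINE\\", re.IGNORECASE)

# Defender settings this detonation touched, with the data that turns the feature off.
RTP_POLICY = r"SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEATURES = r"SOFTWARE\Microsoft\Windows Defender\Features"
DEFENDER_OFF = {
    (RTP_POLICY.lower(), "disablerealtimemonitoring"): "1",
    (RTP_POLICY.lower(), "disablebehaviormonitoring"): "1",
    (RTP_POLICY.lower(), "disableioavprotection"): "1",
    (RTP_POLICY.lower(), "disableonaccessprotection"): "1",
    (RTP_POLICY.lower(), "disablescanonrealtimeenable"): "1",
    (FEATURES.lower(), "tamperprotection"): "0",
}

def parse_row(row: str) -> RegEvent:
    """Turn one report table row into a RegEvent; raises on rows without three cells."""
    cells = [c.strip() for c in row.strip().strip("|").split("|")]
    if len(cells) < 3:
        raise ValueError(f"not a registry row: {row!r}")
    action, indicator, process = cells[0], cells[1], cells[2]
    # "Set value" rows are "<key>\<value> = "<data>""; "Key created" rows are just "<key>".
    path, sep, data = indicator.partition(" = ")
    path = HIVE_PREFIX.sub("", path)
    if not sep:
        return RegEvent(action, path, None, None, process)
    key, _, value_name = path.rpartition("\\")
    return RegEvent(action, key, value_name, data.strip('"'), process)

def find_defender_tampering(events):
    """Return (process, value_name) for every write that disables a Defender feature."""
    hits = []
    for ev in events:
        if ev.value_name is None:       # key creation alone is not a policy change
            continue
        expected = DEFENDER_OFF.get((ev.key.lower(), ev.value_name.lower()))
        if expected is not None and ev.data == expected:
            hits.append((ev.process, ev.value_name))
    return hits

# Constructed sample: this report's Defender rows (indices 0-6) plus an unrelated
# RunOnce row (index 7) that must not be reported.
SAMPLE_ROWS = [
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupU57YL07.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupU57YL07.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupU57YL07.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupU57YL07.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupU57YL07.exe | N/A |',
    r'| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupU57YL07.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupU57YL07.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\26959627cc04dfa9f5af7ce16521372f69190f8244673df72e99c21c436314a6.exe | N/A |',
]

if __name__ == "__main__":
    for process, value_name in find_defender_tampering(parse_row(r) for r in SAMPLE_ROWS):
        print(f"{process.rsplit(chr(92), 1)[1]} disabled {value_name}")
```

Matching is on the normalised key path and value name, case-insensitively, with the data compared exactly; a write of "0" to a Disable* policy (re-enabling the feature) is deliberately not a hit.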
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plUA07sK23.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plSC79Ev52.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plDv13Mo92.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\26959627cc04dfa9f5af7ce16521372f69190f8244673df72e99c21c436314a6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pltl28SX42.exe | N/A |
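The wextract_cleanupN values are what a self-extracting IExpress/wextract stub registers so that rundll32 advpack.dll,DelNodeRunDLL32 removes its IXP00N.TMP directory at next logon; five of them in one detonation, each written by the executable unpacked in the previous directory, is the signature of a nested dropper. The following is an added example in Python, not code from the report or the sandbox vendor: it parses the RunOnce rows and the "Executes dropped EXE" rows above (copied here as constructed sample data) into an ordered stage list and checks that the nesting is self-consistent. It relies on one inference the report does not state outright, that the process writing wextract_cleanupN is the stub that extracted into IXP00N.TMP.

```python
import re
from collections import defaultdict

# Data of each RunOnce value: wextract schedules deletion of its own extraction
# directory. The report double-escapes backslashes and quotes inside the data,
# so the regex matches the escaped form and the result is unescaped afterwards.
CLEANUP = re.compile(
    r'wextract_cleanup(?P<n>\d+) = "rundll32\.exe .*?DelNodeRunDLL32 \\"(?P<dir>.+?)\\"',
    re.IGNORECASE,
)

def cells(row):
    """Split one '| a | b | c | d |' report row into stripped cells."""
    return [c.strip() for c in row.strip().strip("|").split("|")]

def parse_cleanup(row):
    """Return (stage, extraction_dir, extractor) for a wextract_cleanup row, else None."""
    _action, indicator, process = cells(row)[:3]
    m = CLEANUP.search(indicator)
    if not m:
        return None
    extraction_dir = m.group("dir").replace("\\\\", "\\").rstrip("\\")
    return int(m.group("n")), extraction_dir, process

def build_chain(runonce_rows, dropped_exes):
    """Order stages by N and attach the EXEs dropped into each stage's directory.

    Inference (not stated by the report): the process that registers cleanup of
    IXP00N.TMP is the wextract stub that unpacked into it.
    """
    stages = {}
    for row in runonce_rows:
        parsed = parse_cleanup(row)
        if parsed:
            n, extraction_dir, extractor = parsed
            stages[n] = (extractor, extraction_dir)
    by_dir = defaultdict(list)
    for exe in dropped_exes:
        parent, _, _ = exe.rpartition("\\")
        by_dir[parent.lower()].append(exe)
    return [
        (n, stages[n][0], stages[n][1], sorted(by_dir.get(stages[n][1].lower(), [])))
        for n in sorted(stages)
    ]

def nesting_is_consistent(chain):
    """True when every stage's extractor was itself dropped by the previous stage."""
    for prev, cur in zip(chain, chain[1:]):
        if cur[1] not in prev[3]:
            return False
    return True

def render(chain):
    """Indented tree: the root sample, then each dropped EXE under its stage."""
    lines = [chain[0][1].rsplit("\\", 1)[1]] if chain else []
    for n, _extractor, extraction_dir, payloads in chain:
        dir_name = extraction_dir.rsplit("\\", 1)[1]
        for exe in payloads:
            name = exe.rsplit("\\", 1)[1]
            lines.append("  " * (n + 1) + name + "  [" + dir_name + "]")
    return lines

# Constructed sample: the report's "Adds Run key" and "Executes dropped EXE" rows.
RUNONCE_ROWS = [
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plUA07sK23.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plSC79Ev52.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plDv13Mo92.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\26959627cc04dfa9f5af7ce16521372f69190f8244673df72e99c21c436314a6.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pltl28SX42.exe | N/A |',
]
DROPPED_EXES = [cells(r)[2] for r in [
    r'| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pltl28SX42.exe | N/A |',
    r'| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plUA07sK23.exe | N/A |',
    r'| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plSC79Ev52.exe | N/A |',
    r'| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plDv13Mo92.exe | N/A |',
    r'| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupU57YL07.exe | N/A |',
    r'| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caVZ71Tq47.exe | N/A |',
]]

if __name__ == "__main__":
    chain = build_chain(RUNONCE_ROWS, DROPPED_EXES)
    print("\n".join(render(chain)))
    print("nesting consistent:", nesting_is_consistent(chain))
```

The consistency check is the useful part for triage: when it holds, the five RunOnce keys are one linear unpacking chain rather than five unrelated installers, and the last directory (IXP004.TMP here) is where the real payloads, the Defender disabler and the stealer, land.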
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pltl28SX42.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plUA07sK23.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plSC79Ev52.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plDv13Mo92.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caVZ71Tq47.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\26959627cc04dfa9f5af7ce16521372f69190f8244673df72e99c21c436314a6.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupU57YL07.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupU57YL07.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupU57YL07.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caVZ71Tq47.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\26959627cc04dfa9f5af7ce16521372f69190f8244673df72e99c21c436314a6.exe | "C:\Users\Admin\AppData\Local\Temp\26959627cc04dfa9f5af7ce16521372f69190f8244673df72e99c21c436314a6.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pltl28SX42.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pltl28SX42.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plUA07sK23.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plUA07sK23.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plSC79Ev52.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plSC79Ev52.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plDv13Mo92.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plDv13Mo92.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupU57YL07.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupU57YL07.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caVZ71Tq47.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caVZ71Tq47.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | | tcp |
| RU | 193.233.20.24:4123 | | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| RU | 193.233.20.24:4123 | | tcp |
| RU | 193.233.20.24:4123 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pltl28SX42.exe
| MD5 | 1a29062a3b6ecfb1e0e15146e3f4a0f0 |
| SHA1 | f7ca636a88707be0daa090e81abd991d3e85a15c |
| SHA256 | 755f4344d6c0333adf37b3d731b959327e2bbf5bcea4f316d4a288c801ab86e9 |
| SHA512 | 7c3b557c47c254daef57c31209e25b1ce329d2829abaea20a259fd6dc2124b3ca45c7ef3037b7e6fda75bdcc418841296748d7206eb7b759bb3f95d125cda885 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plUA07sK23.exe
| MD5 | be704dd2becfc994a21d58a33e93ba97 |
| SHA1 | b9b42f262eb32e4d3cb9fc1fc40cfcf87b62c87c |
| SHA256 | 39d10d316230362d345728bc995a0710205b1e011d14a06cab138f7a2b066c1c |
| SHA512 | 41e1978648ae815d1a86c1c9b4dd47ee236acff24dc43c428ed91dc70d04035514c17aa76308fc4cd1e7bd7ac4c5240f3df6f445c1b10ee7c9e8922c0cffbc46 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plSC79Ev52.exe
| MD5 | 595012eba8deca6530704fd09b6d27b6 |
| SHA1 | ec095c60658465fba60d326545a24460bed0875d |
| SHA256 | a497a6c1cbe29e984eb2b74a7ffd4df3e9fc7e1cec9dbed4703edc6bf679dbc4 |
| SHA512 | d3dc363c2180669d25237f2475c9eb9914c8b97cf4b3fa4f4f01202e1272fe2dafced4fe582a3a8bcfa18c3b6690ded1709e6de13749d7a14f7f51b0250832c5 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plDv13Mo92.exe
| MD5 | fb801db9f05b95fd3db16a4d59c6e346 |
| SHA1 | 3635ac9b4370430de1b9d709672a1014050bcd67 |
| SHA256 | e2d6e7b34ab435e695604014b09678344d950997b922bed43888cf388db73426 |
| SHA512 | a12d5995484fe9a3f02e7187d19d5ada35b4065198593b833c52dfbfbae870a232b12a36789789d44690ff017ba689107ca31606b0026ba2b5f80350402d6089 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupU57YL07.exe
| MD5 | 6fc39149b0ad5a9cc8f325e78d2c1d45 |
| SHA1 | d07a1d90a20a80c0ac215d3bb30f9311481e3d86 |
| SHA256 | 4465c8a76b5fdf1f2cd4a4bf81397e6366ede4f0333933e2474e380fd21c1301 |
| SHA512 | e44629576500f40ee9431f0ccc57a313f88496084bb2c4b54124ba46fe23d2f8afc7046c5443966a6f0d6ad69ec8fd7aa2ab0312a1a2873d85c824670bd6c486 |
memory/944-35-0x00000000007E0000-0x00000000007EA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caVZ71Tq47.exe
| MD5 | 5b4052ee747278a02dac44898f59aaee |
| SHA1 | 6b59810f74916a6921ea2276b57b6f5f61c79654 |
| SHA256 | baddc727c186e86b475b2b6dd68a39db563c8f1b6129e7e5f88fb4060cb7ee80 |
| SHA512 | 9d14b58234c4790199902771cecd0723a17e01e7fd1cc5a66d7d92e1848de7347e86429c8985ea885e345e0a80d550af5b4629c98a8e30142c8c21201d7e2c23 |
memory/4228-41-0x0000000002630000-0x0000000002676000-memory.dmp
memory/4228-42-0x0000000004DD0000-0x0000000005374000-memory.dmp
memory/4228-43-0x0000000002820000-0x0000000002864000-memory.dmp
memory/4228-45-0x0000000002820000-0x000000000285E000-memory.dmp
memory/4228-44-0x0000000002820000-0x000000000285E000-memory.dmp
memory/4228-61-0x0000000002820000-0x000000000285E000-memory.dmp
memory/4228-107-0x0000000002820000-0x000000000285E000-memory.dmp
memory/4228-105-0x0000000002820000-0x000000000285E000-memory.dmp
memory/4228-103-0x0000000002820000-0x000000000285E000-memory.dmp
memory/4228-101-0x0000000002820000-0x000000000285E000-memory.dmp
memory/4228-99-0x0000000002820000-0x000000000285E000-memory.dmp
memory/4228-97-0x0000000002820000-0x000000000285E000-memory.dmp
memory/4228-95-0x0000000002820000-0x000000000285E000-memory.dmp
memory/4228-93-0x0000000002820000-0x000000000285E000-memory.dmp
memory/4228-91-0x0000000002820000-0x000000000285E000-memory.dmp
memory/4228-89-0x0000000002820000-0x000000000285E000-memory.dmp
memory/4228-87-0x0000000002820000-0x000000000285E000-memory.dmp
memory/4228-85-0x0000000002820000-0x000000000285E000-memory.dmp
memory/4228-83-0x0000000002820000-0x000000000285E000-memory.dmp
memory/4228-81-0x0000000002820000-0x000000000285E000-memory.dmp
memory/4228-79-0x0000000002820000-0x000000000285E000-memory.dmp
memory/4228-77-0x0000000002820000-0x000000000285E000-memory.dmp
memory/4228-75-0x0000000002820000-0x000000000285E000-memory.dmp
memory/4228-73-0x0000000002820000-0x000000000285E000-memory.dmp
memory/4228-71-0x0000000002820000-0x000000000285E000-memory.dmp
memory/4228-67-0x0000000002820000-0x000000000285E000-memory.dmp
memory/4228-65-0x0000000002820000-0x000000000285E000-memory.dmp
memory/4228-63-0x0000000002820000-0x000000000285E000-memory.dmp
memory/4228-59-0x0000000002820000-0x000000000285E000-memory.dmp
memory/4228-58-0x0000000002820000-0x000000000285E000-memory.dmp
memory/4228-55-0x0000000002820000-0x000000000285E000-memory.dmp
memory/4228-54-0x0000000002820000-0x000000000285E000-memory.dmp
memory/4228-51-0x0000000002820000-0x000000000285E000-memory.dmp
memory/4228-49-0x0000000002820000-0x000000000285E000-memory.dmp
memory/4228-47-0x0000000002820000-0x000000000285E000-memory.dmp
memory/4228-69-0x0000000002820000-0x000000000285E000-memory.dmp
memory/4228-950-0x0000000005380000-0x0000000005998000-memory.dmp
memory/4228-951-0x0000000004C80000-0x0000000004D8A000-memory.dmp
memory/4228-952-0x00000000059A0000-0x00000000059B2000-memory.dmp
memory/4228-953-0x00000000059C0000-0x00000000059FC000-memory.dmp
memory/4228-954-0x0000000005B10000-0x0000000005B5C000-memory.dmp