Analysis Overview
SHA256
cfd131a850cb7a9398062dcb81a59ad52e73036160016e13d6f54f7a9f59d459
Threat Level: Known bad
The file cfd131a850cb7a9398062dcb81a59ad52e73036160016e13d6f54f7a9f59d459 was found to be: Known bad.
Malicious Activity Summary
Healer
RedLine payload
Detects Healer an antivirus disabler dropper
Redline family
Modifies Windows Defender Real-time Protection settings
Healer family
RedLine
Windows security modification
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-04 13:50
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-04 13:50
Reported
2024-11-04 13:53
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
151s
Signatures
Detects Healer an antivirus disabler dropper
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it145162.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it145162.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it145162.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it145162.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it145162.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it145162.exe | N/A |
RedLine
RedLine payload
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziSf3156.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zixe2189.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it145162.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr822882.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it145162.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\cfd131a850cb7a9398062dcb81a59ad52e73036160016e13d6f54f7a9f59d459.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziSf3156.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zixe2189.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziSf3156.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zixe2189.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr822882.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cfd131a850cb7a9398062dcb81a59ad52e73036160016e13d6f54f7a9f59d459.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it145162.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it145162.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it145162.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr822882.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\cfd131a850cb7a9398062dcb81a59ad52e73036160016e13d6f54f7a9f59d459.exe | "C:\Users\Admin\AppData\Local\Temp\cfd131a850cb7a9398062dcb81a59ad52e73036160016e13d6f54f7a9f59d459.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziSf3156.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziSf3156.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zixe2189.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zixe2189.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it145162.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it145162.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr822882.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr822882.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| RU | 185.161.248.153:38452 | N/A | tcp |
| RU | 185.161.248.153:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| RU | 185.161.248.153:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| RU | 185.161.248.153:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| RU | 185.161.248.153:38452 | N/A | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| RU | 185.161.248.153:38452 | N/A | tcp |
| RU | 185.161.248.153:38452 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziSf3156.exe
| MD5 | b135c5aafc6f698d3819209c1998cbcc |
| SHA1 | 54b3000f8b4582dbb2aa954274031282b5815df0 |
| SHA256 | 7c9eef205b608b3216b932dd6a09414e5c64a3b21ae947d73f9d8fa9e8f5b873 |
| SHA512 | 6abe9bb3640fd548c14a71a11d5a6124de1b5fdd2f1a5047e0e772465574c6e8538b9c3a9760b33253ec8d53f458f94b943ab93cc0177e6f3d31c3bdf7b95d1a |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zixe2189.exe
| MD5 | 1f2c684ecbc4ef0453a865262c66f167 |
| SHA1 | 7329ce675fd6e3b96cf0fb63baac68d4e3e036fb |
| SHA256 | ad67265cd1bf45edafb01f0f4586700337e24ded4ccce461cd9c10e983af7180 |
| SHA512 | 3d6faac6dbd9bc2c8e4de5ad79e342db4ca6a383344ea4eac11b92adf142cae7d8d28f5d2a457b96aa7f6729c0d9d4e0876be220335539f4556f14a2ac5a2a73 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it145162.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/2076-21-0x00007FFDEECB3000-0x00007FFDEECB5000-memory.dmp
memory/2076-22-0x0000000000F00000-0x0000000000F0A000-memory.dmp
memory/2076-23-0x00007FFDEECB3000-0x00007FFDEECB5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr822882.exe
| MD5 | 2484f7748a014489a3348883e7b48b64 |
| SHA1 | 6503800588d01d32bdf38b5a0af633d0549314e0 |
| SHA256 | 8a33f8d7fdefd5bb3e437d12494ef58df6d433d46e4ed23e1a8ba4953724784b |
| SHA512 | 74fba93c01f1eaca433144407a808d86c5504f6c60aabf23cf20095d763887c368c97a381da8013ef0562bbccae494be80022f4404a12b930c8803210c9ed40a |