Analysis Overview
SHA256
8e98a0fc62fc6821e20f7d7c866715b50a4349c5f49331a532624b95133d2c60
Threat Level: Known bad
The file 8e98a0fc62fc6821e20f7d7c866715b50a4349c5f49331a532624b95133d2c60 was found to be: Known bad.
Malicious Activity Summary
Healer
RedLine payload
Redline family
Healer family
RedLine
Modifies Windows Defender Real-time Protection settings
Detects Healer an antivirus disabler dropper
Windows security modification
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-04 13:55
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-04 13:55
Reported
2024-11-04 13:57
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
157s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr602601.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr602601.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr602601.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr602601.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr602601.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr602601.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipc4464.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr602601.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku502293.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr602601.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\8e98a0fc62fc6821e20f7d7c866715b50a4349c5f49331a532624b95133d2c60.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipc4464.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8e98a0fc62fc6821e20f7d7c866715b50a4349c5f49331a532624b95133d2c60.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipc4464.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku502293.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr602601.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr602601.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr602601.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku502293.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\8e98a0fc62fc6821e20f7d7c866715b50a4349c5f49331a532624b95133d2c60.exe | "C:\Users\Admin\AppData\Local\Temp\8e98a0fc62fc6821e20f7d7c866715b50a4349c5f49331a532624b95133d2c60.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipc4464.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipc4464.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr602601.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr602601.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku502293.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku502293.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 122.10.44.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipc4464.exe
| MD5 | 125fa5c5789c49b1ce0e3e4e7645ee87 |
| SHA1 | f6bd6dfeeb49ebbeae13799ecf1405d397220b44 |
| SHA256 | 21d28b430809d4c3a0b0d3be2c7f173b5a63ac77d85b7923a1f8080100d47930 |
| SHA512 | dfb0fd787d31f6ffcd36ea1fa430bae95736bb6f37a2a2e3f874848faae31890e61c5425c34b547e18dd2026a5c811e7be4cd6a6e29ccc0cd64026fbee5bc75b |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr602601.exe
| MD5 | e94f9ea238ec135bc3e19096e2d99c8d |
| SHA1 | d717cb6ab24295736f9ce4f33f6d855ec34b8280 |
| SHA256 | 7101073c4713ecf82757b83e7d89b9762bff9c90937049873c9cdd6b402537c2 |
| SHA512 | feb6075a1530969d8c78646100cc5f16bda1d86d1858db866b0aa202a0f0b0b95a9e4e145a5c2c6d7fddb1372049b108e9cd22498a97d041354d76b1841efeb7 |
memory/4856-14-0x00007FFEF60C3000-0x00007FFEF60C5000-memory.dmp
memory/4856-15-0x0000000000050000-0x000000000005A000-memory.dmp
memory/4856-16-0x00007FFEF60C3000-0x00007FFEF60C5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku502293.exe
| MD5 | a3afce4bbef63e71b31abf6a594ba3c6 |
| SHA1 | 554d5ebbbf3afa1650c4166c7da7b02e609c5ce9 |
| SHA256 | aa70250db464e51a950aae220664ea346c8028f13e8b3d95e25ca035079d9c28 |
| SHA512 | eabb19aa94955e23d84c36bc262da01544126eaed30c7af26c8563bb66736f6e078969b3acd4749e55b6515a3462480844833d47509857864a0256970b24bd39 |
memory/1648-22-0x0000000004D60000-0x0000000004DA6000-memory.dmp
memory/1648-23-0x0000000004DE0000-0x0000000005384000-memory.dmp
memory/1648-24-0x00000000053D0000-0x0000000005414000-memory.dmp
memory/1648-34-0x00000000053D0000-0x000000000540F000-memory.dmp
memory/1648-38-0x00000000053D0000-0x000000000540F000-memory.dmp
memory/1648-88-0x00000000053D0000-0x000000000540F000-memory.dmp
memory/1648-86-0x00000000053D0000-0x000000000540F000-memory.dmp
memory/1648-84-0x00000000053D0000-0x000000000540F000-memory.dmp
memory/1648-82-0x00000000053D0000-0x000000000540F000-memory.dmp
memory/1648-80-0x00000000053D0000-0x000000000540F000-memory.dmp
memory/1648-78-0x00000000053D0000-0x000000000540F000-memory.dmp
memory/1648-74-0x00000000053D0000-0x000000000540F000-memory.dmp
memory/1648-72-0x00000000053D0000-0x000000000540F000-memory.dmp
memory/1648-70-0x00000000053D0000-0x000000000540F000-memory.dmp
memory/1648-68-0x00000000053D0000-0x000000000540F000-memory.dmp
memory/1648-66-0x00000000053D0000-0x000000000540F000-memory.dmp
memory/1648-64-0x00000000053D0000-0x000000000540F000-memory.dmp
memory/1648-62-0x00000000053D0000-0x000000000540F000-memory.dmp
memory/1648-60-0x00000000053D0000-0x000000000540F000-memory.dmp
memory/1648-58-0x00000000053D0000-0x000000000540F000-memory.dmp
memory/1648-56-0x00000000053D0000-0x000000000540F000-memory.dmp
memory/1648-54-0x00000000053D0000-0x000000000540F000-memory.dmp
memory/1648-52-0x00000000053D0000-0x000000000540F000-memory.dmp
memory/1648-50-0x00000000053D0000-0x000000000540F000-memory.dmp
memory/1648-46-0x00000000053D0000-0x000000000540F000-memory.dmp
memory/1648-44-0x00000000053D0000-0x000000000540F000-memory.dmp
memory/1648-42-0x00000000053D0000-0x000000000540F000-memory.dmp
memory/1648-40-0x00000000053D0000-0x000000000540F000-memory.dmp
memory/1648-36-0x00000000053D0000-0x000000000540F000-memory.dmp
memory/1648-32-0x00000000053D0000-0x000000000540F000-memory.dmp
memory/1648-76-0x00000000053D0000-0x000000000540F000-memory.dmp
memory/1648-48-0x00000000053D0000-0x000000000540F000-memory.dmp
memory/1648-30-0x00000000053D0000-0x000000000540F000-memory.dmp
memory/1648-28-0x00000000053D0000-0x000000000540F000-memory.dmp
memory/1648-26-0x00000000053D0000-0x000000000540F000-memory.dmp
memory/1648-25-0x00000000053D0000-0x000000000540F000-memory.dmp
memory/1648-931-0x0000000005450000-0x0000000005A68000-memory.dmp
memory/1648-932-0x0000000005AF0000-0x0000000005BFA000-memory.dmp
memory/1648-933-0x0000000005C30000-0x0000000005C42000-memory.dmp
memory/1648-934-0x0000000005C50000-0x0000000005C8C000-memory.dmp
memory/1648-935-0x0000000005DA0000-0x0000000005DEC000-memory.dmp