Analysis Overview
SHA256
7ff2aeec8c3810bd9ea17a58362230756aaaee151e8d07b01146c36f64763328
Threat Level: Known bad
The file 7ff2aeec8c3810bd9ea17a58362230756aaaee151e8d07b01146c36f64763328 was found to be: Known bad.
Malicious Activity Summary
Healer family
RedLine
Detects Healer an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
Redline family
Healer
RedLine payload
Executes dropped EXE
Windows security modification
Checks computer location settings
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Program crash
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-05 01:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-05 01:17
Reported
2024-11-05 01:20
Platform
win10v2004-20241007-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr510673.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr510673.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr510673.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr510673.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr510673.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr510673.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku763619.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidR8689.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr510673.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku763619.exe | N/A |
| N/A | N/A | C:\Windows\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr908848.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr510673.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidR8689.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\7ff2aeec8c3810bd9ea17a58362230756aaaee151e8d07b01146c36f64763328.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku763619.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr908848.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7ff2aeec8c3810bd9ea17a58362230756aaaee151e8d07b01146c36f64763328.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidR8689.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku763619.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr510673.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr510673.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr510673.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku763619.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7ff2aeec8c3810bd9ea17a58362230756aaaee151e8d07b01146c36f64763328.exe
"C:\Users\Admin\AppData\Local\Temp\7ff2aeec8c3810bd9ea17a58362230756aaaee151e8d07b01146c36f64763328.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidR8689.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidR8689.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr510673.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr510673.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku763619.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku763619.exe
C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1488 -ip 1488
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 1384
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr908848.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr908848.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidR8689.exe
| MD5 | 14f9619adcb5baf1e03e8bba22560e3c |
| SHA1 | 79051b8b5c5291a7940c9a050019a42dfb7d690e |
| SHA256 | 18892464729d99c957424a44cd3f4b3e7607d4cd4742774a1e4c92c0e17408f5 |
| SHA512 | 1f3faf31272368251128ae8fffc21da1849ee1f0c9df3f735f677c216731e87fa6a64f6cd3f033f8d849d68fdfe520b17bb889cec43c69da6a12896ef987b504 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr510673.exe
| MD5 | b0ef59c7ee273bf901a526a871145e7d |
| SHA1 | 2b41b0b7963e72771a40343864b6a4a6af0ef4af |
| SHA256 | cecca4676de5f90d4386e33f74ab745614252cb7927e8c5e0facfe193e54b9f0 |
| SHA512 | d3895715d1eb4552b3095b653de27d320e4c3f9c438bec6d5e846a971dedc508b467617900286932f9c24820a89ae521dadd91e428a1cf6c830e7df14eb3937f |
memory/3540-14-0x00007FF896E63000-0x00007FF896E65000-memory.dmp
memory/3540-15-0x00000000006F0000-0x00000000006FA000-memory.dmp
memory/3540-16-0x00007FF896E63000-0x00007FF896E65000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku763619.exe
| MD5 | b2a92ecdaa070bb49d8af09c57a201cf |
| SHA1 | ad3c21d3342d5231c44f8522109513f39bc41841 |
| SHA256 | 40740f95d3481044d95d2ff664142ba91d25cf367e79ee41de44ddc4dcaa3c65 |
| SHA512 | 78a40ef56fe11ec2e2cdd02762d1b297f7f680c567b156b3ae3688e71b9cab471728bf1dc6aa0ecff8c1c26057f0eed27e8dce7da06c059fa17ba6fdb401a451 |
memory/1488-22-0x00000000025B0000-0x0000000002616000-memory.dmp
memory/1488-23-0x0000000004CE0000-0x0000000005284000-memory.dmp
memory/1488-24-0x0000000004C20000-0x0000000004C86000-memory.dmp
memory/1488-46-0x0000000004C20000-0x0000000004C7F000-memory.dmp
memory/1488-44-0x0000000004C20000-0x0000000004C7F000-memory.dmp
memory/1488-88-0x0000000004C20000-0x0000000004C7F000-memory.dmp
memory/1488-86-0x0000000004C20000-0x0000000004C7F000-memory.dmp
memory/1488-84-0x0000000004C20000-0x0000000004C7F000-memory.dmp
memory/1488-82-0x0000000004C20000-0x0000000004C7F000-memory.dmp
memory/1488-80-0x0000000004C20000-0x0000000004C7F000-memory.dmp
memory/1488-76-0x0000000004C20000-0x0000000004C7F000-memory.dmp
memory/1488-74-0x0000000004C20000-0x0000000004C7F000-memory.dmp
memory/1488-72-0x0000000004C20000-0x0000000004C7F000-memory.dmp
memory/1488-70-0x0000000004C20000-0x0000000004C7F000-memory.dmp
memory/1488-68-0x0000000004C20000-0x0000000004C7F000-memory.dmp
memory/1488-66-0x0000000004C20000-0x0000000004C7F000-memory.dmp
memory/1488-64-0x0000000004C20000-0x0000000004C7F000-memory.dmp
memory/1488-60-0x0000000004C20000-0x0000000004C7F000-memory.dmp
memory/1488-58-0x0000000004C20000-0x0000000004C7F000-memory.dmp
memory/1488-56-0x0000000004C20000-0x0000000004C7F000-memory.dmp
memory/1488-54-0x0000000004C20000-0x0000000004C7F000-memory.dmp
memory/1488-52-0x0000000004C20000-0x0000000004C7F000-memory.dmp
memory/1488-50-0x0000000004C20000-0x0000000004C7F000-memory.dmp
memory/1488-48-0x0000000004C20000-0x0000000004C7F000-memory.dmp
memory/1488-43-0x0000000004C20000-0x0000000004C7F000-memory.dmp
memory/1488-40-0x0000000004C20000-0x0000000004C7F000-memory.dmp
memory/1488-38-0x0000000004C20000-0x0000000004C7F000-memory.dmp
memory/1488-36-0x0000000004C20000-0x0000000004C7F000-memory.dmp
memory/1488-34-0x0000000004C20000-0x0000000004C7F000-memory.dmp
memory/1488-32-0x0000000004C20000-0x0000000004C7F000-memory.dmp
memory/1488-30-0x0000000004C20000-0x0000000004C7F000-memory.dmp
memory/1488-28-0x0000000004C20000-0x0000000004C7F000-memory.dmp
memory/1488-78-0x0000000004C20000-0x0000000004C7F000-memory.dmp
memory/1488-62-0x0000000004C20000-0x0000000004C7F000-memory.dmp
memory/1488-26-0x0000000004C20000-0x0000000004C7F000-memory.dmp
memory/1488-25-0x0000000004C20000-0x0000000004C7F000-memory.dmp
memory/1488-2105-0x0000000005400000-0x0000000005432000-memory.dmp
C:\Windows\Temp\1.exe
| MD5 | 1073b2e7f778788852d3f7bb79929882 |
| SHA1 | 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4 |
| SHA256 | c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb |
| SHA512 | 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0 |
memory/6692-2118-0x0000000000110000-0x0000000000140000-memory.dmp
memory/6692-2119-0x0000000000890000-0x0000000000896000-memory.dmp
memory/6692-2120-0x0000000005120000-0x0000000005738000-memory.dmp
memory/6692-2121-0x0000000004C10000-0x0000000004D1A000-memory.dmp
memory/6692-2122-0x0000000004980000-0x0000000004992000-memory.dmp
memory/6692-2123-0x0000000004B00000-0x0000000004B3C000-memory.dmp
memory/6692-2124-0x0000000004B40000-0x0000000004B8C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr908848.exe
| MD5 | 94a65fdc965bc3f25db8c82d1ad09edb |
| SHA1 | fe44beb0b33f448380d0391a5cd47fad0158128c |
| SHA256 | 71c68dcc5a07eec0c3300e4a06c949b84a4cc8be62fb6725f398a4366587bc54 |
| SHA512 | 737ba4376d46a0f936dbd18df2beb05977383781b6e26202e9ce36e39d5eaf1f44511c18ccb3e96e0fe6a193a1bf12e99ad164d30daae23a2e864042080d0907 |
memory/6904-2129-0x0000000000B40000-0x0000000000B70000-memory.dmp
memory/6904-2130-0x0000000002E30000-0x0000000002E36000-memory.dmp