Analysis Overview
SHA256
56ffba53017f9a81d24cb445d03218344e4b6e42f6a6917dd740ce2d6b0bea66
Threat Level: Known bad
The file 56ffba53017f9a81d24cb445d03218344e4b6e42f6a6917dd740ce2d6b0bea66 was found to be: Known bad.
Malicious Activity Summary
Healer family
Healer
Detects Healer, an antivirus disabler dropper
RedLine
Redline family
RedLine payload
Modifies Windows Defender Real-time Protection settings
Checks computer location settings
Executes dropped EXE
Windows security modification
Adds Run key to start application
Launches sc.exe
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-05 03:43
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-05 03:43
Reported
2024-11-05 03:46
Platform
win10v2004-20241007-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr968143.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr968143.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr968143.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr968143.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr968143.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr968143.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku126287.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAW1879.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr968143.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku126287.exe | N/A |
| N/A | N/A | C:\Windows\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr386004.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr968143.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\56ffba53017f9a81d24cb445d03218344e4b6e42f6a6917dd740ce2d6b0bea66.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAW1879.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku126287.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku126287.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr386004.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\56ffba53017f9a81d24cb445d03218344e4b6e42f6a6917dd740ce2d6b0bea66.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAW1879.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr968143.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr968143.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku126287.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\56ffba53017f9a81d24cb445d03218344e4b6e42f6a6917dd740ce2d6b0bea66.exe | "C:\Users\Admin\AppData\Local\Temp\56ffba53017f9a81d24cb445d03218344e4b6e42f6a6917dd740ce2d6b0bea66.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAW1879.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAW1879.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr968143.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr968143.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku126287.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku126287.exe |
| C:\Windows\Temp\1.exe | "C:\Windows\Temp\1.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4188 -ip 4188 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 1380 |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr386004.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr386004.exe |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe start wuauserv |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| FI | 77.91.124.145:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAW1879.exe
| MD5 | 52edf62a85f336c93431d0beca80ee0b |
| SHA1 | c670cf38094d9f484e82efc4ebf3a17a471eaa8c |
| SHA256 | 9a49e2ff40a5a84a5b86860f2e1cac5ff6ad93226a7f7a14fcf42b5690261103 |
| SHA512 | 7a5b7a600fef273c84da43c89a199ab4abebd10960fa51c8a4f8cec223257a257f912aab3e0e820c04755862cd5a2eb40a3a9d612c47ece94bf818897c0d3fcd |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr968143.exe
| MD5 | f9021b5fa22d7149f5e560b8f2df5363 |
| SHA1 | ef9c558d1b157101155ddbbab42059d9f78641eb |
| SHA256 | de6963cce92e0f5ac6c5e40101eb230cc26ea41b7b476d6c59c254f3acdfc0e9 |
| SHA512 | 044311ab083dca824b510636ec0ba907b19163440e4238993bdfcedf6d67362795773550f4d79e8266dd3b68c19d0ab5e72836a83ef17c40fd0dd363a53a0b9f |
memory/1412-14-0x00007FF9DE053000-0x00007FF9DE055000-memory.dmp
memory/1412-15-0x0000000000D00000-0x0000000000D0A000-memory.dmp
memory/1412-17-0x00007FF9DE053000-0x00007FF9DE055000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku126287.exe
| MD5 | c027bd932cd178a942026f1643ad2a43 |
| SHA1 | 32ef69a0d903a097dac096efb2bdd76a93b27ded |
| SHA256 | 2315425fc0ff15a5e8e14e430ff6f431d469dfce93c939c034cf82f408f5e4ee |
| SHA512 | 0bd37d09020624f15c3f3b2b99d50b952057c6a1b4a4e57b6e163602162584aa817faf1bfdbd836962a93cc98ccdf8de84b8d458f22843512abf4ce48210fabe |
C:\Windows\Temp\1.exe
| MD5 | 1073b2e7f778788852d3f7bb79929882 |
| SHA1 | 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4 |
| SHA256 | c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb |
| SHA512 | 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr386004.exe
| MD5 | 569aff96fcd7e836c6111ebfc258f6e5 |
| SHA1 | ae096616e2863a94944c3e2fca2e78bdba2a78ee |
| SHA256 | a2a083f9fdcde462437c3b9a8874af670200533ab61d68d22e9b4887f7771f28 |
| SHA512 | dde9f6530163406691d703f4bf1355ff8c89eb69de764b10631ce1aa04ec52407edaad61fba6d5d6099e4a3dfeca3616f95efc6bfbb5653131dad0d73dae42e4 |
memory/6316-2129-0x0000000000DB0000-0x0000000000DE0000-memory.dmp
memory/6316-2130-0x0000000005590000-0x0000000005596000-memory.dmp