Analysis Overview
SHA256
ec38fabe1959dae2c6e903cbfc7f2f301e38e2299ffebef209092ed1d77abcf7
Threat Level: Known bad
The file ec38fabe1959dae2c6e903cbfc7f2f301e38e2299ffebef209092ed1d77abcf7 was found to be: Known bad.
Malicious Activity Summary
Healer
RedLine
Redline family
Detects Healer an antivirus disabler dropper
RedLine payload
Modifies Windows Defender Real-time Protection settings
Healer family
Checks computer location settings
Executes dropped EXE
Windows security modification
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-05 10:15
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-05 10:15
Reported
2024-11-05 10:18
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr077633.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr077633.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr077633.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr077633.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr077633.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr077633.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku500600.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDC0237.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr077633.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku500600.exe | N/A |
| N/A | N/A | C:\Windows\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr715200.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr077633.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\ec38fabe1959dae2c6e903cbfc7f2f301e38e2299ffebef209092ed1d77abcf7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDC0237.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku500600.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ec38fabe1959dae2c6e903cbfc7f2f301e38e2299ffebef209092ed1d77abcf7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDC0237.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku500600.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr715200.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr077633.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr077633.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr077633.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku500600.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ec38fabe1959dae2c6e903cbfc7f2f301e38e2299ffebef209092ed1d77abcf7.exe
"C:\Users\Admin\AppData\Local\Temp\ec38fabe1959dae2c6e903cbfc7f2f301e38e2299ffebef209092ed1d77abcf7.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDC0237.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDC0237.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr077633.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr077633.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku500600.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku500600.exe
C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 976 -ip 976
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 1496
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr715200.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr715200.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDC0237.exe
| MD5 | 667a2a94999d2cd8b6d54811aa7faccd |
| SHA1 | 1bb13040b0928086190a4a09bb5a03ac3facdd21 |
| SHA256 | 2558e169e6987c0ab4f34e2d9757d50a26e61c26123849823015e634b9580a1d |
| SHA512 | a4211cf7d692710cc41e9f874262de5121ca0eeeb8e98dccfd6bde7fa84d86dc6a9f57e34618a522a13e5b4e65c78e7645a35edd4abb905f13e65aaf5bda6d7a |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr077633.exe
| MD5 | 9eb3ae5c26191ad3573cbfaaf7dcca69 |
| SHA1 | 96a16c3eef1503917a2641251cc04d2b98d4fd78 |
| SHA256 | 972e2d58bb8bf6d37f4b1ba8137328e43715c46e6d46aab55faca7583714b80f |
| SHA512 | c307d56ccaf51d2b2567671269f4f3f922fe08ea13f4af523a9091c1d7522b884d271fe4bf0a430167884f0cdfbf9f433379da25e2a3da8a9224bd26019a15af |
memory/2764-14-0x00007FF8BDEF3000-0x00007FF8BDEF5000-memory.dmp
memory/2764-15-0x0000000000CB0000-0x0000000000CBA000-memory.dmp
memory/2764-16-0x00007FF8BDEF3000-0x00007FF8BDEF5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku500600.exe
| MD5 | b876950c298c1444018cc05a55669788 |
| SHA1 | 002904ac99b8f64c9b51ab98ec4bbafc63d21aae |
| SHA256 | c6e2161532b7a9ddbdb47bfad69436667c85cc5f988deb57640a8c68bb3ebdf1 |
| SHA512 | e9950891dd329ba6111526dab186f7d069dff8becfffe057d1ccc8fea9178c09b33f5c3d2dd6030115c3ad901fd1c0949eff48565d9b3273ec472dae37c1ee0c |
C:\Windows\Temp\1.exe
| MD5 | 1073b2e7f778788852d3f7bb79929882 |
| SHA1 | 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4 |
| SHA256 | c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb |
| SHA512 | 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr715200.exe
| MD5 | f66557bfc086d58caeaae8ff7427e860 |
| SHA1 | 7793733df47192e161acfdfaa73175d468d28059 |
| SHA256 | 264b439c5406abfde99054f9c032c10e308503becef0d63f6629a1c308bf5daa |
| SHA512 | 1fa6f58aee41623ab6f3c4f2f6726fdc44f8eda66a22d3ae7a5b556b27260e719cf194978febc2816897a2d44a88f2c24f94a1d991efce17347b173824a62cf7 |
memory/5172-2129-0x0000000000660000-0x0000000000690000-memory.dmp
memory/5172-2130-0x00000000010A0000-0x00000000010A6000-memory.dmp