Analysis Overview
SHA256
3a53c78e5c4fb5d4daa6865f0f2489ccd5516c199a94706d16fce0d0c3a261f6
Threat Level: Known bad
The file 3a53c78e5c4fb5d4daa6865f0f2489ccd5516c199a94706d16fce0d0c3a261f6 was found to be: Known bad.
Malicious Activity Summary
Healer family
Healer
Redline family
RedLine
Detects Healer, an antivirus disabler dropper
RedLine payload
Modifies Windows Defender Real-time Protection settings
Checks computer location settings
Windows security modification
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-05 11:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-05 11:19
Reported
2024-11-05 11:22
Platform
win10v2004-20241007-en
Max time kernel
146s
Max time network
157s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr802602.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr802602.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr802602.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr802602.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr802602.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr802602.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku832013.exe | N/A |
Note: Geo\Nation holds the user's configured country code. The stealer payload reads it before doing anything else so it can decline to run on machines configured for certain regions; a detonation VM whose locale matches an excluded region will show far less of the behaviour below.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziko1214.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr802602.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku832013.exe | N/A |
| N/A | N/A | C:\Windows\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr361975.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr802602.exe | N/A |
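The two registry signatures above (the five DWORD=1 writes under the Real-Time Protection policy key, and TamperProtection=0 under Windows Defender\Features) are what a detection rule would key on. The following is an added example, not code from the sandbox or from either malware family: it parses rows in this report's table layout, normalises the native \REGISTRY\MACHINE\ key names to HKLM, and flags the two patterns, rolling them up per process the way a SOC rule would. The rule names, the three-write threshold and the two benign sample rows are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the report's "| Description | Indicator | Process | Target |" row layout.
# The first seven rows mirror the jr802602.exe registry writes in this report; the last two are
# benign writes added here so the rules have something to ignore.
SAMPLE_ROWS = r"""
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr802602.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr802602.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr802602.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr802602.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr802602.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr802602.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr802602.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0" | C:\Program Files\Example\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\Program Files\Example\updater.exe" | C:\Program Files\Example\setup.exe | N/A |
"""

INDICATOR_RE = re.compile(r'^(?P<path>.*?)\s*=\s*"(?P<value>.*)"$')

# Policy values that disable real-time protection when set to 1, and the tamper-protection
# switch that is disabled when set to 0. Compared case-insensitively after normalisation.
RTP_POLICY_PREFIX = "hklm\\software\\policies\\microsoft\\windows defender\\real-time protection\\"
TAMPER_PROTECTION_VALUE = "hklm\\software\\microsoft\\windows defender\\features\\tamperprotection"


def normalize_path(path):
    """Map the sandbox's native-format key names onto HKLM/HKU and drop the WOW6432Node redirect."""
    for native, hive in (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\")):
        if path.upper().startswith(native):
            path = hive + path[len(native):]
            break
    return re.sub(r"\\wow6432node\\", r"\\", path, flags=re.IGNORECASE)


def parse_rows(text):
    """Turn the report's pipe-table rows into registry events."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|") or line.startswith("| Description"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) < 3:
            continue
        m = INDICATOR_RE.match(cells[1])
        path, value = (m.group("path"), m.group("value")) if m else (cells[1], None)
        events.append({"op": cells[0], "path": normalize_path(path), "value": value, "process": cells[2]})
    return events


def classify(event):
    """Return the rule name an event matches, or None."""
    path = event["path"].lower()
    leaf = path.rsplit("\\", 1)[-1]
    if path.startswith(RTP_POLICY_PREFIX) and leaf.startswith("disable") and event["value"] == "1":
        return "defender_realtime_policy_disabled"
    if path == TAMPER_PROTECTION_VALUE and event["value"] == "0":
        return "defender_tamper_protection_disabled"
    return None


def detect(events, min_disables=3):
    """Score each event and roll findings up per process, as a SOC rule would."""
    findings, rules_by_process = [], defaultdict(list)
    for event in events:
        rule = classify(event)
        if rule:
            findings.append({"rule": rule, **event})
            rules_by_process[event["process"]].append(rule)
    verdicts = {}
    for process, rules in rules_by_process.items():
        disables = rules.count("defender_realtime_policy_disabled")
        tamper_off = "defender_tamper_protection_disabled" in rules
        if disables >= min_disables and tamper_off:
            verdicts[process] = "av_disabler_dropper_pattern"  # the shape jr802602.exe shows above
        elif disables or tamper_off:
            verdicts[process] = "defender_tampering"
    return {"findings": findings, "verdicts": verdicts}


if __name__ == "__main__":
    result = detect(parse_rows(SAMPLE_ROWS))
    for finding in result["findings"]:
        print(finding["rule"], finding["path"], finding["value"], finding["process"])
    print(result["verdicts"])
```

Two caveats when reusing this on real telemetry. The report records the write attempts; on a host where Tamper Protection is enabled, Defender itself blocks changes to the Features\TamperProtection value and to the real-time protection settings, so the attempt is the signal rather than the resulting state, and Get-MpComputerStatus (IsTamperProtected, RealTimeProtectionEnabled) gives the live state to compare against. Legitimate management tooling also writes the Policies\...\Real-Time Protection values, usually with value 0 or from a Group Policy or MDM process rather than from an executable in %TEMP%, which is why the rule keys on the value and rolls up by writing process.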
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\3a53c78e5c4fb5d4daa6865f0f2489ccd5516c199a94706d16fce0d0c3a261f6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziko1214.exe | N/A |
Note: the wextract_cleanup0/1 RunOnce entries are the standard self-cleanup written by the Windows self-extracting cabinet stub (wextract, which also creates the IXP000.TMP and IXP001.TMP staging folders seen throughout this report); each one deletes its extraction folder at next logon through advpack.dll's DelNodeRunDLL32. They show that the sample is two nested wextract packages, not that the stealer payload persists across reboots.
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku832013.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziko1214.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku832013.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr361975.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3a53c78e5c4fb5d4daa6865f0f2489ccd5516c199a94706d16fce0d0c3a261f6.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr802602.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr802602.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr802602.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku832013.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3a53c78e5c4fb5d4daa6865f0f2489ccd5516c199a94706d16fce0d0c3a261f6.exe
"C:\Users\Admin\AppData\Local\Temp\3a53c78e5c4fb5d4daa6865f0f2489ccd5516c199a94706d16fce0d0c3a261f6.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziko1214.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziko1214.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr802602.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr802602.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku832013.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku832013.exe
C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1672 -ip 1672
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 1520
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr361975.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr361975.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
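Read as a whole, the table contains three kinds of traffic: PTR lookups sent to the sandbox's resolver (the in-addr.arpa names encode the looked-up address with its octets reversed), the tse1.mm.bing.net sessions that Windows 10 and Edge generate on their own, and the repeated TCP sessions to 77.91.124.145:4125 with no hostname resolved first. The following is an added example, not tooling from the sandbox, that turns rows in this layout into that triage and tolerates the shifted rows in which the protocol sits in the Domain column. The background-domain allowlist, the "repeated bare-IP TCP with no preceding name lookup" heuristic and the repeat threshold are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample in the report's "| Country | Destination | Domain | Proto |" layout. The rows
# mirror this report's Network table, including the shifted form in which the 77.91.124.145 rows
# carry "tcp" in the Domain column and an empty (or missing) Proto column.
SAMPLE_ROWS = """
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| FI | 77.91.124.145:4125 | tcp | |
| FI | 77.91.124.145:4125 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| FI | 77.91.124.145:4125 | tcp |
| FI | 77.91.124.145:4125 | tcp | |
"""

PROTOCOLS = {"tcp", "udp"}
# Hostnames seen in nearly every Windows 10 detonation (OS and Edge background traffic).
# This allowlist is an assumption made for the example, not something the report states.
BACKGROUND_SUFFIXES = (".bing.net", ".microsoft.com", ".windowsupdate.com")
PTR_RE = re.compile(r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa", re.IGNORECASE)


def parse_network_rows(text):
    """Parse the pipe table, repairing rows whose protocol slid into the Domain column."""
    conns = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|") or line.startswith("| Country"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        cells += [""] * (4 - len(cells))  # a row that lost its last cell still yields four columns
        country, dest, domain, proto = cells[:4]
        if domain.lower() in PROTOCOLS and not proto:
            domain, proto = "", domain.lower()
        ip, _, port = dest.rpartition(":")
        conns.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return conns


def ptr_target(domain):
    """Return the IPv4 address a reverse-lookup name refers to (octets are reversed), or None."""
    m = PTR_RE.fullmatch(domain)
    return ".".join(reversed(m.groups())) if m else None


def triage(conns, min_repeats=2):
    """Split the table into PTR lookups, background noise and repeated bare-IP TCP sessions."""
    reverse_lookups, background, candidates = set(), Counter(), Counter()
    for c in conns:
        target = ptr_target(c["domain"])
        if target:
            reverse_lookups.add(target)
        elif c["domain"].lower().endswith(BACKGROUND_SUFFIXES):
            background[(c["domain"], c["ip"], c["port"])] += 1
        elif c["proto"] == "tcp" and not c["domain"]:
            # No hostname is associated with the session, so the address was not obtained by name.
            candidates[(c["ip"], c["port"], c["country"])] += 1
    c2 = [
        {"ip": ip, "port": port, "country": cc, "connections": n}
        for (ip, port, cc), n in candidates.items()
        if n >= min_repeats
    ]
    return {"reverse_lookups": sorted(reverse_lookups), "background": dict(background), "c2_candidates": c2}


if __name__ == "__main__":
    summary = triage(parse_network_rows(SAMPLE_ROWS))
    for entry in summary["c2_candidates"]:
        print("candidate C2:", entry)
    print("reverse lookups:", summary["reverse_lookups"])
```

The decoded PTR targets are worth keeping alongside the candidate C2 address when blocking: the resolver here is the sandbox's (8.8.8.8), and on a real host the same lookups would go to the corporate resolver, where a PTR query burst for addresses the host is talking to is itself something the DNS logs can be searched for.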
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziko1214.exe
| MD5 | 0da7919b653dd16e964bc4e882e148e0 |
| SHA1 | 5e12ec1eabd5c455006a6ebca675b1784f412293 |
| SHA256 | e637bfa88535b2c473616d6998905271eef2821eb4bad276972a796152119746 |
| SHA512 | 1e281708a3e98a871d014f6e1dcfb25e588e67b8893bec5ddeaafeac349040ce90d8cf176c647aaf0136e2b817d2f6f68fc68d0a1b5df67139e8c03bb2740f80 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr802602.exe
| MD5 | 757788c8f9d5245f4233cf2f7e0e2cf4 |
| SHA1 | 89c295c0ad8937a32db5bffa81baf41e3ef889f7 |
| SHA256 | 2116f0e36c4db11b8cb4f9e94f2e55e4ac2c58579c528210df40b0f031114644 |
| SHA512 | 8573e4c7df2bfa1d2fce4627e867b4605a76943daa1eec24e5ea11614a4b19f759351a8a338f4690d7ed7ef1d0921cc2e8cd8c02ab437ed01ea602486b207d45 |
memory/3740-14-0x00007FFBFABE3000-0x00007FFBFABE5000-memory.dmp
memory/3740-15-0x0000000000DA0000-0x0000000000DAA000-memory.dmp
memory/3740-16-0x00007FFBFABE3000-0x00007FFBFABE5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku832013.exe
| MD5 | 1605dc546dcc15370c960c9a183503d3 |
| SHA1 | ec97c3f8f207d81b95bfc92ec6643044447b62b2 |
| SHA256 | 752c966df8efa7ebd8b663c87f667ea62a5ad0cb60429e68af5f9fb708f4a80c |
| SHA512 | 2e59c2f37c8a0bd6514c248da42ebd5331bd27cab3704f77d46f5f615c38eab32bffeb196e551324d464d4e8143b55f58b67bcac2db9023c28f7123d3ea52d25 |
memory/1672-22-0x00000000021D0000-0x0000000002236000-memory.dmp
memory/1672-23-0x0000000004D60000-0x0000000005304000-memory.dmp
memory/1672-24-0x00000000024A0000-0x0000000002506000-memory.dmp
memory/1672-25-0x00000000024A0000-0x00000000024FF000-memory.dmp
memory/1672-28-0x00000000024A0000-0x00000000024FF000-memory.dmp
memory/1672-80-0x00000000024A0000-0x00000000024FF000-memory.dmp
memory/1672-88-0x00000000024A0000-0x00000000024FF000-memory.dmp
memory/1672-86-0x00000000024A0000-0x00000000024FF000-memory.dmp
memory/1672-84-0x00000000024A0000-0x00000000024FF000-memory.dmp
memory/1672-82-0x00000000024A0000-0x00000000024FF000-memory.dmp
memory/1672-78-0x00000000024A0000-0x00000000024FF000-memory.dmp
memory/1672-76-0x00000000024A0000-0x00000000024FF000-memory.dmp
memory/1672-74-0x00000000024A0000-0x00000000024FF000-memory.dmp
memory/1672-72-0x00000000024A0000-0x00000000024FF000-memory.dmp
memory/1672-70-0x00000000024A0000-0x00000000024FF000-memory.dmp
memory/1672-68-0x00000000024A0000-0x00000000024FF000-memory.dmp
memory/1672-66-0x00000000024A0000-0x00000000024FF000-memory.dmp
memory/1672-64-0x00000000024A0000-0x00000000024FF000-memory.dmp
memory/1672-62-0x00000000024A0000-0x00000000024FF000-memory.dmp
memory/1672-58-0x00000000024A0000-0x00000000024FF000-memory.dmp
memory/1672-56-0x00000000024A0000-0x00000000024FF000-memory.dmp
memory/1672-54-0x00000000024A0000-0x00000000024FF000-memory.dmp
memory/1672-52-0x00000000024A0000-0x00000000024FF000-memory.dmp
memory/1672-50-0x00000000024A0000-0x00000000024FF000-memory.dmp
memory/1672-48-0x00000000024A0000-0x00000000024FF000-memory.dmp
memory/1672-46-0x00000000024A0000-0x00000000024FF000-memory.dmp
memory/1672-44-0x00000000024A0000-0x00000000024FF000-memory.dmp
memory/1672-42-0x00000000024A0000-0x00000000024FF000-memory.dmp
memory/1672-40-0x00000000024A0000-0x00000000024FF000-memory.dmp
memory/1672-38-0x00000000024A0000-0x00000000024FF000-memory.dmp
memory/1672-36-0x00000000024A0000-0x00000000024FF000-memory.dmp
memory/1672-32-0x00000000024A0000-0x00000000024FF000-memory.dmp
memory/1672-30-0x00000000024A0000-0x00000000024FF000-memory.dmp
memory/1672-26-0x00000000024A0000-0x00000000024FF000-memory.dmp
memory/1672-60-0x00000000024A0000-0x00000000024FF000-memory.dmp
memory/1672-34-0x00000000024A0000-0x00000000024FF000-memory.dmp
memory/1672-2105-0x0000000005410000-0x0000000005442000-memory.dmp
C:\Windows\Temp\1.exe
| MD5 | 1073b2e7f778788852d3f7bb79929882 |
| SHA1 | 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4 |
| SHA256 | c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb |
| SHA512 | 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0 |
memory/2380-2118-0x00000000008E0000-0x0000000000910000-memory.dmp
memory/2380-2119-0x00000000051C0000-0x00000000051C6000-memory.dmp
memory/2380-2120-0x0000000005850000-0x0000000005E68000-memory.dmp
memory/2380-2121-0x0000000005340000-0x000000000544A000-memory.dmp
memory/2380-2122-0x0000000005260000-0x0000000005272000-memory.dmp
memory/2380-2123-0x00000000052C0000-0x00000000052FC000-memory.dmp
memory/2380-2124-0x0000000005450000-0x000000000549C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr361975.exe
| MD5 | 1ca4ed6e2fb6843feb795a373ab79082 |
| SHA1 | 76217cac1c909c5a4db472cba970fe09af730885 |
| SHA256 | fe4f1ea635d83ed50e125c3bccb504fa5f370a19a04809b6b7e4d3d4879f66f6 |
| SHA512 | a6aec90f7f89c62f80171aac3c6aeb4469f2a0e41f0f6b5165e670cd21d3ebae223ce9f44ad4f32850d83179bf3e646dfd9ec3dd56918b3f435c4126da6c66f1 |
memory/4932-2129-0x0000000000E60000-0x0000000000E90000-memory.dmp
memory/4932-2130-0x0000000003230000-0x0000000003236000-memory.dmp