Analysis Overview
SHA256
159dcf3aedb78137b0bab23d455c10951d4225cbf853851ed37684bc3cd09ef6
Threat Level: Known bad
The file 159dcf3aedb78137b0bab23d455c10951d4225cbf853851ed37684bc3cd09ef6 was found to be: Known bad.
Malicious Activity Summary
Healer family
Healer
Detects Healer, an antivirus disabler dropper
Redline family
RedLine
RedLine payload
Modifies Windows Defender Real-time Protection settings
Windows security modification
Checks computer location settings
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-05 18:45
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-05 18:45
Reported
2024-11-05 18:47
Platform
win10v2004-20241007-en
Max time kernel
146s
Max time network
148s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr740821.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr740821.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr740821.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr740821.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr740821.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr740821.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku425116.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziIp4234.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr740821.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku425116.exe | N/A |
| N/A | N/A | C:\Windows\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr467122.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr740821.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\159dcf3aedb78137b0bab23d455c10951d4225cbf853851ed37684bc3cd09ef6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziIp4234.exe | N/A |
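The registry rows above carry two different kinds of signal: the jr740821.exe writes under the Defender Real-Time Protection policy key and the TamperProtection value are defensive-evasion tampering (ATT&CK T1562.001), while the two RunOnce values are the cleanup stub that wextract.exe, the Windows self-extracting cab stub, registers to delete its IXP000.TMP / IXP001.TMP working directories; they run once, remove files and give the payload no persistence, so the "Adds Run key" hit should not be read as T1547.001 on its own. The classifier below, an added example that is not part of this report or of any sandbox product, applies those rules to report rows. The first four sample rows are copied from this report; the fifth is constructed to exercise the persistence branch and was not observed here.

```python
"""Classify registry write rows from a sandbox report by what they do to the host.

Added example, not taken from the report. SAMPLE_EVENTS rows 1-4 are this
report's own entries; row 5 is CONSTRUCTED and was not observed in the report.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Values under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
# that switch off a protection layer when set to 1.
DEFENDER_RTP_DISABLE = {
    "disablerealtimemonitoring", "disablebehaviormonitoring",
    "disableonaccessprotection", "disableioavprotection",
    "disablescanonrealtimeenable",
}
# HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = 0 is an
# attempt to switch off the feature that guards the settings above.
TAMPER_PROTECTION_KEY = "\\microsoft\\windows defender\\features"
# wextract.exe registers RunOnce\wextract_cleanup<n> to delete its IXP<nnn>.TMP
# directory via advpack.dll DelNodeRunDLL32: an extraction artifact, not persistence.
WEXTRACT_CLEANUP = re.compile(r"\\runonce\\wextract_cleanup\d+$", re.IGNORECASE)
RUN_KEY = re.compile(r"\\currentversion\\run(once)?\\[^\\]+$", re.IGNORECASE)


@dataclass
class Finding:
    verdict: str      # short label for the behaviour
    technique: str    # ATT&CK ID, or a note when the row is not an attack
    value_path: str   # registry value that was written
    process: str      # writing process as reported by the sandbox


def parse_set_value(row: str):
    """Parse '| Set value (type) | <path> = "<data>" | <process> | <target> |'.

    Returns (path, data, process), or None for rows that are not value writes
    (e.g. 'Key created', 'Key value queried').
    """
    cells = [c.strip() for c in row.strip().strip("|").split("|")]
    if len(cells) != 4 or not cells[0].startswith("Set value"):
        return None
    path, sep, data = cells[1].partition(" = ")
    if not sep:
        return None
    return path, data.strip('"'), cells[2]


def classify(row: str) -> Optional[Finding]:
    parsed = parse_set_value(row)
    if parsed is None:
        return None
    path, data, process = parsed
    key, _, name = path.lower().rpartition("\\")
    if (key.endswith("\\windows defender\\real-time protection")
            and name in DEFENDER_RTP_DISABLE and data == "1"):
        return Finding("defender_rtp_disabled", "T1562.001", path, process)
    if key.endswith(TAMPER_PROTECTION_KEY) and name == "tamperprotection" and data == "0":
        return Finding("tamper_protection_off", "T1562.001", path, process)
    if WEXTRACT_CLEANUP.search(path):
        return Finding("wextract_cleanup_stub", "sfx artifact, not persistence", path, process)
    if RUN_KEY.search(path):
        return Finding("run_key_persistence", "T1547.001", path, process)
    return None


def triage(rows: List[str]) -> List[Finding]:
    """Classify every row; rows matching no rule are dropped."""
    return [f for f in (classify(r) for r in rows) if f is not None]


SAMPLE_EVENTS = [
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr740821.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr740821.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\159dcf3aedb78137b0bab23d455c10951d4225cbf853851ed37684bc3cd09ef6.exe | N/A |',
    r'| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr740821.exe | N/A |',
    # CONSTRUCTED row (not from this report): a plain Run value pointing at a dropped binary.
    r'| Set value (str) | \REGISTRY\USER\S-1-5-21-0-0-0-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\Users\Admin\AppData\Roaming\updater.exe" | C:\constructed\sample.exe | N/A |',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.verdict:24} {f.technique:30} {f.process}")
```

The rule order matters: the wextract check runs before the generic Run/RunOnce check so that the self-extractor cleanup never surfaces as persistence, and the Defender rules check the written data, since a "0" written to a Disable* value is a restore, not a tamper.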
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku425116.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku425116.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr467122.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\159dcf3aedb78137b0bab23d455c10951d4225cbf853851ed37684bc3cd09ef6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziIp4234.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr740821.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr740821.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr740821.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku425116.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\159dcf3aedb78137b0bab23d455c10951d4225cbf853851ed37684bc3cd09ef6.exe | "C:\Users\Admin\AppData\Local\Temp\159dcf3aedb78137b0bab23d455c10951d4225cbf853851ed37684bc3cd09ef6.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziIp4234.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziIp4234.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr740821.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr740821.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku425116.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku425116.exe |
| C:\Windows\Temp\1.exe | "C:\Windows\Temp\1.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3568 -ip 3568 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 1504 |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr467122.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr467122.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
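Three things are mixed in the Network table: lookups sent to the 8.8.8.8 resolver (most of them reverse PTR queries, which can be turned back into the addresses the host resolved), TLS sessions to tse1.mm.bing.net, and twelve unresolved TCP connections to 77.91.124.145:4125 in Finland. The report does not tie that endpoint to a process, so it is a candidate C2 indicator, not a confirmed one. The script below, an added example rather than part of this report or of any sandbox tool, does that separation over the table rows verbatim (including rows with an empty Domain cell or a missing trailing delimiter). Treating bing.net hosts as Windows background traffic is an assumption of the example, not a statement by the report.

```python
"""Split a sandbox Network table into resolver lookups, reverse-lookup targets,
background traffic and candidate C2 endpoints.

Added example, not part of the report. NETWORK_TABLE is this report's table,
copied as-is. BACKGROUND_DOMAINS is an assumption: bing.net hosts are treated
as sandbox/OS background traffic, not as sample activity.
"""
from collections import Counter
from typing import Optional

BACKGROUND_DOMAINS = ("tse1.mm.bing.net",)   # assumption, see docstring
PROTOS = {"tcp", "udp"}

NETWORK_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| FI | 77.91.124.145:4125 | tcp | |
| FI | 77.91.124.145:4125 | tcp | |
| FI | 77.91.124.145:4125 | tcp | |
| FI | 77.91.124.145:4125 | tcp | |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| FI | 77.91.124.145:4125 | tcp | |
| FI | 77.91.124.145:4125 | tcp | |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| FI | 77.91.124.145:4125 | tcp | |
| FI | 77.91.124.145:4125 | tcp | |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| FI | 77.91.124.145:4125 | tcp | |
| FI | 77.91.124.145:4125 | tcp | |
| FI | 77.91.124.145:4125 | tcp | |
| FI | 77.91.124.145:4125 | tcp
"""


def parse_row(line: str) -> Optional[dict]:
    """Parse one row; tolerates an empty Domain cell (proto shifted left) and a
    missing trailing '|'. Returns None for the header and blank lines."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) < 3 or cells[0] == "Country":
        return None
    rest = cells[2:]
    proto = next((c.lower() for c in rest if c.lower() in PROTOS), "")
    domain = next((c for c in rest if c and c.lower() not in PROTOS), "")
    return {"country": cells[0], "dest": cells[1], "domain": domain, "proto": proto}


def ptr_to_ip(name: str) -> Optional[str]:
    """'196.249.167.52.in-addr.arpa' -> '52.167.249.196' (IPv4 reverse zone only)."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def triage_network(table: str) -> dict:
    out = {"ptr_targets": set(), "dns_queries": [], "background": Counter(), "candidate_c2": {}}
    for line in table.splitlines():
        row = parse_row(line)
        if row is None:
            continue
        is_dns = row["proto"] == "udp" and row["dest"].rpartition(":")[2] == "53"
        ip = ptr_to_ip(row["domain"])
        if is_dns and ip:                       # reverse lookup: recover the address
            out["ptr_targets"].add(ip)
        elif row["domain"].endswith(BACKGROUND_DOMAINS):
            out["background"][row["domain"]] += 1
        elif is_dns:                            # forward lookup of something else
            out["dns_queries"].append(row["domain"])
        else:                                   # unresolved, non-background endpoint
            c2 = out["candidate_c2"].setdefault(
                row["dest"], {"country": row["country"], "proto": row["proto"], "connections": 0})
            c2["connections"] += 1
    out["ptr_targets"] = sorted(out["ptr_targets"])
    return out


if __name__ == "__main__":
    for k, v in triage_network(NETWORK_TABLE).items():
        print(f"{k}: {v}")
```

The PTR targets are reported as addresses only; whether they were resolved by the sample or by the OS is not something the table alone settles, so they belong in the "seen" list, not in a blocklist.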
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziIp4234.exe
| MD5 | 9b730d4e9d4f97c0f68ebb4e7cc33499 |
| SHA1 | 0a19f6c93dec9223cb61f1f5f7bd2a6cb2d53de1 |
| SHA256 | 88f789c97469a9ca125d21e3ca11ef8e1603d8d98d4cc2fc2a1341848ecd4b99 |
| SHA512 | cc0198d6639b37eb6b61e0fda065110aa60837a737886aed0b5c1f7ad7849180387a7fcfe7c6468d43e99ce63b6cc194e72d4ab20ed1d29e2182ec06b8c93cf0 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr740821.exe
| MD5 | 6738eac5b0f1682e8a405fe64bf387ea |
| SHA1 | 3869baf9b30f7db69d54a140db40a890f40fad98 |
| SHA256 | 1fcd924e520106664ed759924eb74819828823ce1d13a6ec47604f67fa69e15c |
| SHA512 | 54940ba5013689b9fe7b97feb93d19341800a13cd3de07636834666e667b67f64baaab442578070c08cac9ebb0425c71ff23f14549829b2dccd4784009c5949c |
memory/4176-14-0x00007FFD0A653000-0x00007FFD0A655000-memory.dmp
memory/4176-15-0x0000000000C70000-0x0000000000C7A000-memory.dmp
memory/4176-16-0x00007FFD0A653000-0x00007FFD0A655000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku425116.exe
| MD5 | 4848af8c07a3dc5b75097ec73fe1a289 |
| SHA1 | 0a018ec3cda318e097247a070e82cd1b13457660 |
| SHA256 | 04871282c00f10501fdee9b7937fcc3eb7a495edf3cf97128c0a104cfe296b29 |
| SHA512 | f5635c39b6c2e9cd00c97ffd5f20ce5aa30cb63b09be0ddef6d7fd72070599c3d53388ffbf67afdfdf9de8515082ab6c56583bfe942fa50dcc40face07cf14fd |
memory/3568-22-0x00000000025F0000-0x0000000002656000-memory.dmp
memory/3568-23-0x0000000004C10000-0x00000000051B4000-memory.dmp
memory/3568-24-0x00000000051C0000-0x0000000005226000-memory.dmp
memory/3568-26-0x00000000051C0000-0x000000000521F000-memory.dmp
memory/3568-40-0x00000000051C0000-0x000000000521F000-memory.dmp
memory/3568-88-0x00000000051C0000-0x000000000521F000-memory.dmp
memory/3568-86-0x00000000051C0000-0x000000000521F000-memory.dmp
memory/3568-84-0x00000000051C0000-0x000000000521F000-memory.dmp
memory/3568-82-0x00000000051C0000-0x000000000521F000-memory.dmp
memory/3568-80-0x00000000051C0000-0x000000000521F000-memory.dmp
memory/3568-76-0x00000000051C0000-0x000000000521F000-memory.dmp
memory/3568-74-0x00000000051C0000-0x000000000521F000-memory.dmp
memory/3568-72-0x00000000051C0000-0x000000000521F000-memory.dmp
memory/3568-70-0x00000000051C0000-0x000000000521F000-memory.dmp
memory/3568-68-0x00000000051C0000-0x000000000521F000-memory.dmp
memory/3568-66-0x00000000051C0000-0x000000000521F000-memory.dmp
memory/3568-64-0x00000000051C0000-0x000000000521F000-memory.dmp
memory/3568-62-0x00000000051C0000-0x000000000521F000-memory.dmp
memory/3568-60-0x00000000051C0000-0x000000000521F000-memory.dmp
memory/3568-58-0x00000000051C0000-0x000000000521F000-memory.dmp
memory/3568-56-0x00000000051C0000-0x000000000521F000-memory.dmp
memory/3568-54-0x00000000051C0000-0x000000000521F000-memory.dmp
memory/3568-50-0x00000000051C0000-0x000000000521F000-memory.dmp
memory/3568-48-0x00000000051C0000-0x000000000521F000-memory.dmp
memory/3568-46-0x00000000051C0000-0x000000000521F000-memory.dmp
memory/3568-44-0x00000000051C0000-0x000000000521F000-memory.dmp
memory/3568-42-0x00000000051C0000-0x000000000521F000-memory.dmp
memory/3568-38-0x00000000051C0000-0x000000000521F000-memory.dmp
memory/3568-36-0x00000000051C0000-0x000000000521F000-memory.dmp
memory/3568-34-0x00000000051C0000-0x000000000521F000-memory.dmp
memory/3568-32-0x00000000051C0000-0x000000000521F000-memory.dmp
memory/3568-30-0x00000000051C0000-0x000000000521F000-memory.dmp
memory/3568-28-0x00000000051C0000-0x000000000521F000-memory.dmp
memory/3568-78-0x00000000051C0000-0x000000000521F000-memory.dmp
memory/3568-52-0x00000000051C0000-0x000000000521F000-memory.dmp
memory/3568-25-0x00000000051C0000-0x000000000521F000-memory.dmp
memory/3568-2105-0x0000000005400000-0x0000000005432000-memory.dmp
C:\Windows\Temp\1.exe
| MD5 | 1073b2e7f778788852d3f7bb79929882 |
| SHA1 | 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4 |
| SHA256 | c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb |
| SHA512 | 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0 |
memory/2664-2118-0x0000000000BB0000-0x0000000000BE0000-memory.dmp
memory/2664-2119-0x0000000002F00000-0x0000000002F06000-memory.dmp
memory/2664-2120-0x0000000005AE0000-0x00000000060F8000-memory.dmp
memory/2664-2121-0x0000000005600000-0x000000000570A000-memory.dmp
memory/2664-2122-0x0000000005530000-0x0000000005542000-memory.dmp
memory/2664-2123-0x0000000005590000-0x00000000055CC000-memory.dmp
memory/2664-2124-0x0000000005710000-0x000000000575C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr467122.exe
| MD5 | 740c8cc1da1e6c3a2db7551e24219cc6 |
| SHA1 | ae2036ad907706ee3fb57eeae5f3f1d719ebe913 |
| SHA256 | 073cf5511f27d66a1c59c901566a7b4982c95d564daf96846554cce9abcb0e65 |
| SHA512 | b5504301eeef51aa80463a2947d1afd1b64d7baf04480ecc68cb88f38f5e94994e412bfb13fef62dfa8d50c5173e71feb77c01aa3687ea3fab8d400b88d27107 |
memory/400-2129-0x0000000000400000-0x0000000000430000-memory.dmp
memory/400-2130-0x0000000002460000-0x0000000002466000-memory.dmp