Analysis Overview
SHA256
d60b4418c969bf7ebddfa3032b04fa6cb53d5877140e8afe91c8c25155c72841
Threat Level: Known bad
The file d60b4418c969bf7ebddfa3032b04fa6cb53d5877140e8afe91c8c25155c72841 was found to be: Known bad.
Malicious Activity Summary
RedLine payload
RedLine
Redline family
Healer
Detects Healer an antivirus disabler dropper
Healer family
Modifies Windows Defender Real-time Protection settings
Checks computer location settings
Windows security modification
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-06 10:55
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-06 10:55
Reported
2024-11-06 10:57
Platform
win10v2004-20241007-en
Max time kernel
145s
Max time network
149s
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr451866.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr451866.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr451866.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr451866.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr451866.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr451866.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku966481.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziCc3078.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr451866.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku966481.exe | N/A |
| N/A | N/A | C:\Windows\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr940043.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr451866.exe | N/A |
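The two tables above are the part of this report most worth turning into a detection: jr451866.exe writes five Disable* values under the Defender Real-Time Protection policy key and sets TamperProtection to 0 (ATT&CK T1562.001, Impair Defenses). The following Python is an added example and not part of the sandbox output; it runs a simple rule over constructed Sysmon Event ID 13 style records built from the rows above (the trusted-image allow-list and the two-value threshold are assumptions to tune per environment). Whether such writes actually take effect depends on Tamper Protection; the write attempt from an unsigned binary in %TEMP% is the signal regardless.

```python
"""Flag Windows Defender tampering from registry-set telemetry.

Added example (not part of the sandbox report). Input records mimic the
Image / TargetObject / Details fields of Sysmon Event ID 13 and are
constructed from the rows in the report above.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

RTP_POLICY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"

# Values the sample wrote; each one switches off a real-time protection feature.
RTP_DISABLE_VALUES = {
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableRealtimeMonitoring",
    "DisableScanOnRealtimeEnable",
}
TAMPER_PROTECTION = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection"

# Assumption: images allowed to touch these keys (Group Policy processing
# runs inside svchost). Tune per environment.
TRUSTED_IMAGES = {r"c:\windows\system32\svchost.exe"}


@dataclass(frozen=True)
class RegSetEvent:
    image: str    # writing process (Sysmon "Image")
    target: str   # full value path (Sysmon "TargetObject")
    details: str  # written data as Sysmon renders it, e.g. "DWORD (0x00000001)"


def _normalise(path: str) -> str:
    # Sysmon logs HKLM\..., the sandbox logs \REGISTRY\MACHINE\...; accept both.
    p = path.replace("\\REGISTRY\\MACHINE\\", "HKLM\\").replace("\\REGISTRY\\USER\\", "HKU\\")
    return p.rstrip("\\")


def _dword(details: str) -> int | None:
    # Parse "DWORD (0x00000001)" style data; None for anything else.
    if details.startswith("DWORD (") and details.endswith(")"):
        return int(details[len("DWORD ("):-1], 16)
    return None


def detect_defender_tampering(events: list[RegSetEvent]) -> list[dict]:
    """One finding per process that disables Defender through the registry.

    Rule: a TamperProtection = 0 write is a hit on its own; otherwise the
    process must set at least two distinct Real-Time Protection Disable*
    values to 1, which keeps one-off admin changes out of the results.
    """
    per_image: dict[str, set[str]] = defaultdict(set)
    tamper_off: set[str] = set()
    for ev in events:
        if ev.image.lower() in TRUSTED_IMAGES:
            continue
        target = _normalise(ev.target)
        key, _, value = target.rpartition("\\")
        data = _dword(ev.details)
        if key.lower() == RTP_POLICY.lower() and value in RTP_DISABLE_VALUES and data == 1:
            per_image[ev.image].add(value)
        elif target.lower() == TAMPER_PROTECTION.lower() and data == 0:
            tamper_off.add(ev.image)

    findings = []
    for image in sorted(per_image.keys() | tamper_off):
        values = sorted(per_image.get(image, ()))
        if image in tamper_off or len(values) >= 2:
            findings.append({
                "image": image,
                "disabled": values,
                "tamper_protection_off": image in tamper_off,
                "technique": "T1562.001",  # Impair Defenses: Disable or Modify Tools
            })
    return findings


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr451866.exe"

# Constructed telemetry mirroring the report's rows, plus one benign write.
SAMPLE_EVENTS = [
    RegSetEvent(DROPPER, RTP_POLICY + "\\" + v, "DWORD (0x00000001)")
    for v in sorted(RTP_DISABLE_VALUES)
] + [
    RegSetEvent(DROPPER,
                r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection",
                "DWORD (0x00000000)"),
    # Benign: Group Policy setting a single value must not fire.
    RegSetEvent(r"C:\Windows\System32\svchost.exe",
                RTP_POLICY + r"\DisableRealtimeMonitoring", "DWORD (0x00000001)"),
]

if __name__ == "__main__":
    for finding in detect_defender_tampering(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events the rule produces a single finding for jr451866.exe listing all five disabled features with tamper_protection_off set; the svchost write is ignored by the allow-list, and an untrusted process writing only one Disable* value stays below the threshold.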
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\d60b4418c969bf7ebddfa3032b04fa6cb53d5877140e8afe91c8c25155c72841.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziCc3078.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku966481.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr940043.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d60b4418c969bf7ebddfa3032b04fa6cb53d5877140e8afe91c8c25155c72841.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziCc3078.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku966481.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr451866.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr451866.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr451866.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku966481.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d60b4418c969bf7ebddfa3032b04fa6cb53d5877140e8afe91c8c25155c72841.exe
"C:\Users\Admin\AppData\Local\Temp\d60b4418c969bf7ebddfa3032b04fa6cb53d5877140e8afe91c8c25155c72841.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziCc3078.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziCc3078.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr451866.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr451866.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku966481.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku966481.exe
C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3520 -ip 3520
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 988
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr940043.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr940043.exe
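A caveat on the "Adds Run key to start application" rows and the process list above: IXPnnn.TMP directories and RunOnce values named wextract_cleanupN are written by every IExpress (wextract.exe) self-extracting package, and the value only schedules rundll32 advpack.dll,DelNodeRunDLL32 to delete the extraction directory at next logon; it is not an autostart for the payload. What is unusual here is that the extracted ziCc3078.exe (in IXP000.TMP) is itself a self-extractor that unpacks to IXP001.TMP, and that the cleanup entries will remove the dropped files before a responder gets to them. The following Python is an added example, not part of the report: it rebuilds the drop chain from constructed Sysmon Event ID 1 style records and lists the directories the RunOnce entries will delete. The report does not show parent PIDs, so the parent/child links in the sample data are assumptions drawn from the directory layout, and all PIDs other than 3520, 3980, 5332 and 876 are made up.

```python
"""Reconstruct a nested IExpress (wextract) drop chain from process telemetry.

Added example, not part of the sandbox report. IXPnnn.TMP directories and
RunOnce "wextract_cleanupN" values are normal wextract artifacts; the signal
is an SFX whose payload is another SFX (IXP000 -> IXP001). Parent links in
the sample data are assumed from the report's directory layout.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

IXP_DIR = re.compile(r"\\AppData\\Local\\Temp\\IXP(\d{3})\.TMP\\", re.IGNORECASE)
# RunOnce data written by wextract: rundll32 advpack.dll,DelNodeRunDLL32 "<dir>"
CLEANUP = re.compile(r'DelNodeRunDLL32\s+"([^"]+)"', re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:  # subset of Sysmon Event ID 1
    pid: int
    ppid: int
    image: str


def ixp_depth(image: str) -> int:
    """0 for images outside an IXPnnn.TMP directory, else nnn + 1.

    wextract picks the first unused IXPnnn.TMP name, so IXP001 means IXP000
    still existed when the second extractor ran: a nested or chained SFX.
    """
    m = IXP_DIR.search(image)
    return int(m.group(1)) + 1 if m else 0


def sfx_chains(events: list[ProcessEvent], min_depth: int = 2) -> list[list[str]]:
    """Ancestor chains (root -> leaf) for every process started from an
    IXP directory at least `min_depth` levels deep."""
    by_pid = {e.pid: e for e in events}
    chains = []
    for e in events:
        if ixp_depth(e.image) < min_depth:
            continue
        chain, cur, seen = [], e, set()
        while cur is not None and cur.pid not in seen:  # guard against PID reuse loops
            seen.add(cur.pid)
            chain.append(cur.image)
            cur = by_pid.get(cur.ppid)
        chains.append(chain[::-1])
    return chains


def scheduled_deletions(runonce_values: dict[str, str]) -> list[str]:
    """Directories the wextract RunOnce entries delete at next logon.
    Collect them (and the hashes above) before the host reboots."""
    dirs = []
    for name, data in runonce_values.items():
        if name.lower().startswith("wextract_cleanup"):
            m = CLEANUP.search(data.replace("\\\\", "\\"))  # sandbox escapes backslashes
            if m:
                dirs.append(m.group(1))
    return dirs


T = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = T + r"\d60b4418c969bf7ebddfa3032b04fa6cb53d5877140e8afe91c8c25155c72841.exe"

# Constructed process tree; parent links assumed, PIDs 1000/1100/600 made up.
SAMPLE_PROCESSES = [
    ProcessEvent(1000, 600, SAMPLE),
    ProcessEvent(1100, 1000, T + r"\IXP000.TMP\ziCc3078.exe"),
    ProcessEvent(3980, 1100, T + r"\IXP001.TMP\jr451866.exe"),
    ProcessEvent(3520, 1100, T + r"\IXP001.TMP\ku966481.exe"),
    ProcessEvent(5332, 3520, r"C:\Windows\Temp\1.exe"),
    ProcessEvent(876, 1000, T + r"\IXP000.TMP\lr940043.exe"),
]

# RunOnce data as the report prints it (backslashes doubled).
SAMPLE_RUNONCE = {
    "wextract_cleanup0": r'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 "'
                         + T.replace("\\", "\\\\") + r'\\IXP000.TMP\\"',
    "wextract_cleanup1": r'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 "'
                         + T.replace("\\", "\\\\") + r'\\IXP001.TMP\\"',
}

if __name__ == "__main__":
    for chain in sfx_chains(SAMPLE_PROCESSES):
        print(" -> ".join(chain))
    print("will be deleted at next logon:", scheduled_deletions(SAMPLE_RUNONCE))
```

On the constructed tree this yields two chains, sample -> ziCc3078.exe -> jr451866.exe and sample -> ziCc3078.exe -> ku966481.exe, and reports IXP000.TMP and IXP001.TMP as the directories that disappear at the next logon; 1.exe in C:\Windows\Temp is outside any IXP directory and is reached through the chain rather than flagged on its own.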
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziCc3078.exe
| MD5 | 6b3244737e5d6196ec98607996540c84 |
| SHA1 | ff257560e7b2fc9ef4ff3a707c4181fa17fc7a5e |
| SHA256 | fef27fffbdd5b07c409de290fdcd809154bd36e789c95e7a9ed3850135e1fb20 |
| SHA512 | c4a446ba309e28d9efc9fbcb1f1ab75438132f234e7d31d28eae74bec5b64d07f3db821727aae2a6afdd74bd1aa6990dc8bd4106733e908cea1ba9670623bb5a |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr451866.exe
| MD5 | db8a347bb5ceef29d6ad153a64dc2e90 |
| SHA1 | dcf12126d9dbaa83c8f398b7793605769030430b |
| SHA256 | 9f6c8fa2b1e85c1fd38054cebad87a7815d083f53e2f0e2fd33030461c556744 |
| SHA512 | a61ee054bb2ac7dad600af3901e6de1b93ac595dcfd72617493f0d3e4c6defdab2b8548d2edda0d5ed48f32ceb70faf44e7cccb06cf4c99ba919031ace31b295 |
memory/3980-14-0x00007FFE30323000-0x00007FFE30325000-memory.dmp
memory/3980-15-0x0000000000E00000-0x0000000000E0A000-memory.dmp
memory/3980-16-0x00007FFE30323000-0x00007FFE30325000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku966481.exe
| MD5 | 63b5e01623eba00d835e1678a760d731 |
| SHA1 | 6e8be88f427498f2ca884f3bf38d71e65d380df1 |
| SHA256 | 974ce6acd4c1aae7ef388012134f2c8d06508a9b67ea6a7d16fee3340d284409 |
| SHA512 | e33902086f9246dd856bf989a9536150a1c88ad56371e492e415e5198c26e1072430ae857266ee848d57553c6cd4b53e7a170609953b7a913eecd552df043a77 |
memory/3520-22-0x0000000004AB0000-0x0000000004B16000-memory.dmp
memory/3520-23-0x0000000004C40000-0x00000000051E4000-memory.dmp
memory/3520-24-0x0000000005230000-0x0000000005296000-memory.dmp
memory/3520-30-0x0000000005230000-0x000000000528F000-memory.dmp
memory/3520-42-0x0000000005230000-0x000000000528F000-memory.dmp
memory/3520-88-0x0000000005230000-0x000000000528F000-memory.dmp
memory/3520-86-0x0000000005230000-0x000000000528F000-memory.dmp
memory/3520-84-0x0000000005230000-0x000000000528F000-memory.dmp
memory/3520-82-0x0000000005230000-0x000000000528F000-memory.dmp
memory/3520-80-0x0000000005230000-0x000000000528F000-memory.dmp
memory/3520-78-0x0000000005230000-0x000000000528F000-memory.dmp
memory/3520-74-0x0000000005230000-0x000000000528F000-memory.dmp
memory/3520-72-0x0000000005230000-0x000000000528F000-memory.dmp
memory/3520-70-0x0000000005230000-0x000000000528F000-memory.dmp
memory/3520-68-0x0000000005230000-0x000000000528F000-memory.dmp
memory/3520-66-0x0000000005230000-0x000000000528F000-memory.dmp
memory/3520-64-0x0000000005230000-0x000000000528F000-memory.dmp
memory/3520-62-0x0000000005230000-0x000000000528F000-memory.dmp
memory/3520-60-0x0000000005230000-0x000000000528F000-memory.dmp
memory/3520-58-0x0000000005230000-0x000000000528F000-memory.dmp
memory/3520-56-0x0000000005230000-0x000000000528F000-memory.dmp
memory/3520-52-0x0000000005230000-0x000000000528F000-memory.dmp
memory/3520-50-0x0000000005230000-0x000000000528F000-memory.dmp
memory/3520-48-0x0000000005230000-0x000000000528F000-memory.dmp
memory/3520-46-0x0000000005230000-0x000000000528F000-memory.dmp
memory/3520-44-0x0000000005230000-0x000000000528F000-memory.dmp
memory/3520-40-0x0000000005230000-0x000000000528F000-memory.dmp
memory/3520-38-0x0000000005230000-0x000000000528F000-memory.dmp
memory/3520-36-0x0000000005230000-0x000000000528F000-memory.dmp
memory/3520-34-0x0000000005230000-0x000000000528F000-memory.dmp
memory/3520-32-0x0000000005230000-0x000000000528F000-memory.dmp
memory/3520-28-0x0000000005230000-0x000000000528F000-memory.dmp
memory/3520-76-0x0000000005230000-0x000000000528F000-memory.dmp
memory/3520-54-0x0000000005230000-0x000000000528F000-memory.dmp
memory/3520-26-0x0000000005230000-0x000000000528F000-memory.dmp
memory/3520-25-0x0000000005230000-0x000000000528F000-memory.dmp
memory/3520-2105-0x0000000005420000-0x0000000005452000-memory.dmp
C:\Windows\Temp\1.exe
| MD5 | 1073b2e7f778788852d3f7bb79929882 |
| SHA1 | 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4 |
| SHA256 | c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb |
| SHA512 | 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0 |
memory/5332-2118-0x0000000000A30000-0x0000000000A60000-memory.dmp
memory/5332-2119-0x0000000002CE0000-0x0000000002CE6000-memory.dmp
memory/5332-2120-0x00000000059E0000-0x0000000005FF8000-memory.dmp
memory/5332-2121-0x00000000054D0000-0x00000000055DA000-memory.dmp
memory/5332-2122-0x00000000053C0000-0x00000000053D2000-memory.dmp
memory/5332-2123-0x00000000053E0000-0x000000000541C000-memory.dmp
memory/5332-2124-0x0000000005460000-0x00000000054AC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr940043.exe
| MD5 | 9d6a6642cfc8061a44cfbf95f3fe85bf |
| SHA1 | e93ebe7ff2bfc8e1d9aa19ecbae635aa9a3dd2ca |
| SHA256 | 9bdc5fd6463d0ae66566477a9760be4da79f2a44577b73c2247f64bde9d0c9c8 |
| SHA512 | 0262d0bb702fe134178d8cf86d43188ebb543245acbcbb99d3ea5c5647a69991a805f89c34405a0ac9914226962fbdf4493cebc284e82161ed61f8f4833715c8 |
memory/876-2129-0x0000000000BB0000-0x0000000000BE0000-memory.dmp
memory/876-2130-0x0000000002D40000-0x0000000002D46000-memory.dmp