Analysis Overview
SHA256
6ccf1c5e23eccf909c931c916d6df0185db7f0275887bbb610e93e7aa299280a
Threat Level: Known bad
The file 6ccf1c5e23eccf909c931c916d6df0185db7f0275887bbb610e93e7aa299280a was found to be: Known bad.
Malicious Activity Summary
Detects Healer an antivirus disabler dropper
RedLine payload
Modifies Windows Defender Real-time Protection settings
Healer family
Healer
Redline family
RedLine
Executes dropped EXE
Checks computer location settings
Windows security modification
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-06 13:21
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-06 13:21
Reported
2024-11-06 13:23
Platform
win10v2004-20241007-en
Max time kernel
144s
Max time network
148s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr056926.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr056926.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr056926.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr056926.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr056926.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr056926.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku961519.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziBI6216.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr056926.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku961519.exe | N/A |
| N/A | N/A | C:\Windows\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr816756.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr056926.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\6ccf1c5e23eccf909c931c916d6df0185db7f0275887bbb610e93e7aa299280a.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziBI6216.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku961519.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6ccf1c5e23eccf909c931c916d6df0185db7f0275887bbb610e93e7aa299280a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziBI6216.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku961519.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr816756.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr056926.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr056926.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr056926.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku961519.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\6ccf1c5e23eccf909c931c916d6df0185db7f0275887bbb610e93e7aa299280a.exe | "C:\Users\Admin\AppData\Local\Temp\6ccf1c5e23eccf909c931c916d6df0185db7f0275887bbb610e93e7aa299280a.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziBI6216.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziBI6216.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr056926.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr056926.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku961519.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku961519.exe |
| C:\Windows\Temp\1.exe | "C:\Windows\Temp\1.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4276 -ip 4276 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 1524 |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr816756.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr816756.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| FI | 77.91.124.145:4125 | N/A | tcp |
| FI | 77.91.124.145:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| FI | 77.91.124.145:4125 | N/A | tcp |
| FI | 77.91.124.145:4125 | N/A | tcp |
| FI | 77.91.124.145:4125 | N/A | tcp |
| FI | 77.91.124.145:4125 | N/A | tcp |
| FI | 77.91.124.145:4125 | N/A | tcp |
| FI | 77.91.124.145:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| FI | 77.91.124.145:4125 | N/A | tcp |
| FI | 77.91.124.145:4125 | N/A | tcp |
| FI | 77.91.124.145:4125 | N/A | tcp |
| FI | 77.91.124.145:4125 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziBI6216.exe
| MD5 | f3c9623e26fa705be652ccabeacde89f |
| SHA1 | 87c9b9c06e84ab26869c148a3e46e7d452aeb3b7 |
| SHA256 | 29eb38765be52af964270c7b6698e498a014bc10ec4fa64a86a169607ac75c0e |
| SHA512 | 401d1ecc64022bdade92061a8ae11482cb0e0300a3e5cfcf164281afc157f5b826444fb1fe4110601c87c007df85f313063b57f9aef97af8e5dad2686d3efd43 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr056926.exe
| MD5 | b6d8535a4f01ee6353c1fc97729653b4 |
| SHA1 | 46e8d22093f14941d719b0fd45ab255348de1cc0 |
| SHA256 | 9764feb210d842bff640df3b406c99fe77492c0ee4cbfc22dd60d648b0ef8c1c |
| SHA512 | 732deb510f1bbf920f039311732aebc673771730b04c67a565210aaabccce4b10497863fb1599bfe320ca1a0d2964f4414b5c76f577abf840568b6b8a54d3c3a |
memory/2040-14-0x00007FF8E7EE3000-0x00007FF8E7EE5000-memory.dmp
memory/2040-15-0x0000000000F30000-0x0000000000F3A000-memory.dmp
memory/2040-16-0x00007FF8E7EE3000-0x00007FF8E7EE5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku961519.exe
| MD5 | 23ff891ed71f0a0884f4bcd9e2279c0c |
| SHA1 | 59b0095a1702797e6970ddf7c1128f014c4c62d0 |
| SHA256 | c7c6f40316975137a404a90aac4a5311b6ab5ad91301425a7e571d6ab468a4bd |
| SHA512 | 33254692ef964ad0ca4d55aa6ba76287723ec821a78c2336f274dd2d99e207c4c986158eef4441e1512b928131ad6782c8924d1a3fc80aadc095cdc7d5c94bab |
memory/4276-22-0x0000000004CA0000-0x0000000004D06000-memory.dmp
memory/4276-23-0x0000000004D10000-0x00000000052B4000-memory.dmp
memory/4276-24-0x0000000005300000-0x0000000005366000-memory.dmp
memory/4276-42-0x0000000005300000-0x000000000535F000-memory.dmp
memory/4276-88-0x0000000005300000-0x000000000535F000-memory.dmp
memory/4276-86-0x0000000005300000-0x000000000535F000-memory.dmp
memory/4276-84-0x0000000005300000-0x000000000535F000-memory.dmp
memory/4276-82-0x0000000005300000-0x000000000535F000-memory.dmp
memory/4276-80-0x0000000005300000-0x000000000535F000-memory.dmp
memory/4276-78-0x0000000005300000-0x000000000535F000-memory.dmp
memory/4276-76-0x0000000005300000-0x000000000535F000-memory.dmp
memory/4276-74-0x0000000005300000-0x000000000535F000-memory.dmp
memory/4276-72-0x0000000005300000-0x000000000535F000-memory.dmp
memory/4276-68-0x0000000005300000-0x000000000535F000-memory.dmp
memory/4276-66-0x0000000005300000-0x000000000535F000-memory.dmp
memory/4276-64-0x0000000005300000-0x000000000535F000-memory.dmp
memory/4276-62-0x0000000005300000-0x000000000535F000-memory.dmp
memory/4276-60-0x0000000005300000-0x000000000535F000-memory.dmp
memory/4276-58-0x0000000005300000-0x000000000535F000-memory.dmp
memory/4276-56-0x0000000005300000-0x000000000535F000-memory.dmp
memory/4276-54-0x0000000005300000-0x000000000535F000-memory.dmp
memory/4276-52-0x0000000005300000-0x000000000535F000-memory.dmp
memory/4276-48-0x0000000005300000-0x000000000535F000-memory.dmp
memory/4276-46-0x0000000005300000-0x000000000535F000-memory.dmp
memory/4276-44-0x0000000005300000-0x000000000535F000-memory.dmp
memory/4276-40-0x0000000005300000-0x000000000535F000-memory.dmp
memory/4276-38-0x0000000005300000-0x000000000535F000-memory.dmp
memory/4276-36-0x0000000005300000-0x000000000535F000-memory.dmp
memory/4276-34-0x0000000005300000-0x000000000535F000-memory.dmp
memory/4276-32-0x0000000005300000-0x000000000535F000-memory.dmp
memory/4276-30-0x0000000005300000-0x000000000535F000-memory.dmp
memory/4276-28-0x0000000005300000-0x000000000535F000-memory.dmp
memory/4276-71-0x0000000005300000-0x000000000535F000-memory.dmp
memory/4276-26-0x0000000005300000-0x000000000535F000-memory.dmp
memory/4276-50-0x0000000005300000-0x000000000535F000-memory.dmp
memory/4276-25-0x0000000005300000-0x000000000535F000-memory.dmp
memory/4276-2105-0x0000000005540000-0x0000000005572000-memory.dmp
C:\Windows\Temp\1.exe
| MD5 | 1073b2e7f778788852d3f7bb79929882 |
| SHA1 | 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4 |
| SHA256 | c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb |
| SHA512 | 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0 |
memory/1444-2118-0x0000000000D20000-0x0000000000D50000-memory.dmp
memory/1444-2119-0x0000000005640000-0x0000000005646000-memory.dmp
memory/1444-2120-0x0000000005CA0000-0x00000000062B8000-memory.dmp
memory/1444-2121-0x0000000005790000-0x000000000589A000-memory.dmp
memory/1444-2122-0x00000000056A0000-0x00000000056B2000-memory.dmp
memory/1444-2123-0x0000000005700000-0x000000000573C000-memory.dmp
memory/1444-2124-0x00000000058A0000-0x00000000058EC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr816756.exe
| MD5 | a37f1aeb7d6d9342a86bc1a4bca4d896 |
| SHA1 | f769ac40cee86f6e72f22b276d7d9d469c2557d8 |
| SHA256 | d78089baaaffe4f566b4711e1ed9c78870cc2b11c9eec515afaf73454eb8acc6 |
| SHA512 | 0ece535b73a57dea82c89b3e25ea6dba5ee96830d911205fbc72059205e2b1ed31f8d779b00f72b0f4030694e680612ee6c4c4e4c4d6a630251a6bb501ae5dc4 |
memory/5856-2129-0x00000000006D0000-0x0000000000700000-memory.dmp
memory/5856-2130-0x0000000002AA0000-0x0000000002AA6000-memory.dmp