Analysis Overview
SHA256
888308e45baa19e78da1909d01e00a68d538845a37cf5a109c0a9c0ebcca57a1
Threat Level: Known bad
The file 888308e45baa19e78da1909d01e00a68d538845a37cf5a109c0a9c0ebcca57a1 was found to be: Known bad.
Malicious Activity Summary
Healer
RedLine payload
Healer family
Detects Healer an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
Redline family
RedLine
Executes dropped EXE
Windows security modification
Checks computer location settings
Adds Run key to start application
Program crash
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-06 15:34
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-06 15:34
Reported
2024-11-06 15:36
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr558241.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr558241.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr558241.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr558241.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr558241.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr558241.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku195123.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixF3380.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr558241.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku195123.exe | N/A |
| N/A | N/A | C:\Windows\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr918942.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr558241.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\888308e45baa19e78da1909d01e00a68d538845a37cf5a109c0a9c0ebcca57a1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixF3380.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku195123.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku195123.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr918942.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\888308e45baa19e78da1909d01e00a68d538845a37cf5a109c0a9c0ebcca57a1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixF3380.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr558241.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr558241.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr558241.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku195123.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\888308e45baa19e78da1909d01e00a68d538845a37cf5a109c0a9c0ebcca57a1.exe
"C:\Users\Admin\AppData\Local\Temp\888308e45baa19e78da1909d01e00a68d538845a37cf5a109c0a9c0ebcca57a1.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixF3380.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixF3380.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr558241.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr558241.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku195123.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku195123.exe
C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 984 -ip 984
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 984 -s 1520
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr918942.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr918942.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixF3380.exe
| MD5 | 29510d025d8e9e46d628898e2e434fb1 |
| SHA1 | 161c86db7f89ccac724d2b55664a0f30fe1cc59c |
| SHA256 | ec166d6a137a963cecd9bad6a03cae6e675bdb98181c246c252e56c51e95c440 |
| SHA512 | a2454bf9306cfde8ca70982a38d462aeca25fb21f0c74d33de3971552adfdfb676caf44adc33bdc06d93943f8023c63e8a5cf69f88d91732a180a03785e29a51 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr558241.exe
| MD5 | 73397f266a43391d786838a8438493ef |
| SHA1 | ef22bc8d6608805b21f79d52deedfc1baf1842a2 |
| SHA256 | f103dbef491a7beef6e2f6e3ca0fa413dc16e8c136ef4683b782adc7da21f3dd |
| SHA512 | 3d8597bb915c6a1ce9365194b83c4c6c1719424a383e4797257b8ea1e10d9d8eae433965714db958bc37e08809fe68d0e6386a766a6ca06026af03e2573438da |
memory/2892-15-0x0000000000F80000-0x0000000000F8A000-memory.dmp
memory/2892-14-0x00007FF8FC283000-0x00007FF8FC285000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku195123.exe
| MD5 | 9bab8c67ca17076317b5b1b0672b428a |
| SHA1 | ad0a841eb1e8bfe01728aad97fc4ab623872813e |
| SHA256 | 56a5790464c8f55e59a60548479a4a3cfe621f7edc20ac79a959042c41cdb92b |
| SHA512 | 6cd85cde9c8c62a1bb93188d1dfd5f8eeebab74108d36a38666c05f2980a4d07bf8ffc4c689bf5d8e2306c444f9265765fce1c966916a7d0ab87cbf7e898dd86 |
C:\Windows\Temp\1.exe
| MD5 | 1073b2e7f778788852d3f7bb79929882 |
| SHA1 | 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4 |
| SHA256 | c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb |
| SHA512 | 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr918942.exe
| MD5 | dbc1a106c3db5e1aba72111e14999cb6 |
| SHA1 | c71b410f458314a9a4d0d6d443fbea215d4d1b84 |
| SHA256 | 53c9c4ec0862154430e3085718e274c05e99b05d945fcc3f62c8890ebc7558ed |
| SHA512 | aa0e084c6bc97dc8c4f56a2e29505cfcb3439bc3cab7dac59d5cb0dd70a23badbb73cdbd8522aae2b2ce0f11d1417390ad8847699fefcd5fcf9fb0eaee7ef091 |
memory/6096-2128-0x0000000000E10000-0x0000000000E40000-memory.dmp
memory/6096-2129-0x0000000001700000-0x0000000001706000-memory.dmp