Analysis Overview
SHA256
087eaf76a9ad78d803fb5f39fb1d71d7a7c12cce610f0d02e7e55571f5f4d8ab
Threat Level: Known bad
The file 087eaf76a9ad78d803fb5f39fb1d71d7a7c12cce610f0d02e7e55571f5f4d8ab was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
Redline family
Healer family
Healer
Modifies Windows Defender Real-time Protection settings
Detects Healer, an antivirus disabler dropper
Windows security modification
Checks computer location settings
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Program crash
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-06 19:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-06 19:30
Reported
2024-11-06 19:32
Platform
win10v2004-20241007-en
Max time kernel
146s
Max time network
154s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr592117.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr592117.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr592117.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr592117.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr592117.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr592117.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku902684.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibZ7085.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr592117.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku902684.exe | N/A |
| N/A | N/A | C:\Windows\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr015017.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr592117.exe | N/A |
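The two Defender tables above (the Real-Time Protection policy values written by jr592117.exe and the TamperProtection feature flag set to 0) are the behaviour the Healer signature keys on. The block below is an added example, not part of this sandbox report or of any sandbox tooling: a Python detector that reads registry indicator rows in the report's own "| Description | Indicator | Process | Target |" layout, flags the writes that map to ATT&CK T1562.001 (Impair Defenses: Disable or Modify Tools), and reports which process made them. SAMPLE_ROWS is constructed from the rows of this report, with the Geo\Nation query included as a row that must not fire; Finding, RTP_POLICY_KEY and the other names are the example's own. Caveat for triage: a write recorded by the sandbox does not prove the change took effect. Defender is designed to ignore changes to these real-time protection values while Tamper Protection is enforced, which is why the sample also attempts to write TamperProtection = 0.

```python
import re
from dataclasses import dataclass

# Constructed sample input: registry indicator rows copied from this report's
# "Modifies Windows Defender Real-time Protection settings", "Windows security
# modification" and "Checks computer location settings" tables. The Geo\Nation
# row is a negative case that must not be flagged.
SAMPLE_ROWS = r"""
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr592117.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr592117.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr592117.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr592117.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr592117.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr592117.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr592117.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku902684.exe | N/A |
"""

# One table row: operation | indicator | process | target
ROW_RE = re.compile(r"^\|\s*(?P<op>[^|]+?)\s*\|\s*(?P<indicator>[^|]+?)\s*\|\s*(?P<process>[^|]+?)\s*\|")

# Defender registry locations whose modification maps to ATT&CK T1562.001.
# Lower-cased because registry paths are case-insensitive.
RTP_POLICY_KEY = r"\registry\machine\software\policies\microsoft\windows defender\real-time protection"
FEATURES_KEY = r"\registry\machine\software\microsoft\windows defender\features"


@dataclass(frozen=True)
class Finding:
    severity: str      # "high" or "info"
    process: str
    value_name: str
    value: str
    technique: str
    note: str


def parse_indicator(indicator: str):
    """Split 'KEY\\Name = "1"' into (key, name, value); a bare key path yields (key, "", "")."""
    key_path, sep, value = indicator.partition(" = ")
    if not sep:
        return key_path, "", ""
    key, _, name = key_path.rpartition("\\")
    return key, name, value.strip().strip('"')


def defender_tamper_findings(report_rows: str) -> list[Finding]:
    """Flag Defender-disabling registry writes found in sandbox indicator rows."""
    findings = []
    for line in report_rows.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        op, process = m.group("op"), m.group("process")
        key, name, value = parse_indicator(m.group("indicator"))
        key_l, name_l = key.lower(), name.lower()
        if op.startswith("Set value") and key_l == RTP_POLICY_KEY and name_l.startswith("disable") and value == "1":
            findings.append(Finding("high", process, name, value, "T1562.001",
                                    "real-time protection component disabled through the policy key"))
        elif op.startswith("Set value") and key_l == FEATURES_KEY and name_l == "tamperprotection" and value == "0":
            findings.append(Finding("high", process, name, value, "T1562.001",
                                    "Tamper Protection flag written to 0 (attempt to make the policy values stick)"))
        elif op == "Key created" and key_l == RTP_POLICY_KEY:
            findings.append(Finding("info", process, "", "", "T1562.001",
                                    "Real-Time Protection policy key created; normally absent on an unmanaged host"))
    return findings


def processes_disabling_defender(findings):
    """Map each process to the set of Defender values it changed (high severity only)."""
    by_proc: dict[str, set[str]] = {}
    for f in findings:
        if f.severity == "high":
            by_proc.setdefault(f.process, set()).add(f.value_name)
    return by_proc


if __name__ == "__main__":
    for f in defender_tamper_findings(SAMPLE_ROWS):
        print(f"[{f.severity}] {f.technique} {f.process} {f.value_name}={f.value}: {f.note}")
```

Run over a real sandbox export, the same rules work on any row that follows the report's layout; the value names matched here are the five Real-Time Protection policy values and the TamperProtection flag that appear in this report, so extend the match lists if you want to cover other Defender policy values.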
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\087eaf76a9ad78d803fb5f39fb1d71d7a7c12cce610f0d02e7e55571f5f4d8ab.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibZ7085.exe | N/A |
Note: the wextract_cleanupN RunOnce values and the IXP000.TMP / IXP001.TMP working directories are written by the Windows IExpress (wextract) self-extractor; the advpack.dll DelNodeRunDLL32 entry only deletes the extraction directory at next logon. They show that the sample is a nested self-extracting package (the submitted file unpacks zibZ7085.exe, which unpacks jr592117.exe and ku902684.exe), not that the malware installs a Run key to relaunch itself. No autostart entry pointing at a dropped payload is recorded in this detonation.
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku902684.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\087eaf76a9ad78d803fb5f39fb1d71d7a7c12cce610f0d02e7e55571f5f4d8ab.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibZ7085.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku902684.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr015017.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr592117.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr592117.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr592117.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku902684.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\087eaf76a9ad78d803fb5f39fb1d71d7a7c12cce610f0d02e7e55571f5f4d8ab.exe
"C:\Users\Admin\AppData\Local\Temp\087eaf76a9ad78d803fb5f39fb1d71d7a7c12cce610f0d02e7e55571f5f4d8ab.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibZ7085.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibZ7085.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr592117.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr592117.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku902684.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku902684.exe
C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4824 -ip 4824
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 1196
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr015017.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr015017.exe
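The Program crash signature names ku902684.exe as the target of WerFault.exe, and the Processes list above shows how that attribution can be checked: WerFault's -p argument carries the PID of the faulting process (4824 in both invocations), and the memory dump names in the Files section below embed the same PID. The block below is an added example, not part of this sandbox report: it parses the report's two-line process layout (image path, then command line), pulls the faulting PID out of the WerFault command lines, maps PIDs to dropped files through the dump names, and counts which memory regions of the crashed process were dumped repeatedly. PROCESS_LINES and MEMORY_DUMPS are constructed from this report's own entries (the dump list is a subset); the function names are the example's own.

```python
import re
from collections import Counter

# Constructed sample input, copied from this report's Processes section, which
# lists each process as an image path line followed by its command line.
PROCESS_LINES = r"""
C:\Users\Admin\AppData\Local\Temp\087eaf76a9ad78d803fb5f39fb1d71d7a7c12cce610f0d02e7e55571f5f4d8ab.exe
"C:\Users\Admin\AppData\Local\Temp\087eaf76a9ad78d803fb5f39fb1d71d7a7c12cce610f0d02e7e55571f5f4d8ab.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibZ7085.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibZ7085.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr592117.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr592117.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku902684.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku902684.exe
C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4824 -ip 4824
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 1196
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr015017.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr015017.exe
"""

# Constructed sample input: a subset of the memory dump names listed under each
# dropped file in the Files section. The report names them
# memory/<pid>-<sequence>-<start>-<end>-memory.dmp.
MEMORY_DUMPS = {
    r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr592117.exe": [
        "memory/3708-15-0x0000000000110000-0x000000000011A000-memory.dmp",
    ],
    r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku902684.exe": [
        "memory/4824-22-0x0000000002520000-0x0000000002586000-memory.dmp",
        "memory/4824-24-0x0000000002800000-0x0000000002866000-memory.dmp",
        "memory/4824-25-0x0000000002800000-0x000000000285F000-memory.dmp",
        "memory/4824-26-0x0000000002800000-0x000000000285F000-memory.dmp",
        "memory/4824-28-0x0000000002800000-0x000000000285F000-memory.dmp",
        "memory/4824-2105-0x0000000005560000-0x0000000005592000-memory.dmp",
    ],
    r"C:\Windows\Temp\1.exe": [
        "memory/380-2118-0x00000000003B0000-0x00000000003E0000-memory.dmp",
    ],
    r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr015017.exe": [
        "memory/424-2129-0x0000000000DE0000-0x0000000000E10000-memory.dmp",
    ],
}

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-(?P<start>0x[0-9A-Fa-f]+)-(?P<end>0x[0-9A-Fa-f]+)-memory\.dmp$")
# "-p <pid>" is WerFault's faulting-process argument; "-pss" and "-ip" must not match.
WERFAULT_PID_RE = re.compile(r"(?:^|\s)-p\s+(\d+)")


def parse_processes(text):
    """Return (image_path, command_line) pairs from the report's two-line layout."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    return list(zip(lines[0::2], lines[1::2]))


def werfault_faulting_pids(text):
    """PIDs named by WerFault's -p argument, i.e. the processes that crashed."""
    pids = set()
    for image, cmdline in parse_processes(text):
        if image.lower().endswith(r"\werfault.exe"):
            m = WERFAULT_PID_RE.search(cmdline)
            if m:
                pids.add(int(m.group(1)))
    return pids


def pid_to_image(dumps):
    """Map sandbox PIDs to dropped-file paths using the PID embedded in each dump name."""
    mapping = {}
    for image, names in dumps.items():
        for n in names:
            m = DUMP_RE.match(n)
            if m:
                mapping[int(m.group("pid"))] = image
    return mapping


def attribute_crashes(process_text, dumps):
    """Which dropped file each WerFault invocation was reporting on."""
    images = pid_to_image(dumps)
    return {pid: images.get(pid) for pid in werfault_faulting_pids(process_text)}


def dumped_regions(dumps, pid):
    """Distinct (start, end) regions dumped for a PID and how often each recurs."""
    counts = Counter()
    for names in dumps.values():
        for n in names:
            m = DUMP_RE.match(n)
            if m and int(m.group("pid")) == pid:
                counts[(m.group("start"), m.group("end"))] += 1
    return counts


if __name__ == "__main__":
    for pid, image in attribute_crashes(PROCESS_LINES, MEMORY_DUMPS).items():
        print(f"WerFault reported on PID {pid}: {image}")
        for (start, end), n in dumped_regions(MEMORY_DUMPS, pid).most_common():
            print(f"  {start}-{end} dumped {n} time(s)")
```

The repeatedly dumped region is worth pulling first when you want the unpacked payload from the dump set; the report's "RedLine payload" signature does not say which dump it matched, so treat the region count as a starting point, not an answer.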
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
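The Network table mixes two kinds of traffic: reverse (PTR) lookups sent to 8.8.8.8, whose in-addr.arpa names carry an IPv4 address with its octets reversed, and twelve TCP connections to 77.91.124.145:4125, the only non-resolver endpoint in the detonation. The block below is an added example, not part of this sandbox report: it parses such rows (tolerating the extracted layout in which "tcp" slips into the Domain column), recovers the looked-up addresses from the PTR names, and counts connections per endpoint so the one repeatedly contacted host stands out as the indicator to block or hunt for. NETWORK_ROWS is constructed from this report's rows; the function names are the example's own. The report does not record which process issued the reverse lookups, so the example lists them without attributing them to the sample.

```python
import re
from collections import Counter

# Constructed sample input: the rows of this report's Network table, kept in the
# as-extracted layout where the TCP rows carry "tcp" in the Domain column.
NETWORK_ROWS = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| FI | 77.91.124.145:4125 | tcp | |
| FI | 77.91.124.145:4125 | tcp | |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| FI | 77.91.124.145:4125 | tcp | |
| FI | 77.91.124.145:4125 | tcp | |
| FI | 77.91.124.145:4125 | tcp | |
| FI | 77.91.124.145:4125 | tcp | |
| FI | 77.91.124.145:4125 | tcp | |
| FI | 77.91.124.145:4125 | tcp | |
| FI | 77.91.124.145:4125 | tcp | |
| FI | 77.91.124.145:4125 | tcp | |
| FI | 77.91.124.145:4125 | tcp | |
| FI | 77.91.124.145:4125 | tcp |
"""

PROTOCOLS = {"tcp", "udp"}
# Four reversed octets followed by the in-addr.arpa suffix (optional trailing dot).
PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$", re.I)


def parse_network(text):
    """Parse '| Country | Destination | Domain | Proto |' rows into dicts."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) < 3 or cells[0] == "Country":
            continue
        # Header order is Country | Destination | Domain | Proto, but extracted
        # rows may shift "tcp"/"udp" left into the Domain column: locate by value.
        proto = next((c.lower() for c in cells[2:] if c.lower() in PROTOCOLS), "")
        domain = next((c for c in cells[2:] if c and c.lower() not in PROTOCOLS), "")
        host, _, port = cells[1].rpartition(":")
        rows.append({"country": cells[0], "host": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """Recover the IPv4 address a reverse (PTR) lookup name refers to, else None."""
    m = PTR_RE.match(name)
    if not m:
        return None
    octets = m.groups()[::-1]          # in-addr.arpa stores the octets reversed
    if any(int(o) > 255 for o in octets):
        return None
    return ".".join(octets)


def summarise(rows, resolvers=frozenset({"8.8.8.8"})):
    """Separate resolver traffic from everything else; count connections per endpoint."""
    reverse_lookups = {}
    connections = Counter()
    for r in rows:
        if r["host"] in resolvers and r["port"] == 53:
            ip = ptr_to_ip(r["domain"])
            if ip:
                reverse_lookups[r["domain"]] = ip
            continue
        connections[(r["host"], r["port"], r["proto"])] += 1
    return {"reverse_lookups": reverse_lookups, "connections": connections}


def network_iocs(rows):
    """Endpoints to block or hunt for: every non-resolver destination, most contacted first."""
    conns = summarise(rows)["connections"]
    return [f"{h}:{p}/{proto}" for (h, p, proto), _ in conns.most_common()]


if __name__ == "__main__":
    parsed = parse_network(NETWORK_ROWS)
    s = summarise(parsed)
    for ptr, ip in s["reverse_lookups"].items():
        print(f"PTR {ptr} -> {ip}")
    for (h, p, proto), n in s["connections"].most_common():
        print(f"{h}:{p}/{proto} contacted {n} time(s)")
    print("IOCs:", network_iocs(parsed))
```

The resolver set is an analyst choice: 8.8.8.8 is treated as the sandbox's DNS server here because every row to it is a port 53 PTR query, and the recovered addresses (52.191.219.104 and the others) are what would be checked against your own telemetry, not the in-addr.arpa strings.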
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibZ7085.exe
| MD5 | 74aa2ad44fe5491a2d7e61661a6321b0 |
| SHA1 | cd5c2bee61309a95679d837b2e88ef0b568b720a |
| SHA256 | e2906e9d9ce43d1115378d82301ab91e870e38786879c92eafb46210dc5d4722 |
| SHA512 | bd42b4b27ae2f0770b0e9786c3ae66867b41af821963932eba21c577d6e71ce2875d87a93eb81d7597e25763a135b465d940fd8e7d9632b4f688fa3b974488bd |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr592117.exe
| MD5 | 3398b5a0ee3eb29386841118072ca4eb |
| SHA1 | cf79d470d671e62b074199f9440feed369622bb8 |
| SHA256 | 6b314ae34b9179201548fe561aadd552d61f311130c4803a466eb149852d48ce |
| SHA512 | 0f51464c1aafd88cca49573164205f89f1a3143017e7d90cb3051fec7699905705dbaf2fb32bcb4d493108a12ac49b4ca6d8d0a0db68de7b9f320e15d44d0699 |
memory/3708-14-0x00007FFEF9B13000-0x00007FFEF9B15000-memory.dmp
memory/3708-15-0x0000000000110000-0x000000000011A000-memory.dmp
memory/3708-16-0x00007FFEF9B13000-0x00007FFEF9B15000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku902684.exe
| MD5 | 0468baa382c492bdd5efc88c64db448f |
| SHA1 | 744b7f792b42e061a485308999f88c1c9123d9d2 |
| SHA256 | 3c03072569ada984a766d2f8478f633cec6ed0922d9b53ef3a3dc42d96d72540 |
| SHA512 | f1795a2fcde7328515e1f8b3534764ee6509b4247677959fd7442aeb8b64a1df3978fae8f1ef21f3ac9d0b9fc3d54484df9a0648dce6c134a277c5f95b322de3 |
memory/4824-22-0x0000000002520000-0x0000000002586000-memory.dmp
memory/4824-23-0x0000000004E40000-0x00000000053E4000-memory.dmp
memory/4824-24-0x0000000002800000-0x0000000002866000-memory.dmp
memory/4824-26-0x0000000002800000-0x000000000285F000-memory.dmp
memory/4824-34-0x0000000002800000-0x000000000285F000-memory.dmp
memory/4824-88-0x0000000002800000-0x000000000285F000-memory.dmp
memory/4824-86-0x0000000002800000-0x000000000285F000-memory.dmp
memory/4824-82-0x0000000002800000-0x000000000285F000-memory.dmp
memory/4824-80-0x0000000002800000-0x000000000285F000-memory.dmp
memory/4824-78-0x0000000002800000-0x000000000285F000-memory.dmp
memory/4824-76-0x0000000002800000-0x000000000285F000-memory.dmp
memory/4824-74-0x0000000002800000-0x000000000285F000-memory.dmp
memory/4824-72-0x0000000002800000-0x000000000285F000-memory.dmp
memory/4824-70-0x0000000002800000-0x000000000285F000-memory.dmp
memory/4824-68-0x0000000002800000-0x000000000285F000-memory.dmp
memory/4824-66-0x0000000002800000-0x000000000285F000-memory.dmp
memory/4824-62-0x0000000002800000-0x000000000285F000-memory.dmp
memory/4824-60-0x0000000002800000-0x000000000285F000-memory.dmp
memory/4824-58-0x0000000002800000-0x000000000285F000-memory.dmp
memory/4824-56-0x0000000002800000-0x000000000285F000-memory.dmp
memory/4824-54-0x0000000002800000-0x000000000285F000-memory.dmp
memory/4824-52-0x0000000002800000-0x000000000285F000-memory.dmp
memory/4824-50-0x0000000002800000-0x000000000285F000-memory.dmp
memory/4824-48-0x0000000002800000-0x000000000285F000-memory.dmp
memory/4824-46-0x0000000002800000-0x000000000285F000-memory.dmp
memory/4824-44-0x0000000002800000-0x000000000285F000-memory.dmp
memory/4824-40-0x0000000002800000-0x000000000285F000-memory.dmp
memory/4824-38-0x0000000002800000-0x000000000285F000-memory.dmp
memory/4824-36-0x0000000002800000-0x000000000285F000-memory.dmp
memory/4824-32-0x0000000002800000-0x000000000285F000-memory.dmp
memory/4824-30-0x0000000002800000-0x000000000285F000-memory.dmp
memory/4824-28-0x0000000002800000-0x000000000285F000-memory.dmp
memory/4824-84-0x0000000002800000-0x000000000285F000-memory.dmp
memory/4824-64-0x0000000002800000-0x000000000285F000-memory.dmp
memory/4824-42-0x0000000002800000-0x000000000285F000-memory.dmp
memory/4824-25-0x0000000002800000-0x000000000285F000-memory.dmp
memory/4824-2105-0x0000000005560000-0x0000000005592000-memory.dmp
C:\Windows\Temp\1.exe
| MD5 | 1073b2e7f778788852d3f7bb79929882 |
| SHA1 | 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4 |
| SHA256 | c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb |
| SHA512 | 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0 |
memory/380-2118-0x00000000003B0000-0x00000000003E0000-memory.dmp
memory/380-2119-0x0000000002740000-0x0000000002746000-memory.dmp
memory/380-2120-0x000000000A760000-0x000000000AD78000-memory.dmp
memory/380-2121-0x000000000A250000-0x000000000A35A000-memory.dmp
memory/380-2122-0x000000000A160000-0x000000000A172000-memory.dmp
memory/380-2123-0x000000000A1C0000-0x000000000A1FC000-memory.dmp
memory/380-2124-0x0000000002530000-0x000000000257C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr015017.exe
| MD5 | 8eb8835e743254975c5da0444d46b809 |
| SHA1 | af0f9c7eae0a141fea88e329ad505914bab52e0d |
| SHA256 | b70b7da3d614c40fd0cf9a9ebf84b053bfe283eb033d21fb15a613868a53d857 |
| SHA512 | d3f957a2aa38cfc84fb714e671b85e06d40288e2283a38404c2c6d2e23cbe3c1a55c64f51340bfdaaab2cf1ef751ef77b990c6ee69e70268f4407c0187140034 |
memory/424-2129-0x0000000000DE0000-0x0000000000E10000-memory.dmp
memory/424-2130-0x0000000003270000-0x0000000003276000-memory.dmp