Analysis Overview
SHA256
f38516eb7b32d7161f2734254d7840086ab3c6c70a31e4e9534649ddb8263377
Threat Level: Known bad
The file f38516eb7b32d7161f2734254d7840086ab3c6c70a31e4e9534649ddb8263377 was found to be: Known bad.
Malicious Activity Summary
Healer
RedLine payload
Detects Healer an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
Healer family
Redline family
RedLine
Windows security modification
Checks computer location settings
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-07 00:54
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-07 00:54
Reported
2024-11-07 00:57
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr576424.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr576424.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr576424.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr576424.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr576424.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr576424.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku828107.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziry1528.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr576424.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku828107.exe | N/A |
| N/A | N/A | C:\Windows\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr615799.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr576424.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\f38516eb7b32d7161f2734254d7840086ab3c6c70a31e4e9534649ddb8263377.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziry1528.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku828107.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f38516eb7b32d7161f2734254d7840086ab3c6c70a31e4e9534649ddb8263377.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziry1528.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku828107.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr615799.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr576424.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr576424.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr576424.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku828107.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f38516eb7b32d7161f2734254d7840086ab3c6c70a31e4e9534649ddb8263377.exe
"C:\Users\Admin\AppData\Local\Temp\f38516eb7b32d7161f2734254d7840086ab3c6c70a31e4e9534649ddb8263377.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziry1528.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziry1528.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr576424.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr576424.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku828107.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku828107.exe
C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1132 -ip 1132
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 1184
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr615799.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr615799.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziry1528.exe
| MD5 | bddef72ee2387bccb03840674c73bf59 |
| SHA1 | 6083c110bce76b84b826b7bfb1c31a76b1453397 |
| SHA256 | cb945f71becf147765c507a1b8dd035ad69064a7f8905bb4e3a20d12d8e4994b |
| SHA512 | aa618a9f2a2a0f43f511b575a9d4de729137e01a7af745ee086eee21bd2fe6225bb7708c1b72f5c7ca80acd07e0678a406f273b64327fa88fda455894f28ecb3 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr576424.exe
| MD5 | aaf6b2789f35078e79e790a47f4ca9e1 |
| SHA1 | da53df13eae11a065840d9f6d22d0d87b80092f5 |
| SHA256 | cf78d8173926035b980dabb4cf474206ab90b822e0b600ca19949402640f3206 |
| SHA512 | 3151835cbab306a05333b702a7ecddcba0dd98e62fde40daa20d8dd15afa3467dd391dafca373e700e6a54921c5d8dd53fef59500453002d894e538b91a37666 |
memory/4564-14-0x00007FF867FA3000-0x00007FF867FA5000-memory.dmp
memory/4564-15-0x0000000000A80000-0x0000000000A8A000-memory.dmp
memory/4564-16-0x00007FF867FA3000-0x00007FF867FA5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku828107.exe
| MD5 | 6dcc75827dc042246e63ea0fc2d9fb36 |
| SHA1 | 5dc61f99234156e6153709f4cc3bb520f055e149 |
| SHA256 | 551b7deb3521a31e6cd26466096b9deeb536368668487d2924c4bc457e3d2dfa |
| SHA512 | a99ea4081ff79fa8e6b76e32877ee32f7e3fac8258882b14f3bcc1e4d12eb4d64d5f9fc40b12021a69b7a9ec6d19db70276462050643478a8555e2ad63a1747c |
memory/1132-22-0x0000000002800000-0x0000000002866000-memory.dmp
memory/1132-23-0x0000000004DD0000-0x0000000005374000-memory.dmp
memory/1132-24-0x0000000002790000-0x00000000027F6000-memory.dmp
memory/1132-25-0x0000000002790000-0x00000000027EF000-memory.dmp
memory/1132-52-0x0000000002790000-0x00000000027EF000-memory.dmp
memory/1132-88-0x0000000002790000-0x00000000027EF000-memory.dmp
memory/1132-86-0x0000000002790000-0x00000000027EF000-memory.dmp
memory/1132-84-0x0000000002790000-0x00000000027EF000-memory.dmp
memory/1132-82-0x0000000002790000-0x00000000027EF000-memory.dmp
memory/1132-80-0x0000000002790000-0x00000000027EF000-memory.dmp
memory/1132-76-0x0000000002790000-0x00000000027EF000-memory.dmp
memory/1132-74-0x0000000002790000-0x00000000027EF000-memory.dmp
memory/1132-72-0x0000000002790000-0x00000000027EF000-memory.dmp
memory/1132-70-0x0000000002790000-0x00000000027EF000-memory.dmp
memory/1132-68-0x0000000002790000-0x00000000027EF000-memory.dmp
memory/1132-66-0x0000000002790000-0x00000000027EF000-memory.dmp
memory/1132-64-0x0000000002790000-0x00000000027EF000-memory.dmp
memory/1132-62-0x0000000002790000-0x00000000027EF000-memory.dmp
memory/1132-60-0x0000000002790000-0x00000000027EF000-memory.dmp
memory/1132-58-0x0000000002790000-0x00000000027EF000-memory.dmp
memory/1132-56-0x0000000002790000-0x00000000027EF000-memory.dmp
memory/1132-50-0x0000000002790000-0x00000000027EF000-memory.dmp
memory/1132-49-0x0000000002790000-0x00000000027EF000-memory.dmp
memory/1132-46-0x0000000002790000-0x00000000027EF000-memory.dmp
memory/1132-44-0x0000000002790000-0x00000000027EF000-memory.dmp
memory/1132-43-0x0000000002790000-0x00000000027EF000-memory.dmp
memory/1132-40-0x0000000002790000-0x00000000027EF000-memory.dmp
memory/1132-38-0x0000000002790000-0x00000000027EF000-memory.dmp
memory/1132-36-0x0000000002790000-0x00000000027EF000-memory.dmp
memory/1132-35-0x0000000002790000-0x00000000027EF000-memory.dmp
memory/1132-32-0x0000000002790000-0x00000000027EF000-memory.dmp
memory/1132-30-0x0000000002790000-0x00000000027EF000-memory.dmp
memory/1132-28-0x0000000002790000-0x00000000027EF000-memory.dmp
memory/1132-26-0x0000000002790000-0x00000000027EF000-memory.dmp
memory/1132-78-0x0000000002790000-0x00000000027EF000-memory.dmp
memory/1132-54-0x0000000002790000-0x00000000027EF000-memory.dmp
memory/1132-2105-0x0000000005540000-0x0000000005572000-memory.dmp
C:\Windows\Temp\1.exe
| MD5 | 1073b2e7f778788852d3f7bb79929882 |
| SHA1 | 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4 |
| SHA256 | c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb |
| SHA512 | 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0 |
memory/3424-2118-0x0000000000EB0000-0x0000000000EE0000-memory.dmp
memory/3424-2119-0x00000000015D0000-0x00000000015D6000-memory.dmp
memory/3424-2120-0x0000000005EC0000-0x00000000064D8000-memory.dmp
memory/3424-2121-0x00000000059B0000-0x0000000005ABA000-memory.dmp
memory/3424-2122-0x0000000005720000-0x0000000005732000-memory.dmp
memory/3424-2123-0x00000000058A0000-0x00000000058DC000-memory.dmp
memory/3424-2124-0x00000000058E0000-0x000000000592C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr615799.exe
| MD5 | 057c822caf3c0dd1e31c09a8ad6c0393 |
| SHA1 | 6770d652d30ce8229d9d0f6a5efcff9ef67b7be9 |
| SHA256 | d41f9f43f1df193508928b40495ed4f6125ce185b1ace5346d255b4c1c649168 |
| SHA512 | 4c7a5c28ed00bb13bd52d72ee349bbea23623653394e533d33060703c107cd8d5f890e90d25cba1a1a7ef8a199c570340731ee581d9c70e862d9a80c531e6c1c |
memory/5692-2129-0x0000000000950000-0x0000000000980000-memory.dmp
memory/5692-2130-0x0000000002B00000-0x0000000002B06000-memory.dmp