Analysis Overview
SHA256
5625c8ab283b5a80395b73024d535269aa3c08c8392f160d8d8b7cbb001f35fb
Threat Level: Known bad
The file 5625c8ab283b5a80395b73024d535269aa3c08c8392f160d8d8b7cbb001f35fb was found to be: Known bad.
Malicious Activity Summary
RedLine payload
Healer
Redline family
Detects Healer, an antivirus disabler dropper
Healer family
RedLine
Modifies Windows Defender Real-time Protection settings
Executes dropped EXE
Windows security modification
Checks computer location settings
Adds Run key to start application
Launches sc.exe
Program crash
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-07 04:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-07 04:56
Reported
2024-11-07 04:59
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr922151.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr922151.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr922151.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr922151.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr922151.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr922151.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku702802.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTr2904.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr922151.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku702802.exe | N/A |
| N/A | N/A | C:\Windows\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr322212.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr922151.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\5625c8ab283b5a80395b73024d535269aa3c08c8392f160d8d8b7cbb001f35fb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTr2904.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku702802.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5625c8ab283b5a80395b73024d535269aa3c08c8392f160d8d8b7cbb001f35fb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTr2904.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku702802.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr322212.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr922151.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr922151.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku702802.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\5625c8ab283b5a80395b73024d535269aa3c08c8392f160d8d8b7cbb001f35fb.exe | "C:\Users\Admin\AppData\Local\Temp\5625c8ab283b5a80395b73024d535269aa3c08c8392f160d8d8b7cbb001f35fb.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTr2904.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTr2904.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr922151.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr922151.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku702802.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku702802.exe |
| C:\Windows\Temp\1.exe | "C:\Windows\Temp\1.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1260 -ip 1260 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 1384 |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr322212.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr322212.exe |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe start wuauserv |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| FI | 77.91.124.145:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTr2904.exe
| MD5 | badd11dcc1157bc6451fe5efb9f9cf89 |
| SHA1 | 53effc59df42bfea628234217fd166caccb3254e |
| SHA256 | 91e28f8cd2e59aec756d6148cc64c31e84fcaa89d3609edf4bc59286a784ac79 |
| SHA512 | d8fe7e4a0f9c4bc9517e562082b4c3932451f55b548bb59ca204befad213ea596f86dac7f447ffd42f264672941a9c8475ccf28b52b9d432445ac43315b84ee4 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr922151.exe
| MD5 | bebad2318c9f6eda31aa743ac5b417b1 |
| SHA1 | dc7b4e44f485e14d7c409f663d055592e7890e20 |
| SHA256 | 14ff2566eac3a6ea63630d3401c5100aa94db9f97d05dae0ca4d873602ff78de |
| SHA512 | 87af5e30dc454060201d41c77b8c1df300aa7756c0613ff3eb73e1a9931f994f69cfabf664e57483d513c460a4a2c515179a037cb67b798e9c58fc0fd9a5d566 |
memory/516-14-0x00007FFC0C9D3000-0x00007FFC0C9D5000-memory.dmp
memory/516-15-0x0000000000C40000-0x0000000000C4A000-memory.dmp
memory/516-16-0x00007FFC0C9D3000-0x00007FFC0C9D5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku702802.exe
| MD5 | 24cc3338bc0a82cdc8700155704a90d0 |
| SHA1 | 7526be27e0ed138d85e7750d4cc04bded8510e8b |
| SHA256 | ba312a2dc78b5d34529d9a6dc78947226b0efe84c219fe3f3fb3e9e43f05d093 |
| SHA512 | 4f70364e8b3c32f07b8431eb49901f4698f7bf470925d9c5ccef24014826c9d9ab42baac1bd8073a3667b23f5c66527aed097adcc6600357a4e55f5108f1730e |
C:\Windows\Temp\1.exe
| MD5 | 1073b2e7f778788852d3f7bb79929882 |
| SHA1 | 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4 |
| SHA256 | c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb |
| SHA512 | 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr322212.exe
| MD5 | 237109c4ef3a8498cdb930d40743656a |
| SHA1 | 2943e44f747f3cd31844386ac5bd62895810ce76 |
| SHA256 | 34cf3f77c115c21ca69370b28cb2c893fbe6acfdc52c3129407c238576f64483 |
| SHA512 | e2eeae10304fbd3e8ec42c5b42caa2e26a0ddc35fcf9c95e93b0d547a31687800198267f0f6970cc161fe2ffcf78580bc9c5bdfa0354ce9d641bceabab34ac52 |
memory/6136-2129-0x00000000002B0000-0x00000000002E0000-memory.dmp
memory/6136-2130-0x0000000000CC0000-0x0000000000CC6000-memory.dmp