Analysis Overview
SHA256
f214c6b281d57380a86bd0f6d1ede273bb840616f241d6295a83145efa3ac459
Threat Level: Known bad
The file f214c6b281d57380a86bd0f6d1ede273bb840616f241d6295a83145efa3ac459 was found to be: Known bad.
Malicious Activity Summary
Detects Healer an antivirus disabler dropper
Redline family
RedLine payload
Healer family
Modifies Windows Defender Real-time Protection settings
RedLine
Healer
Windows security modification
Checks computer location settings
Executes dropped EXE
Adds Run key to start application
Launches sc.exe
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-07 13:11
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-07 13:11
Reported
2024-11-07 13:13
Platform
win10v2004-20241007-en
Max time kernel
145s
Max time network
154s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it911239.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it911239.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it911239.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it911239.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it911239.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it911239.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr389978.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPJ8166.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziva6415.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it911239.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr389978.exe | N/A |
| N/A | N/A | C:\Windows\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp991874.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it911239.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\f214c6b281d57380a86bd0f6d1ede273bb840616f241d6295a83145efa3ac459.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPJ8166.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziva6415.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr389978.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp991874.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f214c6b281d57380a86bd0f6d1ede273bb840616f241d6295a83145efa3ac459.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPJ8166.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziva6415.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it911239.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it911239.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it911239.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr389978.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f214c6b281d57380a86bd0f6d1ede273bb840616f241d6295a83145efa3ac459.exe
"C:\Users\Admin\AppData\Local\Temp\f214c6b281d57380a86bd0f6d1ede273bb840616f241d6295a83145efa3ac459.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPJ8166.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPJ8166.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziva6415.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziva6415.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it911239.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it911239.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr389978.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr389978.exe
C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp991874.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp991874.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPJ8166.exe
| MD5 | d60d571d26b7d6dc35d5e7dda86c4138 |
| SHA1 | db509b935bb24c7a63a5457b055c5444b7c78855 |
| SHA256 | 41b78840e63eac38a7ea0c2e964e439295b99c7c641b03de5d33a6cd8f64d18b |
| SHA512 | 90257fb6f495bc77512a76d384e5e823d2d3fdff95007ad52444f5df95bd8b078b79b05efe5e16257670eeaf80817ebead817d03f7e543eab6d9aaf8722e4061 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziva6415.exe
| MD5 | bb58e56f24bda313b521e3b981b32c86 |
| SHA1 | 53ff783181ab8c32edf7ab0f2b9c033d6b632165 |
| SHA256 | 789ac533bd335c47eb4d6134f65c564f0df70e4a4a2d0297f38b88c9c0b09a70 |
| SHA512 | 86266213644e784ee82756826177c35fb276d4ef7013106dcdbcffd9da3610c4f8b2df71b447f299e1493bac85163e407dccadab5e2e33394b6e3e3251aade65 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it911239.exe
| MD5 | 4b3e0ef0693789fc9ddd388e7af44e0f |
| SHA1 | ad549514027c4a03dcc3d47f1ce2a5bf672bed55 |
| SHA256 | 4fbab3bb6791ee3a90338dad16f2bb1ac8cfd393df0379546ce563e060dc3ee4 |
| SHA512 | 81a1bf6e58fca18834869c37eac1e96fac73f1ae8202210e980f0fd67b615ea4bef912bf83b0026d4df8613c6b31dc70735234855eff1170d817212847cc7a01 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr389978.exe
| MD5 | 35d0ab2652b4e2a7aefba787ced1e392 |
| SHA1 | 6ab7bde5cf4599e804cd51d4a26fd982bdee1259 |
| SHA256 | 86670861df1d4cb9dfe144e3f5fec1c17eb452ee6b2292d53f896ade5ccf322f |
| SHA512 | de7340b570ea0dfec20ecf4bd9567ce3aa564b5005e30a0315bd551974bc9725d458538906fd287c709f4c6e8f22591e810043f9d246e0f2976c84dc50c07b2c |
C:\Windows\Temp\1.exe
| MD5 | 03728fed675bcde5256342183b1d6f27 |
| SHA1 | d13eace7d3d92f93756504b274777cc269b222a2 |
| SHA256 | f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0 |
| SHA512 | 6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp991874.exe
| MD5 | 016e2f2d5deeeb80984ed7b8a245a40c |
| SHA1 | c24ffe850224bae13f2bf092a0419142cd2e8780 |
| SHA256 | 9e48ba3e0fda075872731eec3b10cf7f7241a8354671635a65aea6e0b7ec570e |
| SHA512 | 54e4ae4f5f518ca64bcc1788550e8818bb90bac29965459e8da0b1d322836c3e2186a3275399ed8e905846a7c6f58f4df013c4f0f24ae01e652f57e571b84aa8 |