Analysis Overview
SHA256
496f62ca4d44f6dc991c30d284d134e135a7d205ffb165aef624dd82748d511f
Threat Level: Known bad
The file 496f62ca4d44f6dc991c30d284d134e135a7d205ffb165aef624dd82748d511f was found to be: Known bad.
Malicious Activity Summary
Redline family
Detects Healer an antivirus disabler dropper
RedLine payload
Modifies Windows Defender Real-time Protection settings
Healer
Healer family
RedLine
Checks computer location settings
Windows security modification
Executes dropped EXE
Adds Run key to start application
Launches sc.exe
System Location Discovery: System Language Discovery
Unsigned PE
Program crash
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 05:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 05:33
Reported
2024-11-08 05:36
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it660108.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it660108.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it660108.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it660108.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it660108.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it660108.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr000337.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziXF5713.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziQc7393.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it660108.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr000337.exe | N/A |
| N/A | N/A | C:\Windows\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp968945.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it660108.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\496f62ca4d44f6dc991c30d284d134e135a7d205ffb165aef624dd82748d511f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziXF5713.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziQc7393.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr000337.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp968945.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\496f62ca4d44f6dc991c30d284d134e135a7d205ffb165aef624dd82748d511f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziXF5713.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziQc7393.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr000337.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\1.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it660108.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it660108.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it660108.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr000337.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\496f62ca4d44f6dc991c30d284d134e135a7d205ffb165aef624dd82748d511f.exe | "C:\Users\Admin\AppData\Local\Temp\496f62ca4d44f6dc991c30d284d134e135a7d205ffb165aef624dd82748d511f.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziXF5713.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziXF5713.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziQc7393.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziQc7393.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it660108.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it660108.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr000337.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr000337.exe |
| C:\Windows\Temp\1.exe | "C:\Windows\Temp\1.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4908 -ip 4908 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1372 |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp968945.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp968945.exe |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe start wuauserv |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.161.248.90:4125 | N/A | tcp |
| RU | 185.161.248.90:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| RU | 185.161.248.90:4125 | N/A | tcp |
| RU | 185.161.248.90:4125 | N/A | tcp |
| RU | 185.161.248.90:4125 | N/A | tcp |
| RU | 185.161.248.90:4125 | N/A | tcp |
| RU | 185.161.248.90:4125 | N/A | tcp |
| RU | 185.161.248.90:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| RU | 185.161.248.90:4125 | N/A | tcp |
| RU | 185.161.248.90:4125 | N/A | tcp |
| RU | 185.161.248.90:4125 | N/A | tcp |
| RU | 185.161.248.90:4125 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziXF5713.exe
| Hash | Value |
| --- | --- |
| MD5 | e04c7e96ee59d2015706ff71c71c3cae |
| SHA1 | fd3b98f05dae77002d5d2f5049f2de41e8fdec10 |
| SHA256 | 4bd54ee349d83e8dbdc5366ee8be6174b929f634a6c5644504d023060829f523 |
| SHA512 | 5c75ca5f30d67081a2fb977536f6f33b7595c567ebdfc27791d16dbc947b7305b5d9dccf6bc5d86ccd0eeef16bdc003750f5398a9199fd4883e1f0cd2354f4c4 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziQc7393.exe
| Hash | Value |
| --- | --- |
| MD5 | 680417f2efe9eb78a4fb2e7866ec66f5 |
| SHA1 | de726b1f5ae8bdc19479980fd10e988dca138623 |
| SHA256 | 607443710032388c930a8c9e35bd2e4c73771c4b4299507f6429731b36882b36 |
| SHA512 | 8cb35a5f1b56796b1c5a97b3a8476952418a145edfe2ffda0382f1db7d8b9d94f41b1fd4eae56691434c1ab8093dfd811beea68906e95f6fe5d56d302a4a5fa1 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it660108.exe
| Hash | Value |
| --- | --- |
| MD5 | a4f89f8dc8ca3450dc0240359e4c002c |
| SHA1 | 5b23c62b34d9adcfdb997a039b29115ba117fd1b |
| SHA256 | 03454e8aad3ebc11c3a0662fe85773cec8e85d456313438a94f99afc1c2fc42e |
| SHA512 | 9e8427ac8d39272ffdfed294238fdbfdd3a54ae379ed5a2d3d9acbe9a62ba19cf5b082b11b6f295ecb75da0f15aeb5c377f95198508c5e406e39406b1383bcab |
memory/1596-21-0x00007FFB070F3000-0x00007FFB070F5000-memory.dmp
memory/1596-22-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1596-23-0x00007FFB070F3000-0x00007FFB070F5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr000337.exe
| Hash | Value |
| --- | --- |
| MD5 | 6424b85ebce56537ad6c67e59be400a8 |
| SHA1 | 4010e1a196ba734e1b82868e6c47e391631e2e3a |
| SHA256 | 6ab79416f69dcf4bdf22ee0430afe96783ceac1fdf2057a959f023392efc29e9 |
| SHA512 | 0905f6ddc31f1224e7d0c3fc0fca30aa3674ebc402dd843b47402c3c8047a9783f1389cdd45386aa43f72b8771a479c8fef668362bbd4582945443c193778c2b |
C:\Windows\Temp\1.exe
| Hash | Value |
| --- | --- |
| MD5 | 03728fed675bcde5256342183b1d6f27 |
| SHA1 | d13eace7d3d92f93756504b274777cc269b222a2 |
| SHA256 | f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0 |
| SHA512 | 6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp968945.exe
| Hash | Value |
| --- | --- |
| MD5 | 43c614eb71d96a7c3032441b908aa784 |
| SHA1 | ed6c87091e3eeb5cbde101ea695b789fa90e0f8a |
| SHA256 | 4ac318b562dda975404a501e4651c87f03d0e0ce0b578808d11612bd0d88d584 |
| SHA512 | 6d0fa888ba4d559df80c41cac4c1695ac79d112b2daf218d9b5fca4f6450948d229c33d8aef4aae2aee7504062a18b8b041c8f292132f00ab51fc35720339007 |
memory/6868-2198-0x0000000000100000-0x0000000000130000-memory.dmp
memory/6868-2199-0x00000000009F0000-0x00000000009F6000-memory.dmp