Analysis Overview
SHA256
5c0c3dde28861de579ed74ff3a54612531b9a40efda6d6b12e52ec742ee22039
Threat Level: Known bad
The file 5c0c3dde28861de579ed74ff3a54612531b9a40efda6d6b12e52ec742ee22039 was found to be: Known bad.
Malicious Activity Summary
Healer family
RedLine
RedLine payload
Redline family
Healer
Modifies Windows Defender Real-time Protection settings
Detects Healer, an antivirus disabler dropper
Windows security modification
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 21:55
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 21:55
Reported
2024-11-09 21:58
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr283752.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr283752.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr283752.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr283752.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr283752.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr283752.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zilU5361.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr283752.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku583532.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr283752.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\5c0c3dde28861de579ed74ff3a54612531b9a40efda6d6b12e52ec742ee22039.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zilU5361.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zilU5361.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku583532.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5c0c3dde28861de579ed74ff3a54612531b9a40efda6d6b12e52ec742ee22039.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr283752.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr283752.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr283752.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku583532.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\5c0c3dde28861de579ed74ff3a54612531b9a40efda6d6b12e52ec742ee22039.exe | "C:\Users\Admin\AppData\Local\Temp\5c0c3dde28861de579ed74ff3a54612531b9a40efda6d6b12e52ec742ee22039.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zilU5361.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zilU5361.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr283752.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr283752.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku583532.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku583532.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 10.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zilU5361.exe
| MD5 | 1bc3f0cdc5ecc3b8b57d10035106a979 |
| SHA1 | e8348fe68a134ce9a19840173eac7eee17f3aeec |
| SHA256 | 9ce96b1379f3f934b79156f493f5cd9b10b948302398bb516ecc3fdb3c57b875 |
| SHA512 | 8c7354f010f6892b973c273a0e837f4fa1a9b5bdae2a7d278d33c33005b659e69d2edbb041acd5b11a2ccccccacabbaf87a4a4bd1e08cd031383acc02a5ed498 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr283752.exe
| MD5 | 5239dc6af7d66246f89ee0c5cb6a4a3f |
| SHA1 | 0fa711f540ea3706a8a6ed2d2b7c9e730be44a2e |
| SHA256 | aa8ce780bb6ce8d8d6f67f9269c29918809ad8636c0141fa72dda97d4e0dbf5b |
| SHA512 | 78cd723d4968238fa833ed5d8d96e4af7a58f1745c71ac6af65f0b613ffb90c7c24fe2545e36f2c83e21ee1419b55031ac8d8bdb9fcf325d8d6e326a50218a90 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku583532.exe
| MD5 | 6334b2b7435679fe114c2a485d02a899 |
| SHA1 | d983e3ec49d30628281e6de528c105236c84b043 |
| SHA256 | 8e348841e22eb63cf0e1d7a8a9197dd4446ef89f61accaf17a287ae2887ecb38 |
| SHA512 | 42b6074edb9e5e8ad912035567d2022fa71a2a5270248627245080c7ee1ce15ddd7da93f9517a850bc6ccaa6129ed50be1efc049569bcb9e11579820dcf35483 |