Analysis Overview
SHA256
8336022fdb5b5264d315804f35bd2eccc4968a43e535fdfcebec8c49edbc679a
Threat Level: Known bad
The file 8336022fdb5b5264d315804f35bd2eccc4968a43e535fdfcebec8c49edbc679a was found to be: Known bad.
Malicious Activity Summary
RedLine payload
Redline family
Healer family
Detects Healer, an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
RedLine
Executes dropped EXE
Windows security modification
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 03:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 03:44
Reported
2024-11-09 03:47
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
155s
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr350483.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr350483.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr350483.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr350483.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr350483.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr350483.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGu9219.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr350483.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku895889.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr350483.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\8336022fdb5b5264d315804f35bd2eccc4968a43e535fdfcebec8c49edbc679a.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGu9219.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8336022fdb5b5264d315804f35bd2eccc4968a43e535fdfcebec8c49edbc679a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGu9219.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku895889.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr350483.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr350483.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku895889.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\8336022fdb5b5264d315804f35bd2eccc4968a43e535fdfcebec8c49edbc679a.exe | "C:\Users\Admin\AppData\Local\Temp\8336022fdb5b5264d315804f35bd2eccc4968a43e535fdfcebec8c49edbc679a.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGu9219.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGu9219.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr350483.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr350483.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku895889.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku895889.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| RU | 176.113.115.145:4125 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGu9219.exe
| Hash | Value |
| MD5 | 3e91b0adc4ce2421d09efd4231a2b9e1 |
| SHA1 | 45688cee5dd411d460670ca1a1d5e68c8702b634 |
| SHA256 | 54d4789f22d957f4583cf3c1c6f333827268a90873f9ff51ab1f046521871d93 |
| SHA512 | e2972d7ba7967e2ca8dee3e2a265fc36376674e0e80ec3b21efc2c038b3ade1e84b8d08ae27d6e3cb1eb8a25cb20848c4f1a6e70ad214a62b62b372b1d1e3a58 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr350483.exe
| Hash | Value |
| MD5 | 78c3c8212cb8c23b1adfa1c970a5ea61 |
| SHA1 | 70cb7000ca8a18ed2da17a59ead6f905fc13eaee |
| SHA256 | 04cdace3f1f541f266f553f581943d847b765821a933c7695a6830ea3ae37a48 |
| SHA512 | 87474d9f045b6c32e2555c95d45f6c8628ce953fc9fc8c4dfbe538b8b48d12164bc5cea0d8df6eaa32b2e52a356c13f712b7ea7eaeb385a077ea7536f8b58e9a |
memory/468-14-0x00007FFA812E3000-0x00007FFA812E5000-memory.dmp
memory/468-15-0x0000000000280000-0x000000000028A000-memory.dmp
memory/468-16-0x00007FFA812E3000-0x00007FFA812E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku895889.exe
| Hash | Value |
| MD5 | 99fe8a12de549bc4afa5ddfe635fae38 |
| SHA1 | 6f339d74d8913b23384b9236463b8978f4af1bb6 |
| SHA256 | 5f627e3af21dcadff429f64fb608429c0564935d2ae2360b9c1b56bdfcb0c8bd |
| SHA512 | af4f9d865fb67aef5506d3ded3018dfa3f844a6ec3db7d5c3353c782cba09511521a4c247512420234ec1ba7eb5acf542360d44841d8edbbb648b278d98d2226 |