Analysis Overview
SHA256
28dfe706f9d3b327dd253451ef888e96ceeb3c2f608dfba2e0e6b519625889e4
Threat Level: Known bad
The file 28dfe706f9d3b327dd253451ef888e96ceeb3c2f608dfba2e0e6b519625889e4 was found to be: Known bad.
Malicious Activity Summary
Detects Healer an antivirus disabler dropper
RedLine payload
Modifies Windows Defender Real-time Protection settings
Healer
RedLine
Redline family
Healer family
Windows security modification
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 03:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 03:47
Reported
2024-11-09 03:50
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr994622.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr994622.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr994622.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr994622.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr994622.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr994622.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPK9492.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr994622.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku195452.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr994622.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\28dfe706f9d3b327dd253451ef888e96ceeb3c2f608dfba2e0e6b519625889e4.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPK9492.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\28dfe706f9d3b327dd253451ef888e96ceeb3c2f608dfba2e0e6b519625889e4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPK9492.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku195452.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr994622.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr994622.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr994622.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku195452.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\28dfe706f9d3b327dd253451ef888e96ceeb3c2f608dfba2e0e6b519625889e4.exe | "C:\Users\Admin\AppData\Local\Temp\28dfe706f9d3b327dd253451ef888e96ceeb3c2f608dfba2e0e6b519625889e4.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPK9492.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPK9492.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr994622.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr994622.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku195452.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku195452.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| RU | 176.113.115.145:4125 | | tcp |
| RU | 176.113.115.145:4125 | | tcp |
| RU | 176.113.115.145:4125 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPK9492.exe
| Hash | Value |
| --- | --- |
| MD5 | 2145719c8df48ee93ffcc94961129132 |
| SHA1 | 3d8a1a345c5a8633586f949a815a0e312b78f61c |
| SHA256 | 96a8b64a822baea461eaf71aaf5cdb61465760c16bab2c9edf7b1ce76406b293 |
| SHA512 | 725fe1ad6da10db61394df73754a279c0e9c0dcf67f89e0db93c208170d268cbc7e8be8d6c28a1a52e3e8a5b27ca7c934109224273bfe9d60d7f9901d375a050 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr994622.exe
| Hash | Value |
| --- | --- |
| MD5 | 7ff24f9bb4b0dcc5bc325a3b9215b692 |
| SHA1 | a2a74df8e9d1cd66156fe82f07c9c31a83e235cb |
| SHA256 | 1466a0eac7850d5bbef7831b1a3628e7859089e6647abc9e9f96ab0de837c7d7 |
| SHA512 | 0b8af222520eb70d7ef37384b6489c33a438fcc0325d3b9e5cd313b6a734f665ffdc405690d31ec221dc3583562befa29e214053b732352af5eddd4733be2734 |
memory/5032-15-0x0000000000560000-0x000000000056A000-memory.dmp
memory/5032-14-0x00007FFA1FE33000-0x00007FFA1FE35000-memory.dmp
memory/5032-16-0x00007FFA1FE33000-0x00007FFA1FE35000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku195452.exe
| Hash | Value |
| --- | --- |
| MD5 | 6d4736f10db18f610f659f8c799c9392 |
| SHA1 | b433de01816df02380bc34bc2fe8a0c84859b79d |
| SHA256 | 6673ac912bc7ca0660715ef4f2935b7fbb8e9d5c1a8ff291f7cf295074034ed7 |
| SHA512 | 95d066b502b8654d2953e8075c116e703cb0f6ef7836f9a98b2b5e79139c15285ce3fde444fb0aeb65cc3680b09667f0dd022c4f747e5d65924e76df49787e41 |
memory/1676-22-0x0000000002530000-0x0000000002576000-memory.dmp
memory/1676-23-0x0000000004BD0000-0x0000000005174000-memory.dmp
memory/1676-24-0x0000000004B10000-0x0000000004B54000-memory.dmp
memory/1676-30-0x0000000004B10000-0x0000000004B4F000-memory.dmp
memory/1676-36-0x0000000004B10000-0x0000000004B4F000-memory.dmp
memory/1676-35-0x0000000004B10000-0x0000000004B4F000-memory.dmp
memory/1676-32-0x0000000004B10000-0x0000000004B4F000-memory.dmp
memory/1676-86-0x0000000004B10000-0x0000000004B4F000-memory.dmp
memory/1676-74-0x0000000004B10000-0x0000000004B4F000-memory.dmp
memory/1676-44-0x0000000004B10000-0x0000000004B4F000-memory.dmp
memory/1676-28-0x0000000004B10000-0x0000000004B4F000-memory.dmp
memory/1676-26-0x0000000004B10000-0x0000000004B4F000-memory.dmp
memory/1676-25-0x0000000004B10000-0x0000000004B4F000-memory.dmp
memory/1676-88-0x0000000004B10000-0x0000000004B4F000-memory.dmp
memory/1676-84-0x0000000004B10000-0x0000000004B4F000-memory.dmp
memory/1676-82-0x0000000004B10000-0x0000000004B4F000-memory.dmp
memory/1676-80-0x0000000004B10000-0x0000000004B4F000-memory.dmp
memory/1676-78-0x0000000004B10000-0x0000000004B4F000-memory.dmp
memory/1676-76-0x0000000004B10000-0x0000000004B4F000-memory.dmp
memory/1676-72-0x0000000004B10000-0x0000000004B4F000-memory.dmp
memory/1676-70-0x0000000004B10000-0x0000000004B4F000-memory.dmp
memory/1676-68-0x0000000004B10000-0x0000000004B4F000-memory.dmp
memory/1676-66-0x0000000004B10000-0x0000000004B4F000-memory.dmp
memory/1676-64-0x0000000004B10000-0x0000000004B4F000-memory.dmp
memory/1676-62-0x0000000004B10000-0x0000000004B4F000-memory.dmp
memory/1676-60-0x0000000004B10000-0x0000000004B4F000-memory.dmp
memory/1676-58-0x0000000004B10000-0x0000000004B4F000-memory.dmp
memory/1676-57-0x0000000004B10000-0x0000000004B4F000-memory.dmp
memory/1676-54-0x0000000004B10000-0x0000000004B4F000-memory.dmp
memory/1676-52-0x0000000004B10000-0x0000000004B4F000-memory.dmp
memory/1676-50-0x0000000004B10000-0x0000000004B4F000-memory.dmp
memory/1676-48-0x0000000004B10000-0x0000000004B4F000-memory.dmp
memory/1676-46-0x0000000004B10000-0x0000000004B4F000-memory.dmp
memory/1676-42-0x0000000004B10000-0x0000000004B4F000-memory.dmp
memory/1676-41-0x0000000004B10000-0x0000000004B4F000-memory.dmp
memory/1676-38-0x0000000004B10000-0x0000000004B4F000-memory.dmp
memory/1676-931-0x0000000005180000-0x0000000005798000-memory.dmp
memory/1676-932-0x00000000057A0000-0x00000000058AA000-memory.dmp
memory/1676-933-0x00000000058D0000-0x00000000058E2000-memory.dmp
memory/1676-934-0x00000000058F0000-0x000000000592C000-memory.dmp
memory/1676-935-0x0000000005A40000-0x0000000005A8C000-memory.dmp