Analysis Overview
SHA256
7df950a2c40ec9c514a539e575a51616152b553b6e83c05ebc5c5103a4561ec5
Threat Level: Known bad
The file 7df950a2c40ec9c514a539e575a51616152b553b6e83c05ebc5c5103a4561ec5 was found to be: Known bad.
Malicious Activity Summary
Redline family
Healer family
RedLine
RedLine payload
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
Executes dropped EXE
Windows security modification
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 05:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 05:02
Reported
2024-11-09 05:04
Platform
win10v2004-20241007-en
Max time kernel
142s
Max time network
147s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr365161.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr365161.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr365161.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr365161.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr365161.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr365161.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziEi9057.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr365161.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku239007.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr365161.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\7df950a2c40ec9c514a539e575a51616152b553b6e83c05ebc5c5103a4561ec5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziEi9057.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7df950a2c40ec9c514a539e575a51616152b553b6e83c05ebc5c5103a4561ec5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziEi9057.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku239007.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr365161.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr365161.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr365161.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku239007.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7df950a2c40ec9c514a539e575a51616152b553b6e83c05ebc5c5103a4561ec5.exe
"C:\Users\Admin\AppData\Local\Temp\7df950a2c40ec9c514a539e575a51616152b553b6e83c05ebc5c5103a4561ec5.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziEi9057.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziEi9057.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr365161.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr365161.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku239007.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku239007.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| RU | 176.113.115.145:4125 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziEi9057.exe
| MD5 | 21027cb188f40490066154654e60e3c7 |
| SHA1 | 9a981a31ad1a33e7e3f2830738e45d9435bf1f96 |
| SHA256 | ffd1488bb251d82d1378cc7f6b9633e55eef97d8d50978440b5a0c48f5249e6a |
| SHA512 | 8a5ec496d88808a3bbcadd788342cbbb01257c37d12bab91d4570e08d4da5415a2c17f060db4c82c73bd278f86b25296a15892c34c86bfced2e7a38f6f4d5851 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr365161.exe
| MD5 | b5d2eb69dbf7867c1308103cebbb8287 |
| SHA1 | 9a587694e49fcb89a48b029aec9aa1bfafdfe3ac |
| SHA256 | e16ee90aa92ab21eb34a8b4e4a5027f3e59224e94196f81f45312ee124abcaf9 |
| SHA512 | 486ace5c0a8ebcf8642fe9ebfa65bcd96d054cf9bc6e6f60437dbec1db99961f0f40402b8a2f05f1435054edd40019e6d1806214296008d16701528d3b3db7ae |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku239007.exe
| MD5 | 29a1d47a0a764e756409e83d84a5c0a3 |
| SHA1 | 94fdc133eab57c39c1e692ddd64035ef39d6b427 |
| SHA256 | 7850d76bc48a8b4bd776069b9e89daac6348d0bd972de32943c886ce1e24f60c |
| SHA512 | 4189fc3d08e800ab4043a73bb73922ed11cdba79fef73e7c609191f890a1ce8e14ecda120664290908e236c4bc477fa8980f0b92453addc33b0b4a13a0a2c0c8 |