Analysis Overview
SHA256
42af49b56210b0f788a1ade835c17968375dfb68cc558201592611e2c6aa50e4
Threat Level: Known bad
The file 42af49b56210b0f788a1ade835c17968375dfb68cc558201592611e2c6aa50e4 was found to be: Known bad.
Malicious Activity Summary
Detects Healer, an antivirus disabler dropper
Healer family
RedLine payload
RedLine
Redline family
Healer
Modifies Windows Defender Real-time Protection settings
Windows security modification
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 05:07
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 05:07
Reported
2024-11-09 05:10
Platform
win10v2004-20241007-en
Max time kernel
145s
Max time network
150s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr620095.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr620095.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr620095.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr620095.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr620095.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr620095.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku817120.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zisi0996.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr620095.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku817120.exe | N/A |
| N/A | N/A | C:\Windows\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr579504.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr620095.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\42af49b56210b0f788a1ade835c17968375dfb68cc558201592611e2c6aa50e4.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zisi0996.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku817120.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku817120.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr579504.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\42af49b56210b0f788a1ade835c17968375dfb68cc558201592611e2c6aa50e4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zisi0996.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr620095.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr620095.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr620095.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku817120.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\42af49b56210b0f788a1ade835c17968375dfb68cc558201592611e2c6aa50e4.exe
"C:\Users\Admin\AppData\Local\Temp\42af49b56210b0f788a1ade835c17968375dfb68cc558201592611e2c6aa50e4.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zisi0996.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zisi0996.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr620095.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr620095.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku817120.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku817120.exe
C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1280 -ip 1280
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 1508
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr579504.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr579504.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zisi0996.exe
| Hash | Value |
|---|---|
| MD5 | fc8f8ed861d9019961f1a2affa3f2a67 |
| SHA1 | ac5d801b3048ef1746772db40973121096733e41 |
| SHA256 | a50068831718b26d75df61e20214740edde0fb5e5f267362ae18b12cf82ad65e |
| SHA512 | c1d74db9c7edc28a935e7fb085c7fc028755c1abe581125118b3553c79389b6e9783ed7181b845da0b04eaa3e779982513a59be210c4efdf45dee61fd2c4fb1c |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr620095.exe
| Hash | Value |
|---|---|
| MD5 | f972a7ac085e6c32b6c52bd0cd379c57 |
| SHA1 | acc5aa28ded5e648f4693b0ce1ebcf7795fd21ec |
| SHA256 | 410bed8f20fedc3e27a5e6b6364d33a45a5d39792c5893af1087afdf9a975a87 |
| SHA512 | 7fabfaf45072558fb6fab2630c78b05c9bc893a1962c4ddc1822cc65e2550336d7732acc97735399b61e2a783d8fdc451690c90a4c2186e914b155f88ba4b2cf |
memory/2688-14-0x00007FFF8A443000-0x00007FFF8A445000-memory.dmp
memory/2688-15-0x0000000000C40000-0x0000000000C4A000-memory.dmp
memory/2688-16-0x00007FFF8A443000-0x00007FFF8A445000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku817120.exe
| Hash | Value |
|---|---|
| MD5 | 7045451833ce5928338a9deaa0a6a0bb |
| SHA1 | 036a33efd683bc8f78599c79df1fa4053ecd61a5 |
| SHA256 | 747ba7e9e789fca4f433df3b61b6cd57381d975ab041f8a6091fe323e57886b9 |
| SHA512 | f9986f7b28d01f2149f2d86002d98a50cbfef94801e449758bd9935eed2e485b34769cb8bfae8be1aa974d34d51bf6c76f514415e284dd72aa8a13ae96626a62 |
C:\Windows\Temp\1.exe
| Hash | Value |
|---|---|
| MD5 | 1073b2e7f778788852d3f7bb79929882 |
| SHA1 | 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4 |
| SHA256 | c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb |
| SHA512 | 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr579504.exe
| Hash | Value |
|---|---|
| MD5 | 8f1ab99bec5c1f8bb5ddaf8867aa7e19 |
| SHA1 | 06693184f29d753abe0350b4dfe14c4493965189 |
| SHA256 | 19f6e91965aa3a94ca1abe0f8b08e0c864b25e687bb04961043fe9ef72f017db |
| SHA512 | 088b4684d6e56c36e02183b94420424bbc183ebf1583adb40ad842761a4f40add832560ed4d296ae2bf2197afdb7b58031b5d0593cdfab57bfe6ce308f304e3a |
memory/2112-2129-0x0000000000150000-0x000000000017E000-memory.dmp
memory/2112-2130-0x0000000002300000-0x0000000002306000-memory.dmp