Analysis Overview
SHA256
88be0d3f31d57124a331e08e91c99f9528dc26a98fe730523e4f8ad74525f48f
Threat Level: Known bad
The file 88be0d3f31d57124a331e08e91c99f9528dc26a98fe730523e4f8ad74525f48f was found to be: Known bad.
Malicious Activity Summary
Healer family
Redline family
RedLine payload
RedLine
Detects Healer an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
Healer
Windows security modification
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 05:07
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 05:07
Reported
2024-11-09 05:10
Platform
win10v2004-20241007-en
Max time kernel
141s
Max time network
148s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it124458.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it124458.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it124458.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it124458.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it124458.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it124458.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixv2093.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it124458.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp090683.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it124458.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\88be0d3f31d57124a331e08e91c99f9528dc26a98fe730523e4f8ad74525f48f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixv2093.exe | N/A |
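The three registry tables above describe one chain: the submitted executable is a wextract (IExpress) self-extracting package that unpacks into IXP000.TMP, the stage inside it unpacks again into IXP001.TMP, and it124458.exe from that second stage switches off Defender real-time protection through the Policies key and writes TamperProtection = 0. Two caveats matter for triage. The wextract_cleanup RunOnce values are not payload persistence: DelNodeRunDLL32 deletes the named stage directory at the next logon, and legitimate IExpress packages leave the same entry, so the entry is only notable in combination with what was run out of that directory. And on a host where Tamper Protection is actually enabled these Defender writes are typically blocked or reverted, so the write attempt is the detection signal, not the resulting state. The script below is an added example, not part of the sandbox report or of any vendor's tooling. It parses the indicator strings exactly as rendered in these tables (the event tuples are constructed by hand from them) and correlates the Defender writes with the stage-directory footprint; the rule names, the verdict strings, the BENIGN_EVENTS contrast case and the "tamperer runs from a wextract stage directory" correlation are this example's own assumptions.

```python
"""Triage of the registry writes recorded in this detonation (added example)."""
import re
from typing import Dict, List, Optional, Tuple

Event = Tuple[str, str, str]  # (operation, indicator, process), as in the report tables

HKLM = r"\REGISTRY\MACHINE"
RTP_POLICY_KEY = HKLM + r"\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
DEFENDER_FEATURES_KEY = HKLM + r"\SOFTWARE\Microsoft\Windows Defender\Features"
RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring", "DisableBehaviorMonitoring", "DisableIOAVProtection",
    "DisableOnAccessProtection", "DisableScanOnRealtimeEnable",
}
RUN_KEYS = (r"\Microsoft\Windows\CurrentVersion\Run", r"\Microsoft\Windows\CurrentVersion\RunOnce")
IXP_DIR = re.compile(r"IXP\d{3}\.TMP", re.IGNORECASE)  # wextract.exe stage directory
WEXTRACT_CLEANUP = "advpack.dll,DelNodeRunDLL32"      # RunOnce job that deletes that directory

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\88be0d3f31d57124a331e08e91c99f9528dc26a98fe730523e4f8ad74525f48f.exe"
STAGE1 = r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixv2093.exe"
HEALER = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it124458.exe"

# Constructed by hand from the three registry tables in the report.
SAMPLE_EVENTS: List[Event] = [("Key created", RTP_POLICY_KEY, HEALER)] + [
    ("Set value (int)", RTP_POLICY_KEY + "\\" + v + ' = "1"', HEALER) for v in sorted(RTP_DISABLE_VALUES)
] + [
    ("Set value (int)", DEFENDER_FEATURES_KEY + r'\TamperProtection = "0"', HEALER),
    ("Set value (str)",
     HKLM + r'\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""',
     DROPPER),
    ("Set value (str)",
     HKLM + r'\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""',
     STAGE1),
]
# Constructed contrast case (assumption): a legitimate IExpress package leaves the same
# RunOnce cleanup entry but touches nothing under Windows Defender.
BENIGN_EVENTS: List[Event] = [SAMPLE_EVENTS[-2]]


def parse_indicator(indicator: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Split '<key>\\<name> = "<data>"' into (key, name, data).

    'Key created' / 'Key opened' rows carry only a key path and give (key, None, None).
    WOW6432Node is dropped so a 32-bit writer on x64 lands on the same key as a native one.
    """
    if ' = "' not in indicator:
        return indicator.replace(r"\WOW6432Node", ""), None, None
    path, rest = indicator.split(' = "', 1)
    data = rest[:-1] if rest.endswith('"') else rest
    key, _, name = path.rpartition("\\")
    return key.replace(r"\WOW6432Node", ""), name, data


def triage(events: List[Event]) -> Dict[str, object]:
    """Flag Defender tampering and tie it to the wextract stage directories it came from."""
    rtp_disabled: List[str] = []
    tamper_off = False
    tamper_writers, stage_dirs = set(), set()
    autoruns = 0
    for _op, indicator, proc in events:
        key, name, data = parse_indicator(indicator)
        if key == RTP_POLICY_KEY and name in RTP_DISABLE_VALUES and data == "1":
            rtp_disabled.append(name)
            tamper_writers.add(proc)
        elif key == DEFENDER_FEATURES_KEY and name == "TamperProtection" and data == "0":
            tamper_off = True
            tamper_writers.add(proc)
        elif key.endswith(RUN_KEYS) and name is not None:
            autoruns += 1
            if WEXTRACT_CLEANUP in (data or ""):
                # Not payload persistence: this job removes the stage directory at next logon.
                stage_dirs.update(m.upper() for m in IXP_DIR.findall(data or ""))
    # Correlation: the tampering binary itself lives in a wextract stage directory,
    # i.e. it is a dropped payload rather than the submitted file.
    staged_tamperer = any(IXP_DIR.search(p) for p in tamper_writers)
    if rtp_disabled and staged_tamperer:
        verdict = "av-disabler dropped by self-extracting archive"
    elif rtp_disabled or tamper_off:
        verdict = "defender tampering"
    else:
        verdict = "no defender tampering"
    return {
        "defender_rtp_disabled": sorted(rtp_disabled),
        "tamper_protection_written_off": tamper_off,
        "defender_tamper_processes": sorted(tamper_writers),
        "wextract_stage_dirs": sorted(stage_dirs),
        "autorun_entries": autoruns,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, evs in (("this sample", SAMPLE_EVENTS), ("benign IExpress package", BENIGN_EVENTS)):
        print(label, "->", triage(evs)["verdict"])
```

Run against the report's events the verdict is the combined one; run against the contrast case it is clean, which is the point of keeping the RunOnce rule informational rather than scoring it on its own.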
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\88be0d3f31d57124a331e08e91c99f9528dc26a98fe730523e4f8ad74525f48f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixv2093.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp090683.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it124458.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it124458.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it124458.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp090683.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\88be0d3f31d57124a331e08e91c99f9528dc26a98fe730523e4f8ad74525f48f.exe
"C:\Users\Admin\AppData\Local\Temp\88be0d3f31d57124a331e08e91c99f9528dc26a98fe730523e4f8ad74525f48f.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixv2093.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixv2093.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it124458.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it124458.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp090683.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp090683.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.161.248.142:38452 | | tcp |
| RU | 185.161.248.142:38452 | | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| RU | 185.161.248.142:38452 | | tcp |
| RU | 185.161.248.142:38452 | | tcp |
| RU | 185.161.248.142:38452 | | tcp |
| RU | 185.161.248.142:38452 | | tcp |
| RU | 185.161.248.142:38452 | | tcp |
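The network table mixes two kinds of traffic: PTR queries sent to the resolver at 8.8.8.8:53, where the in-addr.arpa name encodes the looked-up address with its octets reversed, and seven raw TCP connections to 185.161.248.142:38452 with no domain name involved, which is the shape of a RedLine panel connection. The report ties neither kind to a specific process. The script below is an added example, not part of the sandbox report: the rows are copied by hand from the table, and treating 8.8.8.8:53 as the detonation VM's resolver and everything else as direct sample traffic is this example's assumption.

```python
"""Network-table triage for this detonation (added example)."""
from collections import Counter
from typing import Dict, List, Optional, Tuple

Row = Tuple[str, str, str, str]  # (country, destination, domain, proto), as in the table

SANDBOX_RESOLVER = "8.8.8.8:53"  # assumption: the detonation VM's configured DNS server
RAW_TCP_ENDPOINT = "185.161.248.142:38452"

# Copied by hand from the Network table; raw TCP rows carry no domain.
NETWORK_ROWS: List[Row] = [
    ("US", SANDBOX_RESOLVER, "232.168.11.51.in-addr.arpa", "udp"),
    ("US", SANDBOX_RESOLVER, "76.32.126.40.in-addr.arpa", "udp"),
    ("US", SANDBOX_RESOLVER, "95.221.229.192.in-addr.arpa", "udp"),
    ("RU", RAW_TCP_ENDPOINT, "", "tcp"),
    ("RU", RAW_TCP_ENDPOINT, "", "tcp"),
    ("US", SANDBOX_RESOLVER, "149.220.183.52.in-addr.arpa", "udp"),
] + [("RU", RAW_TCP_ENDPOINT, "", "tcp")] * 5


def ptr_to_ip(name: str) -> Optional[str]:
    """'232.168.11.51.in-addr.arpa' -> '51.11.168.232'; PTR names list the octets reversed."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def split_endpoint(dest: str) -> Tuple[str, int]:
    """'185.161.248.142:38452' -> ('185.161.248.142', 38452)."""
    host, _, port = dest.rpartition(":")
    return host, int(port)


def summarize(rows: List[Row]) -> Dict[str, object]:
    """Separate resolver chatter (decoded to the addresses looked up) from direct connections."""
    reverse_lookups: List[str] = []
    direct: Counter = Counter()
    for country, dest, domain, proto in rows:
        if dest == SANDBOX_RESOLVER and proto == "udp":
            ip = ptr_to_ip(domain)
            if ip:
                reverse_lookups.append(ip)
            continue
        host, port = split_endpoint(dest)
        direct[(host, port, proto, country)] += 1
    return {
        "reverse_lookups": reverse_lookups,
        "direct_connections": [
            {"ip": h, "port": p, "proto": pr, "country": cc, "connections": n}
            for (h, p, pr, cc), n in direct.most_common()
        ],
    }


def ioc_lines(summary: Dict[str, object]) -> List[str]:
    """One blockable line per direct endpoint, most connections first."""
    return [
        f"{c['ip']}:{c['port']} {c['proto']} {c['country']} x{c['connections']}"
        for c in summary["direct_connections"]  # type: ignore[index]
    ]


if __name__ == "__main__":
    s = summarize(NETWORK_ROWS)
    print("reverse lookups for:", ", ".join(s["reverse_lookups"]))  # type: ignore[arg-type]
    print("\n".join(ioc_lines(s)))
```

Check the four decoded addresses against a baseline of Windows background lookups before promoting them to indicators; the endpoint with seven connections on a non-standard port is the one to block and hunt for.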
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixv2093.exe
| MD5 | 52bdb82791a20eabd4f1e4ffcfa9bfc4 |
| SHA1 | 2ce39c9e12e41b35bc90f5dfee4856cfc42cb561 |
| SHA256 | fa740a5ba4ab993f9fda028dc9de20120a7cafcfaa9ffffc1378e9562775e563 |
| SHA512 | 0ddedf08687dcb92801e45d6db59418da534f552595a42885a84d05e76b76351844f08c05b305733c8ab50b95c9ea4ae8b6fd999455cb4bbbe7e3fb2fb604b7b |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it124458.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/2192-14-0x00007FFE75773000-0x00007FFE75775000-memory.dmp
memory/2192-15-0x0000000000B80000-0x0000000000B8A000-memory.dmp
memory/2192-16-0x00007FFE75773000-0x00007FFE75775000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp090683.exe
| MD5 | d06a24c98b52d4ad31b4dc0a5d8ec563 |
| SHA1 | bccd0fb5b6951fa8e2a0278724c7f6830562b7a5 |
| SHA256 | 5ae7494834fd42403fe4df86b80407ce04dcb73fa666b1e1ff8a9aedcc1cefe6 |
| SHA512 | 09f3da370a77d105f6107474b5ce6d49ce67f6d53ef09c272f83edd29ae3e834a00f89f6d9849e1976a37b8bf3b5491314edb775a96fad178bac982e02bebaa9 |
memory/2676-22-0x0000000007150000-0x000000000718C000-memory.dmp
memory/2676-23-0x00000000072D0000-0x0000000007874000-memory.dmp
memory/2676-24-0x00000000071D0000-0x000000000720A000-memory.dmp
memory/2676-40-0x00000000071D0000-0x0000000007205000-memory.dmp
memory/2676-46-0x00000000071D0000-0x0000000007205000-memory.dmp
memory/2676-88-0x00000000071D0000-0x0000000007205000-memory.dmp
memory/2676-86-0x00000000071D0000-0x0000000007205000-memory.dmp
memory/2676-84-0x00000000071D0000-0x0000000007205000-memory.dmp
memory/2676-82-0x00000000071D0000-0x0000000007205000-memory.dmp
memory/2676-80-0x00000000071D0000-0x0000000007205000-memory.dmp
memory/2676-78-0x00000000071D0000-0x0000000007205000-memory.dmp
memory/2676-76-0x00000000071D0000-0x0000000007205000-memory.dmp
memory/2676-74-0x00000000071D0000-0x0000000007205000-memory.dmp
memory/2676-72-0x00000000071D0000-0x0000000007205000-memory.dmp
memory/2676-70-0x00000000071D0000-0x0000000007205000-memory.dmp
memory/2676-68-0x00000000071D0000-0x0000000007205000-memory.dmp
memory/2676-66-0x00000000071D0000-0x0000000007205000-memory.dmp
memory/2676-62-0x00000000071D0000-0x0000000007205000-memory.dmp
memory/2676-60-0x00000000071D0000-0x0000000007205000-memory.dmp
memory/2676-58-0x00000000071D0000-0x0000000007205000-memory.dmp
memory/2676-56-0x00000000071D0000-0x0000000007205000-memory.dmp
memory/2676-54-0x00000000071D0000-0x0000000007205000-memory.dmp
memory/2676-52-0x00000000071D0000-0x0000000007205000-memory.dmp
memory/2676-50-0x00000000071D0000-0x0000000007205000-memory.dmp
memory/2676-48-0x00000000071D0000-0x0000000007205000-memory.dmp
memory/2676-44-0x00000000071D0000-0x0000000007205000-memory.dmp
memory/2676-42-0x00000000071D0000-0x0000000007205000-memory.dmp
memory/2676-38-0x00000000071D0000-0x0000000007205000-memory.dmp
memory/2676-36-0x00000000071D0000-0x0000000007205000-memory.dmp
memory/2676-35-0x00000000071D0000-0x0000000007205000-memory.dmp
memory/2676-32-0x00000000071D0000-0x0000000007205000-memory.dmp
memory/2676-30-0x00000000071D0000-0x0000000007205000-memory.dmp
memory/2676-28-0x00000000071D0000-0x0000000007205000-memory.dmp
memory/2676-64-0x00000000071D0000-0x0000000007205000-memory.dmp
memory/2676-26-0x00000000071D0000-0x0000000007205000-memory.dmp
memory/2676-25-0x00000000071D0000-0x0000000007205000-memory.dmp
memory/2676-817-0x0000000009D00000-0x000000000A318000-memory.dmp
memory/2676-818-0x000000000A350000-0x000000000A362000-memory.dmp
memory/2676-819-0x000000000A370000-0x000000000A47A000-memory.dmp
memory/2676-820-0x000000000A490000-0x000000000A4CC000-memory.dmp
memory/2676-821-0x0000000006C80000-0x0000000006CCC000-memory.dmp