Analysis Overview
SHA256
2f4924be9e17eaa5e0adeb6fd7e0f70dd6ad0f40ba88ac409cdc42b61a2129cf
Threat Level: Known bad
The file 2f4924be9e17eaa5e0adeb6fd7e0f70dd6ad0f40ba88ac409cdc42b61a2129cf was found to be: Known bad.
Malicious Activity Summary
Healer family
Redline family
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine payload
Detects Healer, an antivirus disabler dropper
Healer
Executes dropped EXE
Windows security modification
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 19:15
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 19:15
Reported
2024-11-09 19:17
Platform
win10v2004-20241007-en
Max time kernel
142s
Max time network
150s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr963509.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr963509.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr963509.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr963509.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr963509.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr963509.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zikp8686.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr963509.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku301020.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr963509.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\2f4924be9e17eaa5e0adeb6fd7e0f70dd6ad0f40ba88ac409cdc42b61a2129cf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zikp8686.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zikp8686.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku301020.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2f4924be9e17eaa5e0adeb6fd7e0f70dd6ad0f40ba88ac409cdc42b61a2129cf.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr963509.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr963509.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr963509.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku301020.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\2f4924be9e17eaa5e0adeb6fd7e0f70dd6ad0f40ba88ac409cdc42b61a2129cf.exe | "C:\Users\Admin\AppData\Local\Temp\2f4924be9e17eaa5e0adeb6fd7e0f70dd6ad0f40ba88ac409cdc42b61a2129cf.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zikp8686.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zikp8686.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr963509.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr963509.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku301020.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku301020.exe |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| RU | 176.113.115.145:4125 | | tcp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| RU | 176.113.115.145:4125 | | tcp |
| RU | 176.113.115.145:4125 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zikp8686.exe
| Hash | Value |
|---|---|
| MD5 | 374d61630d151cf9df195f65d11770ac |
| SHA1 | f5e0e8e45dd149251c0420b38dd47978b131e4d8 |
| SHA256 | 26f46cdcc014956680520dfbca11d981f7da17b01e3ac9ae3f139aacb52063ca |
| SHA512 | 6232fa552b67a97212f7ba65b1a360cdee01afe6861164c6bd18c22acae0e677d0bce987437fe1e0436d8b7b8a9f84de9f74b341835ae0d0c4390872a6b35184 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr963509.exe
| Hash | Value |
|---|---|
| MD5 | 0913800af7bbcdba4386d817777acbd9 |
| SHA1 | 239c84198b270551465c35775fc7fe28f69840df |
| SHA256 | 09c3c7479684ce7ee25e1ffe1eac45ddbb6d65f1c64fe5d9e1a95809f62d4215 |
| SHA512 | 5f33f355dce40d366ca8ae2d1e7bdf0871a17690ed2eb813454b516062deb370b6faff47fe58ad9d2893ca7f740379f4f0fbcd3032adc0d8aa2f2d1c4eb26f2f |
memory/5052-15-0x0000000000C10000-0x0000000000C1A000-memory.dmp
memory/5052-14-0x00007FF813FE3000-0x00007FF813FE5000-memory.dmp
memory/5052-16-0x00007FF813FE3000-0x00007FF813FE5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku301020.exe
| Hash | Value |
|---|---|
| MD5 | 5ca7499cd5bf2e6cb25975878de9f440 |
| SHA1 | bbdd3fbfadede3a4c7cbd568f418d611e4061551 |
| SHA256 | 286052867ffb40f5406b40eb10d68eebd539181efc8c12acb25b93cce3ab9f50 |
| SHA512 | 8704bc8ac964d0c605c55a0eb8efa67b513f75341c8e33edf8ba02b801aff070b10868780aa20ef407a704ee8a6eb7c2b3480c5e8cc9a8d4ad865a5590d81a69 |