Analysis Overview
SHA256
26c8056ec71f7961bac6647afe04b5acd64ac3df7e0c706dc9005510710c77b0
Threat Level: Known bad
The file 26c8056ec71f7961bac6647afe04b5acd64ac3df7e0c706dc9005510710c77b0 was found to be: Known bad.
Malicious Activity Summary
Healer family
Healer
Redline family
RedLine payload
RedLine
Detects Healer, an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
Windows security modification
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 19:13
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 19:13
Reported
2024-11-09 19:16
Platform
win10v2004-20241007-en
Max time kernel
140s
Max time network
147s
Signatures
Detects Healer, an antivirus disabler dropper
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it913906.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it913906.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it913906.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it913906.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it913906.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it913906.exe | N/A |
RedLine
RedLine payload
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixP2609.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziDB7167.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it913906.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr653650.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it913906.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixP2609.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziDB7167.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\26c8056ec71f7961bac6647afe04b5acd64ac3df7e0c706dc9005510710c77b0.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziDB7167.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr653650.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\26c8056ec71f7961bac6647afe04b5acd64ac3df7e0c706dc9005510710c77b0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixP2609.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it913906.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it913906.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it913906.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr653650.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\26c8056ec71f7961bac6647afe04b5acd64ac3df7e0c706dc9005510710c77b0.exe | "C:\Users\Admin\AppData\Local\Temp\26c8056ec71f7961bac6647afe04b5acd64ac3df7e0c706dc9005510710c77b0.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixP2609.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixP2609.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziDB7167.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziDB7167.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it913906.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it913906.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr653650.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr653650.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.161.248.152:38452 | N/A | tcp |
| RU | 185.161.248.152:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| RU | 185.161.248.152:38452 | N/A | tcp |
| RU | 185.161.248.152:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| RU | 185.161.248.152:38452 | N/A | tcp |
| RU | 185.161.248.152:38452 | N/A | tcp |
| RU | 185.161.248.152:38452 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixP2609.exe
| MD5 | e8a6236672727c350989dd891093033c |
| SHA1 | b1b162fd72fe5c59b1fd238e4554a09dde31931c |
| SHA256 | 7fbb57b16229ac46955960205bfe2933ca86d5dd6d3bd880d6b71259a6c9b084 |
| SHA512 | 23a73748947e7edf475ef89bc08252646cbf0b4c70ab4e50aee15908c110e72e5dbe27ff846fea90bd1bec10cdd61dbd16171af2bb60067392c13d8da994f4f5 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziDB7167.exe
| MD5 | f44da038a7aaa1c9053196b083bdc4a4 |
| SHA1 | 98b16311a32b797770f84f9d7c95e361aad159b2 |
| SHA256 | bc396b277102042c656518b757706bbac50a75d9e20619281e85fb2eb9592b64 |
| SHA512 | ad515d23e706ad07de5f382051b0baf6cb5c1ff7a8e9e53817a7f75825cda381a1b31f4d05a349dbae673924ab91bd6aaad428b4b4c09a608973352eb2f0d493 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it913906.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr653650.exe
| MD5 | 1d3d4326e0cdd6703677c44186a20644 |
| SHA1 | 3d7b40366f416dced7a21d43e9a116631619c8fc |
| SHA256 | 3368b9c2e65ba7b947bd076400112f47de7252e71023b18e529cd0050e366fd8 |
| SHA512 | fd791de12c392a3e1ccd668b8aa97ba60fc261793700434032b00be982dd82233a99c7d04cb538c4ddd8eb75d07e9acb03a98c65402400963099a0f4d6c5d83b |