Analysis Overview
SHA256
e63d83f97928105429aaaf903d883bc38b97b4da489689471b1eff0860a950d1
Threat Level: Known bad
The file e63d83f97928105429aaaf903d883bc38b97b4da489689471b1eff0860a950d1 was found to be: Known bad.
Malicious Activity Summary
Detects Healer an antivirus disabler dropper
RedLine payload
Healer family
Redline family
RedLine
Modifies Windows Defender Real-time Protection settings
Healer
Executes dropped EXE
Windows security modification
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 19:16
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 19:16
Reported
2024-11-09 19:19
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr117199.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr117199.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr117199.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr117199.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr117199.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr117199.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziLi3938.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr117199.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku214496.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr117199.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\e63d83f97928105429aaaf903d883bc38b97b4da489689471b1eff0860a950d1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziLi3938.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e63d83f97928105429aaaf903d883bc38b97b4da489689471b1eff0860a950d1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziLi3938.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku214496.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr117199.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr117199.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr117199.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku214496.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e63d83f97928105429aaaf903d883bc38b97b4da489689471b1eff0860a950d1.exe
"C:\Users\Admin\AppData\Local\Temp\e63d83f97928105429aaaf903d883bc38b97b4da489689471b1eff0860a950d1.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziLi3938.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziLi3938.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr117199.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr117199.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku214496.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku214496.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 101.210.23.2.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziLi3938.exe
| MD5 | 7ae88c5d0b16e24c11b2b7fc193c8da1 |
| SHA1 | 5044b75b8f3cad9c9276cdf9f76595028d6a1390 |
| SHA256 | c85f1fb580e1df77ffb3ab2c2e1d90cb2d09b5a295c2d5ca914cdb6eeeabf4aa |
| SHA512 | ad600faa4f9f47f108eff38a5a7e58590d84daf275612a38f16898930dcff51e64202b993f09896d78f075b49166b1b15a7fb8412c9ccb6b9336b1d37e1b7795 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr117199.exe
| MD5 | 8b6ba4a9bce622ab6c2382f237094790 |
| SHA1 | 5aa259129e10b8aebcc3901f358d7691a9c7b489 |
| SHA256 | 5f45ef1c639aa7a86920811f451d3dfd28dda4072095a33f45211a948697f863 |
| SHA512 | 24323f4e99ce982f339585ee3fd38557d17d75082e73db51b98cc07e65486c0a25e917282147123c7f65c5ec472fd4a42fffc7a47c5e6017880635d112bdd7c3 |
memory/4524-14-0x00007FF8BC3D3000-0x00007FF8BC3D5000-memory.dmp
memory/4524-15-0x00000000006E0000-0x00000000006EA000-memory.dmp
memory/4524-16-0x00007FF8BC3D3000-0x00007FF8BC3D5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku214496.exe
| MD5 | 5ef0693cb43dbe4e7dfa7ebd20873d0b |
| SHA1 | 3b589818fd017cd1a2730d4e9662d51f1de9bfc2 |
| SHA256 | c14ffcc37b9ba5d0127b3fe47247326a990c901f8930097040035acf0b7c5067 |
| SHA512 | 8d25f1b2d5666a15cd6638370732fbf5ab4ecb5eccd76028721de196c647f4113134e3cb7383a69d563742f2e9133243992e90bf41e9d09d04355019da7793f0 |
memory/944-22-0x0000000004A80000-0x0000000004AC6000-memory.dmp
memory/944-23-0x0000000007350000-0x00000000078F4000-memory.dmp
memory/944-24-0x0000000007190000-0x00000000071D4000-memory.dmp
memory/944-34-0x0000000007190000-0x00000000071CF000-memory.dmp
memory/944-36-0x0000000007190000-0x00000000071CF000-memory.dmp
memory/944-32-0x0000000007190000-0x00000000071CF000-memory.dmp
memory/944-76-0x0000000007190000-0x00000000071CF000-memory.dmp
memory/944-48-0x0000000007190000-0x00000000071CF000-memory.dmp
memory/944-30-0x0000000007190000-0x00000000071CF000-memory.dmp
memory/944-28-0x0000000007190000-0x00000000071CF000-memory.dmp
memory/944-26-0x0000000007190000-0x00000000071CF000-memory.dmp
memory/944-25-0x0000000007190000-0x00000000071CF000-memory.dmp
memory/944-88-0x0000000007190000-0x00000000071CF000-memory.dmp
memory/944-86-0x0000000007190000-0x00000000071CF000-memory.dmp
memory/944-84-0x0000000007190000-0x00000000071CF000-memory.dmp
memory/944-82-0x0000000007190000-0x00000000071CF000-memory.dmp
memory/944-80-0x0000000007190000-0x00000000071CF000-memory.dmp
memory/944-78-0x0000000007190000-0x00000000071CF000-memory.dmp
memory/944-74-0x0000000007190000-0x00000000071CF000-memory.dmp
memory/944-72-0x0000000007190000-0x00000000071CF000-memory.dmp
memory/944-70-0x0000000007190000-0x00000000071CF000-memory.dmp
memory/944-68-0x0000000007190000-0x00000000071CF000-memory.dmp
memory/944-66-0x0000000007190000-0x00000000071CF000-memory.dmp
memory/944-64-0x0000000007190000-0x00000000071CF000-memory.dmp
memory/944-62-0x0000000007190000-0x00000000071CF000-memory.dmp
memory/944-60-0x0000000007190000-0x00000000071CF000-memory.dmp
memory/944-58-0x0000000007190000-0x00000000071CF000-memory.dmp
memory/944-56-0x0000000007190000-0x00000000071CF000-memory.dmp
memory/944-54-0x0000000007190000-0x00000000071CF000-memory.dmp
memory/944-52-0x0000000007190000-0x00000000071CF000-memory.dmp
memory/944-50-0x0000000007190000-0x00000000071CF000-memory.dmp
memory/944-46-0x0000000007190000-0x00000000071CF000-memory.dmp
memory/944-44-0x0000000007190000-0x00000000071CF000-memory.dmp
memory/944-42-0x0000000007190000-0x00000000071CF000-memory.dmp
memory/944-41-0x0000000007190000-0x00000000071CF000-memory.dmp
memory/944-38-0x0000000007190000-0x00000000071CF000-memory.dmp
memory/944-931-0x0000000007900000-0x0000000007F18000-memory.dmp
memory/944-932-0x0000000007F20000-0x000000000802A000-memory.dmp
memory/944-933-0x00000000072B0000-0x00000000072C2000-memory.dmp
memory/944-934-0x00000000072D0000-0x000000000730C000-memory.dmp
memory/944-935-0x0000000008130000-0x000000000817C000-memory.dmp