Analysis Overview
SHA256
34d6dfbbbcc3b00df0239abc99d13989384b59c2fb0cdebfa01210c8065c9b4b
Threat Level: Known bad
The file 34d6dfbbbcc3b00df0239abc99d13989384b59c2fb0cdebfa01210c8065c9b4b was found to be: Known bad.
Malicious Activity Summary
Healer
Redline family
Detects Healer an antivirus disabler dropper
RedLine
RedLine payload
Modifies Windows Defender Real-time Protection settings
Healer family
Windows security modification
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Program crash
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 00:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 00:47
Reported
2024-11-10 00:49
Platform
win10v2004-20241007-en
Max time kernel
145s
Max time network
154s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr128250.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr128250.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr128250.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr128250.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr128250.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr128250.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku132695.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAR1331.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr128250.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku132695.exe | N/A |
| N/A | N/A | C:\Windows\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr773410.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr128250.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\34d6dfbbbcc3b00df0239abc99d13989384b59c2fb0cdebfa01210c8065c9b4b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAR1331.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku132695.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAR1331.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku132695.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr773410.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\34d6dfbbbcc3b00df0239abc99d13989384b59c2fb0cdebfa01210c8065c9b4b.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr128250.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr128250.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr128250.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku132695.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\34d6dfbbbcc3b00df0239abc99d13989384b59c2fb0cdebfa01210c8065c9b4b.exe
"C:\Users\Admin\AppData\Local\Temp\34d6dfbbbcc3b00df0239abc99d13989384b59c2fb0cdebfa01210c8065c9b4b.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAR1331.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAR1331.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr128250.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr128250.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku132695.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku132695.exe
C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4840 -ip 4840
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 1496
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr773410.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr773410.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| FI | 77.91.124.145:4125 | N/A | tcp |
| FI | 77.91.124.145:4125 | N/A | tcp |
| FI | 77.91.124.145:4125 | N/A | tcp |
| FI | 77.91.124.145:4125 | N/A | tcp |
| FI | 77.91.124.145:4125 | N/A | tcp |
| FI | 77.91.124.145:4125 | N/A | tcp |
| FI | 77.91.124.145:4125 | N/A | tcp |
| FI | 77.91.124.145:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| FI | 77.91.124.145:4125 | N/A | tcp |
| FI | 77.91.124.145:4125 | N/A | tcp |
| FI | 77.91.124.145:4125 | N/A | tcp |
| FI | 77.91.124.145:4125 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAR1331.exe
| Hash | Value |
| --- | --- |
| MD5 | 1b8eea6407d6f605b586fa44b07d2ac6 |
| SHA1 | 1e0002e35163e9033f8860d64c8302aeff4f3dbe |
| SHA256 | eaef68d76c03cdc4fd8ac8ddd08a79dbb6aefdeaea6c5d1d429a7dcb4c2cf2bc |
| SHA512 | d80db79b01c1b5c84ee3e4a510a587606f014cf7871ff08dee6750dff47d6859b30198bd00f36f65505fae0c5d38cc2e5af49f02a1f3fdc21dbf7f3d2f39adaf |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr128250.exe
| Hash | Value |
| --- | --- |
| MD5 | f3961ba46ebcd9b1a379c3dba351caa6 |
| SHA1 | a166a4922cf22c91700620dcfb2e395f5083c031 |
| SHA256 | 2b9623c111cc446200bd41dcc999b1bc6391c45f1aba03f784d7bb329087def8 |
| SHA512 | 72c960471662ed606032077c63799397ea3316c258ecf2520b17e2c58369f6a6b39e684870ada653ba272c0f2851d471c203f55b7067d04893a5224b833777d2 |
memory/1640-14-0x00007FF989293000-0x00007FF989295000-memory.dmp
memory/1640-15-0x0000000000960000-0x000000000096A000-memory.dmp
memory/1640-16-0x00007FF989293000-0x00007FF989295000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku132695.exe
| Hash | Value |
| --- | --- |
| MD5 | 1f77dad494d0b05292c1fe63c7924c9e |
| SHA1 | 50ccb066cbb02d33529d127fd55f8d7a43a2757b |
| SHA256 | f452b7a0c6e542d16a1c0f7a2c314aec629bd05c89c43f2421498ba23a3ceee8 |
| SHA512 | 97ac8817e538f6efb28440279841febe210d6a4ad8adc6f4100658c542f58a6a0cc3a48c022abad735d15d225288c2223d15f887da4bd9146d2a37b449a5c9e4 |
memory/4840-22-0x0000000004CC0000-0x0000000004D26000-memory.dmp
memory/4840-23-0x0000000004D30000-0x00000000052D4000-memory.dmp
memory/4840-24-0x00000000052F0000-0x0000000005356000-memory.dmp
memory/4840-26-0x00000000052F0000-0x000000000534F000-memory.dmp
memory/4840-50-0x00000000052F0000-0x000000000534F000-memory.dmp
memory/4840-48-0x00000000052F0000-0x000000000534F000-memory.dmp
memory/4840-47-0x00000000052F0000-0x000000000534F000-memory.dmp
memory/4840-44-0x00000000052F0000-0x000000000534F000-memory.dmp
memory/4840-42-0x00000000052F0000-0x000000000534F000-memory.dmp
memory/4840-40-0x00000000052F0000-0x000000000534F000-memory.dmp
memory/4840-82-0x00000000052F0000-0x000000000534F000-memory.dmp
memory/4840-38-0x00000000052F0000-0x000000000534F000-memory.dmp
memory/4840-36-0x00000000052F0000-0x000000000534F000-memory.dmp
memory/4840-34-0x00000000052F0000-0x000000000534F000-memory.dmp
memory/4840-32-0x00000000052F0000-0x000000000534F000-memory.dmp
memory/4840-60-0x00000000052F0000-0x000000000534F000-memory.dmp
memory/4840-30-0x00000000052F0000-0x000000000534F000-memory.dmp
memory/4840-52-0x00000000052F0000-0x000000000534F000-memory.dmp
memory/4840-88-0x00000000052F0000-0x000000000534F000-memory.dmp
memory/4840-86-0x00000000052F0000-0x000000000534F000-memory.dmp
memory/4840-84-0x00000000052F0000-0x000000000534F000-memory.dmp
memory/4840-80-0x00000000052F0000-0x000000000534F000-memory.dmp
memory/4840-79-0x00000000052F0000-0x000000000534F000-memory.dmp
memory/4840-76-0x00000000052F0000-0x000000000534F000-memory.dmp
memory/4840-74-0x00000000052F0000-0x000000000534F000-memory.dmp
memory/4840-73-0x00000000052F0000-0x000000000534F000-memory.dmp
memory/4840-70-0x00000000052F0000-0x000000000534F000-memory.dmp
memory/4840-68-0x00000000052F0000-0x000000000534F000-memory.dmp
memory/4840-66-0x00000000052F0000-0x000000000534F000-memory.dmp
memory/4840-64-0x00000000052F0000-0x000000000534F000-memory.dmp
memory/4840-62-0x00000000052F0000-0x000000000534F000-memory.dmp
memory/4840-58-0x00000000052F0000-0x000000000534F000-memory.dmp
memory/4840-56-0x00000000052F0000-0x000000000534F000-memory.dmp
memory/4840-55-0x00000000052F0000-0x000000000534F000-memory.dmp
memory/4840-28-0x00000000052F0000-0x000000000534F000-memory.dmp
memory/4840-25-0x00000000052F0000-0x000000000534F000-memory.dmp
memory/4840-2105-0x0000000005540000-0x0000000005572000-memory.dmp
C:\Windows\Temp\1.exe
| Hash | Value |
| --- | --- |
| MD5 | 1073b2e7f778788852d3f7bb79929882 |
| SHA1 | 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4 |
| SHA256 | c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb |
| SHA512 | 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0 |
memory/6284-2118-0x0000000000080000-0x00000000000B0000-memory.dmp
memory/6284-2119-0x00000000006C0000-0x00000000006C6000-memory.dmp
memory/6284-2120-0x0000000004FE0000-0x00000000055F8000-memory.dmp
memory/6284-2121-0x0000000004AD0000-0x0000000004BDA000-memory.dmp
memory/6284-2122-0x0000000004A00000-0x0000000004A12000-memory.dmp
memory/6284-2123-0x0000000004A60000-0x0000000004A9C000-memory.dmp
memory/6284-2124-0x0000000004BE0000-0x0000000004C2C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr773410.exe
| Hash | Value |
| --- | --- |
| MD5 | 535d0e3e7a5d3bdc2e6f515e889d1e65 |
| SHA1 | ec1dbb4e1bdcaa7493283e073fa197bc89ec770a |
| SHA256 | d68dbb2974333453cbad4cca565ce10bceb9a66578a35cecff4b17aa4f1fb8bd |
| SHA512 | a7e2a81910cf3719a72152180d000e92dd0135a6f97a36ed317bcc0a689456b7f001592959fb49b33b804b125afe7b0c9f1089f4ab567bbc7bf52b47f1f96c2e |
memory/6580-2129-0x0000000000ED0000-0x0000000000EFE000-memory.dmp
memory/6580-2130-0x0000000002F70000-0x0000000002F76000-memory.dmp