Analysis Overview
SHA256
39ee3ea72f6ee38fdd04e3e504358ae78826f7525abcbbf4c43a2c3af59c003d
Threat Level: Known bad
The file 39ee3ea72f6ee38fdd04e3e504358ae78826f7525abcbbf4c43a2c3af59c003d was found to be: Known bad.
Malicious Activity Summary
Redline family
RedLine
Modifies Windows Defender Real-time Protection settings
Detects Healer an antivirus disabler dropper
Healer family
RedLine payload
Healer
Windows security modification
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 00:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 00:35
Reported
2024-11-10 00:38
Platform
win10v2004-20241007-en
Max time kernel
142s
Max time network
146s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr624350.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr624350.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr624350.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr624350.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr624350.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr624350.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziRX1796.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr624350.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku028797.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr624350.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\39ee3ea72f6ee38fdd04e3e504358ae78826f7525abcbbf4c43a2c3af59c003d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziRX1796.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\39ee3ea72f6ee38fdd04e3e504358ae78826f7525abcbbf4c43a2c3af59c003d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziRX1796.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku028797.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr624350.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr624350.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr624350.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku028797.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\39ee3ea72f6ee38fdd04e3e504358ae78826f7525abcbbf4c43a2c3af59c003d.exe
"C:\Users\Admin\AppData\Local\Temp\39ee3ea72f6ee38fdd04e3e504358ae78826f7525abcbbf4c43a2c3af59c003d.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziRX1796.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziRX1796.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr624350.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr624350.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku028797.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku028797.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 225.162.46.104.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziRX1796.exe
| MD5 | 09fe6ff05df5de6d5210e77a726373da |
| SHA1 | b6f4c516087879362bf3be58b633056ad55b1323 |
| SHA256 | 55cb7ed0521fd0ff93b2d3ba7231ceb469f06b0964a67b1cc857d0afeb688c90 |
| SHA512 | 999ef816cd0ab085386d35233c3f335fa89219517317aa4e8a884aff94f7467556883cfd179c51487223acccacdf4ff49b49e6d0161e7c104f939b3fe83f8df4 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr624350.exe
| MD5 | fb91eb9f56ec57168f60ae2e245db685 |
| SHA1 | 6acebb1f996c7b387141d7faaf39600bd876abf1 |
| SHA256 | 80bad4098fbf1079be9b5863cdd18e067807b9ada8b8102bb4dd6655e43abc76 |
| SHA512 | 41623e457c33fc204bbe46649d3b2de48c60ed43a99b2bc1819bd8ef62d50c11abd797228eadca9435d0c5ae3f2d8e5da3e5268fbc7d4f6111828930f30a1d87 |
memory/4612-14-0x00007FFDCED93000-0x00007FFDCED95000-memory.dmp
memory/4612-15-0x0000000000D90000-0x0000000000D9A000-memory.dmp
memory/4612-16-0x00007FFDCED93000-0x00007FFDCED95000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku028797.exe
| MD5 | 9ae13ee0a939b2857533236343e09077 |
| SHA1 | 3dbcd4caba2c2a3142264eca6580d3d988df0169 |
| SHA256 | 243fa215f6d26afbea2848915e3c7010e4d4eb50d137fed90a0a040938b350eb |
| SHA512 | 9d5639ab105bc90d2434f8133a0e2a466954bec88aa412c002c6e78652eee7534d2a798aaa805d3378504fee27bbee91f8de332061e6c6c31a18e91a6094ef37 |
memory/4688-22-0x0000000002480000-0x00000000024C6000-memory.dmp
memory/4688-23-0x0000000004BD0000-0x0000000005174000-memory.dmp
memory/4688-24-0x0000000004A90000-0x0000000004AD4000-memory.dmp
memory/4688-40-0x0000000004A90000-0x0000000004ACF000-memory.dmp
memory/4688-46-0x0000000004A90000-0x0000000004ACF000-memory.dmp
memory/4688-88-0x0000000004A90000-0x0000000004ACF000-memory.dmp
memory/4688-87-0x0000000004A90000-0x0000000004ACF000-memory.dmp
memory/4688-84-0x0000000004A90000-0x0000000004ACF000-memory.dmp
memory/4688-83-0x0000000004A90000-0x0000000004ACF000-memory.dmp
memory/4688-80-0x0000000004A90000-0x0000000004ACF000-memory.dmp
memory/4688-78-0x0000000004A90000-0x0000000004ACF000-memory.dmp
memory/4688-76-0x0000000004A90000-0x0000000004ACF000-memory.dmp
memory/4688-931-0x0000000005180000-0x0000000005798000-memory.dmp
memory/4688-74-0x0000000004A90000-0x0000000004ACF000-memory.dmp
memory/4688-72-0x0000000004A90000-0x0000000004ACF000-memory.dmp
memory/4688-70-0x0000000004A90000-0x0000000004ACF000-memory.dmp
memory/4688-68-0x0000000004A90000-0x0000000004ACF000-memory.dmp
memory/4688-932-0x00000000057A0000-0x00000000058AA000-memory.dmp
memory/4688-64-0x0000000004A90000-0x0000000004ACF000-memory.dmp
memory/4688-62-0x0000000004A90000-0x0000000004ACF000-memory.dmp
memory/4688-60-0x0000000004A90000-0x0000000004ACF000-memory.dmp
memory/4688-58-0x0000000004A90000-0x0000000004ACF000-memory.dmp
memory/4688-56-0x0000000004A90000-0x0000000004ACF000-memory.dmp
memory/4688-54-0x0000000004A90000-0x0000000004ACF000-memory.dmp
memory/4688-50-0x0000000004A90000-0x0000000004ACF000-memory.dmp
memory/4688-48-0x0000000004A90000-0x0000000004ACF000-memory.dmp
memory/4688-44-0x0000000004A90000-0x0000000004ACF000-memory.dmp
memory/4688-42-0x0000000004A90000-0x0000000004ACF000-memory.dmp
memory/4688-38-0x0000000004A90000-0x0000000004ACF000-memory.dmp
memory/4688-36-0x0000000004A90000-0x0000000004ACF000-memory.dmp
memory/4688-34-0x0000000004A90000-0x0000000004ACF000-memory.dmp
memory/4688-32-0x0000000004A90000-0x0000000004ACF000-memory.dmp
memory/4688-30-0x0000000004A90000-0x0000000004ACF000-memory.dmp
memory/4688-66-0x0000000004A90000-0x0000000004ACF000-memory.dmp
memory/4688-52-0x0000000004A90000-0x0000000004ACF000-memory.dmp
memory/4688-28-0x0000000004A90000-0x0000000004ACF000-memory.dmp
memory/4688-26-0x0000000004A90000-0x0000000004ACF000-memory.dmp
memory/4688-25-0x0000000004A90000-0x0000000004ACF000-memory.dmp
memory/4688-933-0x00000000058D0000-0x00000000058E2000-memory.dmp
memory/4688-934-0x00000000058F0000-0x000000000592C000-memory.dmp
memory/4688-935-0x0000000005A40000-0x0000000005A8C000-memory.dmp