Analysis Overview
SHA256
d6dc154ee4f7deb5d6ea4d517ef696b6da3819a06e91b574b1382cb36bd29466
Threat Level: Known bad
The file d6dc154ee4f7deb5d6ea4d517ef696b6da3819a06e91b574b1382cb36bd29466 was found to be: Known bad.
Malicious Activity Summary
RedLine payload
Redline family
RedLine
Detects Healer, an antivirus disabler dropper
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
Checks computer location settings
Executes dropped EXE
Windows security modification
Adds Run key to start application
Program crash
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:37
Reported
2024-11-10 01:40
Platform
win10v2004-20241007-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr531728.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr531728.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr531728.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr531728.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr531728.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr531728.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku053516.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZk7286.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr531728.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku053516.exe | N/A |
| N/A | N/A | C:\Windows\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr412176.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr531728.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\d6dc154ee4f7deb5d6ea4d517ef696b6da3819a06e91b574b1382cb36bd29466.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZk7286.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku053516.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku053516.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr412176.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d6dc154ee4f7deb5d6ea4d517ef696b6da3819a06e91b574b1382cb36bd29466.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZk7286.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr531728.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr531728.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr531728.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku053516.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d6dc154ee4f7deb5d6ea4d517ef696b6da3819a06e91b574b1382cb36bd29466.exe
"C:\Users\Admin\AppData\Local\Temp\d6dc154ee4f7deb5d6ea4d517ef696b6da3819a06e91b574b1382cb36bd29466.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZk7286.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZk7286.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr531728.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr531728.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku053516.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku053516.exe
C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2320 -ip 2320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 1152
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr412176.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr412176.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZk7286.exe
| MD5 | faa38678142a9c6ebb9b880126a3ccc2 |
| SHA1 | b42b7f24f6b77579ed759c5f0de3c64ef1b4e745 |
| SHA256 | f864bf06db4bab702b2388ed7cac5ebda510b1dae9f5e47173e293c78aa4f548 |
| SHA512 | 1e8c70148de394d5718d477083af5363a7e8987f0c42d3094133628de4cb290ed08ade1f42612f58a2f9c9056290693ffd84db59f5e2ab7befc93e04e1368aef |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr531728.exe
| MD5 | 45346337d024cda0ef18ef2cb4da67f6 |
| SHA1 | c3175487f29b84910512b414e6d0fc2d43328d07 |
| SHA256 | 59e31739f6e1b95f9ce566b5231c93cabd69c1ce2831e33e1be9532d5e43ee1d |
| SHA512 | d324bc0579966b4775742e9a469cb6728aab5f371b7dcb560a4e34af16e75b8bcb01034d52835063052e8ee2bbf3b3b6c350b5718c1df036e3c8d154d6706dd9 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku053516.exe
| MD5 | 70d8ecf871ee7c8ede9bf4efaf95df7b |
| SHA1 | 48421b6f2b9baeefc07022a62f20479f282e0308 |
| SHA256 | 714a62b6cccb6e1bfe3e1f9c4e7163bd01f3ee7eef18e612d4cce3826dc68636 |
| SHA512 | d1f243b8a401ab6f03aecd1916f89d922411b8566634f89f88931d6d3734c75a815db90b808a3f2298cac5f2ab610c2570cfb094b400c1e7c5791fbc51d61474 |
C:\Windows\Temp\1.exe
| MD5 | 1073b2e7f778788852d3f7bb79929882 |
| SHA1 | 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4 |
| SHA256 | c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb |
| SHA512 | 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr412176.exe
| MD5 | b2a714faf69503233508cce8cda1e251 |
| SHA1 | af306d5ae311826c4b19d26d696a21681238cbf9 |
| SHA256 | b5e216028f1cde2ad3dea20dd34fa5678161edbc5029bcb9a52fa217ff073d35 |
| SHA512 | 25bf24a0b060b650160ee63bfb10dfbfa578694240ef685c63e10aa907604f1b8f388a0bf63fffbd84b55db0fbecfd63fbaa71d458789779a4667f049f6b4c35 |