Analysis Overview
SHA256
c4ecd3a7c140cbc4b26410fe075fb5eb090f1fe2fd6fa0e2414b38a6c2a7a922
Threat Level: Known bad
The file c4ecd3a7c140cbc4b26410fe075fb5eb090f1fe2fd6fa0e2414b38a6c2a7a922 was found to be: Known bad.
Malicious Activity Summary
RedLine payload
Redline family
Healer
Healer family
RedLine
Detects Healer, an antivirus-disabler dropper
Modifies Windows Defender Real-time Protection settings
Executes dropped EXE
Windows security modification
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:44
Reported
2024-11-10 01:47
Platform
win10v2004-20241007-en
Max time kernel
143s
Max time network
147s
Command Line
Signatures
Detects Healer, an antivirus-disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr960641.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr960641.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr960641.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr960641.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr960641.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr960641.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziQC4532.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr960641.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku085498.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr960641.exe | N/A |
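The two tables above (the Real-Time Protection policy values set to 1 and TamperProtection set to 0, all written by jr960641.exe from a Temp directory) are the observable core of the Healer component. The following detection logic is an added example, not code from the report or the sandbox: it consumes Sysmon Event ID 13 (registry value set) records, normalises the kernel-style \REGISTRY\MACHINE\ prefix the sandbox prints to Sysmon's HKLM\ spelling, and raises a finding for each Defender feature that is switched off, with higher severity when the writing process lives under a user's Temp directory. The sample events are constructed from the indicators on this page; the svchost.exe and RunOnce events are constructed benign noise to show what does not fire. Note that on a host where Tamper Protection is actually enforced, Defender is designed to reject these policy changes, so the alert is on the attempt rather than on a confirmed loss of protection.

```python
import re
from dataclasses import dataclass

# Registry locations from the report, in Sysmon's HKLM\ spelling.
RTP_POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
TAMPER_PROTECTION_VALUE = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection"

# A writer running from a user's Temp directory (the pattern in this report) raises severity.
_TEMP_WRITER_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
_DWORD_RE = re.compile(r"DWORD\s*\((0x[0-9A-Fa-f]+)\)")

_HIVE_PREFIXES = (
    ("\\REGISTRY\\MACHINE\\", "HKLM\\"),   # kernel / sandbox spelling
    ("HKEY_LOCAL_MACHINE\\", "HKLM\\"),
    ("\\REGISTRY\\USER\\", "HKU\\"),
    ("HKEY_USERS\\", "HKU\\"),
)


def normalize_path(path: str) -> str:
    """Rewrite hive prefixes so sandbox and Sysmon paths compare equal."""
    for long, short in _HIVE_PREFIXES:
        if path.upper().startswith(long.upper()):
            return short + path[len(long):]
    return path


def parse_dword(details: str):
    """Sysmon writes DWORD data as 'DWORD (0x00000001)'; sandboxes print '1' or '"1"'."""
    m = _DWORD_RE.search(details)
    if m:
        return int(m.group(1), 16)
    bare = details.strip().strip('"')
    return int(bare) if bare.isdigit() else None


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    target: str
    data: int
    severity: str


def detect_defender_tampering(events):
    """Return one Finding per Sysmon EID 13 event that disables a Defender feature."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:          # only value-set events carry data
            continue
        target = normalize_path(ev["TargetObject"])
        key, _, value_name = target.rpartition("\\")
        data = parse_dword(ev.get("Details", ""))
        rule = None
        if (key.lower() == RTP_POLICY_KEY.lower()
                and value_name.lower().startswith("disable") and data == 1):
            rule = "defender_realtime_protection_disabled_by_policy"
        elif target.lower() == TAMPER_PROTECTION_VALUE.lower() and data == 0:
            rule = "defender_tamper_protection_disabled"
        if rule is None:
            continue
        image = ev.get("Image", "")
        severity = "high" if _TEMP_WRITER_RE.search(image) else "medium"
        findings.append(Finding(rule, image, target, data, severity))
    return findings


def _ev(event_id, image, target, details=""):
    return {"EventID": event_id, "Image": image, "TargetObject": target, "Details": details}


# Constructed sample events shaped after the registry writes in this report.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr960641.exe"
RTP = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
SAMPLE_EVENTS = [
    _ev(12, DROPPER, RTP),                                   # key created: no data, ignored
    _ev(13, DROPPER, RTP + r"\DisableRealtimeMonitoring", "DWORD (0x00000001)"),
    _ev(13, DROPPER, RTP + r"\DisableScanOnRealtimeEnable", "DWORD (0x00000001)"),
    _ev(13, DROPPER, RTP + r"\DisableBehaviorMonitoring", "DWORD (0x00000001)"),
    _ev(13, DROPPER, RTP + r"\DisableIOAVProtection", "DWORD (0x00000001)"),
    _ev(13, DROPPER, RTP + r"\DisableOnAccessProtection", "DWORD (0x00000001)"),
    _ev(13, DROPPER, r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection",
        "DWORD (0x00000000)"),
    # Constructed benign noise: a re-enable (data 0) and the unrelated RunOnce cleanup write.
    _ev(13, r"C:\Windows\System32\svchost.exe", RTP + r"\DisableRealtimeMonitoring",
        "DWORD (0x00000000)"),
    _ev(13, r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
        r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
        "rundll32.exe advpack.dll,DelNodeRunDLL32"),
]

if __name__ == "__main__":
    for f in detect_defender_tampering(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.image} set {f.target} = {f.data}")
```

Run against the sample it reports six high-severity findings, all attributed to jr960641.exe; the key-creation event, the re-enable and the RunOnce write produce nothing. The same function can be fed real Sysmon events exported as JSON once the field names match.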
Adds Run key to start application
Note: both RunOnce values below are the cleanup entries written by the Windows self-extractor (wextract, which also creates the IXP000.TMP and IXP001.TMP directories) to delete its temporary directory through advpack.dll DelNodeRunDLL32 at the next logon; they remove the dropped files rather than start the payload, so they are not a persistence mechanism.
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\c4ecd3a7c140cbc4b26410fe075fb5eb090f1fe2fd6fa0e2414b38a6c2a7a922.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziQC4532.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c4ecd3a7c140cbc4b26410fe075fb5eb090f1fe2fd6fa0e2414b38a6c2a7a922.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziQC4532.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku085498.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr960641.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr960641.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr960641.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku085498.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c4ecd3a7c140cbc4b26410fe075fb5eb090f1fe2fd6fa0e2414b38a6c2a7a922.exe
"C:\Users\Admin\AppData\Local\Temp\c4ecd3a7c140cbc4b26410fe075fb5eb090f1fe2fd6fa0e2414b38a6c2a7a922.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziQC4532.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziQC4532.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr960641.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr960641.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku085498.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku085498.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| RU | 176.113.115.145:4125 | | tcp |
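The network table mixes two kinds of rows: PTR queries sent to 8.8.8.8 (the address being looked up is encoded backwards in the in-addr.arpa name) and six direct TCP connections to 176.113.115.145:4125, the only non-resolver endpoint. The following triage helper is an added example, not part of the report: it recovers the addresses behind the reverse-lookup names so an analyst can check them against the sandbox's own background traffic, and counts direct connections per endpoint so repeated attempts to one host stand out. The rows are constructed from the table above; the IPv6 (ip6.arpa) branch goes beyond what this page shows and is included so the helper also handles that case.

```python
import ipaddress
from collections import Counter

# Constructed from the Network table of this report: (country, destination, domain, proto).
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "241.150.49.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "134.32.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "97.17.167.52.in-addr.arpa", "udp"),
    ("RU", "176.113.115.145:4125", "", "tcp"),
    ("US", "8.8.8.8:53", "228.249.119.40.in-addr.arpa", "udp"),
    ("RU", "176.113.115.145:4125", "", "tcp"),
    ("US", "8.8.8.8:53", "83.210.23.2.in-addr.arpa", "udp"),
    ("RU", "176.113.115.145:4125", "", "tcp"),
    ("RU", "176.113.115.145:4125", "", "tcp"),
    ("US", "8.8.8.8:53", "48.229.111.52.in-addr.arpa", "udp"),
    ("RU", "176.113.115.145:4125", "", "tcp"),
    ("RU", "176.113.115.145:4125", "", "tcp"),
]


def ptr_name_to_ip(name):
    """Recover the address a reverse-lookup name refers to.

    241.150.49.20.in-addr.arpa -> 20.49.150.241 (octets are reversed);
    ip6.arpa names carry 32 reversed nibbles. Returns None for anything else
    or for names that do not decode to a valid address.
    """
    labels = name.lower().rstrip(".").split(".")
    if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
        candidate = ".".join(reversed(labels[:4]))
        try:
            return str(ipaddress.IPv4Address(candidate))
        except ValueError:
            return None
    if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
        nibbles = "".join(reversed(labels[:32]))
        candidate = ":".join(nibbles[i:i + 4] for i in range(0, 32, 4))
        try:
            return str(ipaddress.IPv6Address(candidate))
        except ValueError:
            return None
    return None


def triage_network(rows):
    """Split sandbox network rows into resolver traffic and direct connections.

    Returns {"reverse_lookups": {ptr_name: decoded_ip_or_None},
             "direct_connections": {(host, port, proto): attempt_count}}.
    """
    reverse_lookups = {}
    direct = Counter()
    for _country, dest, domain, proto in rows:
        host, _, port = dest.rpartition(":")
        if port == "53" and domain:
            reverse_lookups[domain] = ptr_name_to_ip(domain)
        else:
            direct[(host, int(port), proto.lower())] += 1
    return {"reverse_lookups": reverse_lookups, "direct_connections": dict(direct)}


if __name__ == "__main__":
    summary = triage_network(NETWORK_ROWS)
    for (host, port, proto), n in summary["direct_connections"].items():
        print(f"direct {proto} {host}:{port} x{n}")
    for ptr, ip in summary["reverse_lookups"].items():
        print(f"ptr {ptr} -> {ip}")
```

The decoded PTR targets are addresses the sandbox guest tried to resolve, not hosts the sample connected to; whether they belong to the sample or to the guest's own background traffic has to be judged separately. The repeated connections to one host and port with no DNS name in front of it are the rows worth turning into a network indicator.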
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziQC4532.exe
| MD5 | 0c5145e81a61700e8d0da8e47b34059d |
| SHA1 | 16fc010adfb17bad9da5e34a352a645791cd896d |
| SHA256 | df2e4511945476602f3af5cc347bffdd1dacb41cf9d40a0c1727a9358bd7b9c1 |
| SHA512 | 7893485adcdcd4d56500045ce3c100daeda2dbf87bcacee4591e9cf32d820812e9b6a086b4fb6e48249bd9c2baf3c50527894a708cd9dcfb8648070f1417a2a5 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr960641.exe
| MD5 | 7f701014771a9ef8d06c498b3734cdb4 |
| SHA1 | 09c5b8d831f3940f1921d8e2cd00f1d464cb47dc |
| SHA256 | b1f5b845cae48b901546620acb31987b7e081242a34b517d31f1589ef1ddb299 |
| SHA512 | 78af338bc4e9a309d76c43417970ba6c7a4f53fb730739cc118faf04aea7e2c4e69b98b8efdfc4699836fc2f0e8530e47742cf50efe8ca2a1cf066111d4f4d6d |
memory/752-14-0x00007FFF6FB13000-0x00007FFF6FB15000-memory.dmp
memory/752-15-0x0000000000A40000-0x0000000000A4A000-memory.dmp
memory/752-16-0x00007FFF6FB13000-0x00007FFF6FB15000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku085498.exe
| MD5 | 53bba0bc55ab1eee43ce020307b7cf8e |
| SHA1 | 47a52eaeb0933f2924cce206a0931dadee719386 |
| SHA256 | 999dac0598925e1f9fbccc9fcaa8ce539d46bed5e40c1da4073e5ff9794a422c |
| SHA512 | a400de016058e6c2596513b3096ffe3894afe04e77e8eadcf89cb4ee89ce02a8e2787b08da3559cb833dcc5645f001021b8819746372e4c26de48cccdcf194f5 |
memory/3764-22-0x0000000002510000-0x0000000002556000-memory.dmp
memory/3764-23-0x0000000004B00000-0x00000000050A4000-memory.dmp
memory/3764-24-0x00000000050B0000-0x00000000050F4000-memory.dmp
memory/3764-66-0x00000000050B0000-0x00000000050EF000-memory.dmp
memory/3764-82-0x00000000050B0000-0x00000000050EF000-memory.dmp
memory/3764-86-0x00000000050B0000-0x00000000050EF000-memory.dmp
memory/3764-84-0x00000000050B0000-0x00000000050EF000-memory.dmp
memory/3764-80-0x00000000050B0000-0x00000000050EF000-memory.dmp
memory/3764-78-0x00000000050B0000-0x00000000050EF000-memory.dmp
memory/3764-76-0x00000000050B0000-0x00000000050EF000-memory.dmp
memory/3764-74-0x00000000050B0000-0x00000000050EF000-memory.dmp
memory/3764-72-0x00000000050B0000-0x00000000050EF000-memory.dmp
memory/3764-70-0x00000000050B0000-0x00000000050EF000-memory.dmp
memory/3764-68-0x00000000050B0000-0x00000000050EF000-memory.dmp
memory/3764-64-0x00000000050B0000-0x00000000050EF000-memory.dmp
memory/3764-62-0x00000000050B0000-0x00000000050EF000-memory.dmp
memory/3764-60-0x00000000050B0000-0x00000000050EF000-memory.dmp
memory/3764-58-0x00000000050B0000-0x00000000050EF000-memory.dmp
memory/3764-56-0x00000000050B0000-0x00000000050EF000-memory.dmp
memory/3764-54-0x00000000050B0000-0x00000000050EF000-memory.dmp
memory/3764-52-0x00000000050B0000-0x00000000050EF000-memory.dmp
memory/3764-50-0x00000000050B0000-0x00000000050EF000-memory.dmp
memory/3764-48-0x00000000050B0000-0x00000000050EF000-memory.dmp
memory/3764-46-0x00000000050B0000-0x00000000050EF000-memory.dmp
memory/3764-42-0x00000000050B0000-0x00000000050EF000-memory.dmp
memory/3764-40-0x00000000050B0000-0x00000000050EF000-memory.dmp
memory/3764-38-0x00000000050B0000-0x00000000050EF000-memory.dmp
memory/3764-36-0x00000000050B0000-0x00000000050EF000-memory.dmp
memory/3764-34-0x00000000050B0000-0x00000000050EF000-memory.dmp
memory/3764-32-0x00000000050B0000-0x00000000050EF000-memory.dmp
memory/3764-30-0x00000000050B0000-0x00000000050EF000-memory.dmp
memory/3764-88-0x00000000050B0000-0x00000000050EF000-memory.dmp
memory/3764-44-0x00000000050B0000-0x00000000050EF000-memory.dmp
memory/3764-28-0x00000000050B0000-0x00000000050EF000-memory.dmp
memory/3764-26-0x00000000050B0000-0x00000000050EF000-memory.dmp
memory/3764-25-0x00000000050B0000-0x00000000050EF000-memory.dmp
memory/3764-931-0x00000000050F0000-0x0000000005708000-memory.dmp
memory/3764-932-0x0000000005790000-0x000000000589A000-memory.dmp
memory/3764-933-0x00000000058D0000-0x00000000058E2000-memory.dmp
memory/3764-934-0x00000000058F0000-0x000000000592C000-memory.dmp
memory/3764-935-0x0000000005A40000-0x0000000005A8C000-memory.dmp