Analysis Overview
SHA256
3b9b6be08022faa402737b82cc3aee06b8adda6c54d9884fb841fc4408fde07e
Threat Level: Known bad
The file 3b9b6be08022faa402737b82cc3aee06b8adda6c54d9884fb841fc4408fde07e was found to be: Known bad.
Malicious Activity Summary
Healer
RedLine payload
Redline family
Modifies Windows Defender Real-time Protection settings
Healer family
Detects Healer an antivirus disabler dropper
RedLine
Windows security modification
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:35
Reported
2024-11-10 01:38
Platform
win10v2004-20241007-en
Max time kernel
143s
Max time network
147s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr397995.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr397995.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr397995.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr397995.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr397995.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr397995.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipG3882.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr397995.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku181363.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr397995.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\3b9b6be08022faa402737b82cc3aee06b8adda6c54d9884fb841fc4408fde07e.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipG3882.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3b9b6be08022faa402737b82cc3aee06b8adda6c54d9884fb841fc4408fde07e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipG3882.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku181363.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr397995.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr397995.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr397995.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku181363.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3b9b6be08022faa402737b82cc3aee06b8adda6c54d9884fb841fc4408fde07e.exe
"C:\Users\Admin\AppData\Local\Temp\3b9b6be08022faa402737b82cc3aee06b8adda6c54d9884fb841fc4408fde07e.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipG3882.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipG3882.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr397995.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr397995.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku181363.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku181363.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipG3882.exe
| Hash | Value |
|---|---|
| MD5 | 453caf4621b7526ca21145b49d2182ba |
| SHA1 | c3635af0cba2e6116e3929d5f7709256ee48c83c |
| SHA256 | 6e901c14b05d47af830581d7cd25acb6f700fe4acd93c4308b6c827423153608 |
| SHA512 | 299fa64b1aa8a66a53f58eb47df810d5bf3eaf24401ab409a16504042a506334bafe996668d0398de95dd83e820242f0aa07a489b7cdb5cb8684f513aaa3a0f2 |
memory/1416-14-0x00007FFBA03A3000-0x00007FFBA03A5000-memory.dmp
memory/1416-15-0x00000000002E0000-0x00000000002EA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr397995.exe
| Hash | Value |
|---|---|
| MD5 | b78b5dc0c84dc01601e6c148f8630fbd |
| SHA1 | a60b5a7c82be01561245f1c7d4f3fb5db3b0d0df |
| SHA256 | ae8d23ea29924ba92b9bff0a42c084d7a9099b3a3a7323f0452f88faa210ef7b |
| SHA512 | 7d3189336a486852068fb968ede4c90e0dd6006f341c28ea1a26b5f299d354d0dd1612ff5d88340f802da613188186b14da0a0b0ba76cfc40645ca201d56e12f |
memory/1416-16-0x00007FFBA03A3000-0x00007FFBA03A5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku181363.exe
| Hash | Value |
|---|---|
| MD5 | fbe17bf3c93046aa153d79a8b2da1ff9 |
| SHA1 | 8d46ee807f4e5e2e8e8e49704af4f09be8ef2ea3 |
| SHA256 | bdfd37922ec2f475fd64694052767b7e81c5994570e967f0a3536936849de712 |
| SHA512 | de1f1cf28f4b5bd9765d02b9981425401563a5480843b8204b12cfbd37fd3773d5d613d179ed3331e3a970813d1d49614ee24c1d215acea129af813b574530e9 |