Analysis Overview
SHA256
3cadeb1412038cb87c73f5a878df103d6e3cbcf7e70368b1ddea050a37f95bc6
Threat Level: Known bad
The file 3cadeb1412038cb87c73f5a878df103d6e3cbcf7e70368b1ddea050a37f95bc6 was found to be: Known bad.
Malicious Activity Summary
Redline family
RedLine
Healer
Modifies Windows Defender Real-time Protection settings
Detects Healer, an antivirus disabler dropper
Healer family
RedLine payload
Executes dropped EXE
Windows security modification
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:55
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:55
Reported
2024-11-10 01:58
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr793500.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr793500.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr793500.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr793500.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr793500.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr793500.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
35 matches recorded; no description, indicator, process or target was captured for any of them.
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zijM1449.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr793500.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku636586.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr793500.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\3cadeb1412038cb87c73f5a878df103d6e3cbcf7e70368b1ddea050a37f95bc6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zijM1449.exe | N/A |
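The three registry signatures above (the Real-Time Protection policy values, the TamperProtection write and the wextract_cleanup RunOnce hooks) together with the dropped-file hashes and the single TCP destination in the Network section are enough to build a host check. The following script is an added example, not part of the sandbox output, and assumes the paths, value names and hashes are exactly as recorded in this report; run it in an elevated PowerShell session on a suspect Windows 10 host.

```powershell
# Host-triage check for the RedLine/Healer indicators in this report (added example).
# Assumptions taken from the report tables: Defender policy values set to 1,
# TamperProtection written to 0, wextract_cleanup RunOnce entries, IXP*.TMP staging
# directories under a user's Temp, the three dropped-file SHA256 hashes, and the
# C2 endpoint 176.113.115.145:4125. Requires an elevated session.

$DefenderPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
$DefenderPolicyValues = @(
    'DisableBehaviorMonitoring',
    'DisableIOAVProtection',
    'DisableOnAccessProtection',
    'DisableRealtimeMonitoring',
    'DisableScanOnRealtimeEnable'
)
$TamperKey   = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features'
$RunOnceKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)
$C2Address = '176.113.115.145'
$C2Port    = 4125
# SHA256 of the three dropped executables, from the Files section of the report.
$DroppedSha256 = @(
    '6124e455bd63ce14f87c0d1fde1ea6803cbb1b8b1c90dc60d985c675176da2f2', # zijM1449.exe
    '882b0bc69eef92d84be66182f3d509dc04e158173db7695acf177d4736cddefa', # jr793500.exe
    'bb331c5b18d82bc84daa4d06ab1246d0c1fdeb83131a1ac63995ebd9d3ff810f'  # ku636586.exe
)

function New-Finding ([string]$Category, [string]$Detail) {
    [pscustomobject]@{ Category = $Category; Detail = $Detail }
}

function Invoke-RedLineHealerTriage {
    $findings = @()

    # 1. Defender real-time protection disabled through policy (the Healer behaviour).
    if (Test-Path $DefenderPolicyKey) {
        $policy = Get-ItemProperty -Path $DefenderPolicyKey
        foreach ($name in $DefenderPolicyValues) {
            if ($policy.PSObject.Properties[$name] -and [int]$policy.$name -eq 1) {
                $findings += New-Finding 'DefenderPolicy' "$DefenderPolicyKey\$name = 1"
            }
        }
    }

    # 2. TamperProtection feature flag written to 0, as recorded for jr793500.exe.
    if (Test-Path $TamperKey) {
        $features = Get-ItemProperty -Path $TamperKey
        if ($features.PSObject.Properties['TamperProtection'] -and [int]$features.TamperProtection -eq 0) {
            $findings += New-Finding 'TamperProtection' "$TamperKey\TamperProtection = 0"
        }
    }

    # 3. wextract_cleanup RunOnce entries. Any IExpress self-extractor leaves these,
    #    so treat them as corroboration of the IXP*.TMP chain, not as proof on their own.
    foreach ($key in $RunOnceKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($prop.Name -like 'wextract_cleanup*' -and "$($prop.Value)" -match 'DelNodeRunDLL32') {
                $findings += New-Finding 'RunOnce' "$key\$($prop.Name) = $($prop.Value)"
            }
        }
    }

    # 4. Leftover IXP*.TMP staging directories under every user's Temp. The RunOnce
    #    cleanup only fires at the next logon, so the dropped files are often still there.
    foreach ($profile in Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
        $temp = Join-Path $profile.FullName 'AppData\Local\Temp'
        foreach ($dir in Get-ChildItem -Path $temp -Directory -Filter 'IXP*.TMP' -ErrorAction SilentlyContinue) {
            foreach ($exe in Get-ChildItem -Path $dir.FullName -File -Filter '*.exe' -ErrorAction SilentlyContinue) {
                $hash = (Get-FileHash -Path $exe.FullName -Algorithm SHA256).Hash.ToLower()
                $tag  = if ($DroppedSha256 -contains $hash) { 'KnownDroppedFile' } else { 'StagingDir' }
                $findings += New-Finding $tag "$($exe.FullName) sha256=$hash"
            }
        }
    }

    # 5. Live TCP connection to the C2 endpoint seen in the Network table.
    foreach ($conn in (Get-NetTCPConnection -RemoteAddress $C2Address -RemotePort $C2Port -ErrorAction SilentlyContinue)) {
        $findings += New-Finding 'C2Connection' "$($conn.LocalAddress):$($conn.LocalPort) -> $($conn.RemoteAddress):$($conn.RemotePort) pid=$($conn.OwningProcess)"
    }

    return $findings
}

$result = Invoke-RedLineHealerTriage
if ($result.Count -eq 0) { 'No RedLine/Healer indicators from this report were found.' }
else { $result | Format-Table -AutoSize }
```

The Defender policy and TamperProtection checks are the strong signals: on a managed host neither key is normally writable by a user process, so a value of 1 under the policy key or 0 for TamperProtection warrants investigation regardless of whether the other items fire. The RunOnce and IXP*.TMP checks are there to confirm the nested self-extractor chain (IXP000.TMP and IXP001.TMP) this sample used; a legitimate IExpress package produces the same artefacts, which is why the script labels unhashed executables as StagingDir rather than as a known dropped file.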
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku636586.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3cadeb1412038cb87c73f5a878df103d6e3cbcf7e70368b1ddea050a37f95bc6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zijM1449.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr793500.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr793500.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr793500.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku636586.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\3cadeb1412038cb87c73f5a878df103d6e3cbcf7e70368b1ddea050a37f95bc6.exe | "C:\Users\Admin\AppData\Local\Temp\3cadeb1412038cb87c73f5a878df103d6e3cbcf7e70368b1ddea050a37f95bc6.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zijM1449.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zijM1449.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr793500.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr793500.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku636586.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku636586.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| RU | 176.113.115.145:4125 | | tcp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zijM1449.exe
| MD5 | 269c061be40bf72e5dbd3bb8de268247 |
| SHA1 | f64e5b35e55392fe1660f131f3fe009d9bccee86 |
| SHA256 | 6124e455bd63ce14f87c0d1fde1ea6803cbb1b8b1c90dc60d985c675176da2f2 |
| SHA512 | ddde42c14999510ff8ff6d46369eabb7bbe805fec270ccdacb4eea6a149f9a7bccf965c470bc8fd33af119653fc322b49cfea08ae929fb8d3e81c8745cd7798c |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr793500.exe
| MD5 | 35c7b776264521bd51fda9105abf1923 |
| SHA1 | d700beb66e08351e9426da6abb284180c059f906 |
| SHA256 | 882b0bc69eef92d84be66182f3d509dc04e158173db7695acf177d4736cddefa |
| SHA512 | 48e1cb6944e1f1ef8ce1af2b74841997162bd8c1a6a6d669af8100c978228a7a4badaf6081749ab9749222c1a58a394f15bb4b8d9bc10295723b5b7ef6103c1c |
memory/1664-14-0x00007FFE57DD3000-0x00007FFE57DD5000-memory.dmp
memory/1664-15-0x0000000000AB0000-0x0000000000ABA000-memory.dmp
memory/1664-16-0x00007FFE57DD3000-0x00007FFE57DD5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku636586.exe
| MD5 | e2c078b911b9cac76de7be9ac1825cc2 |
| SHA1 | e1e23a45313bb6263188da66b9043ef1e915f0b7 |
| SHA256 | bb331c5b18d82bc84daa4d06ab1246d0c1fdeb83131a1ac63995ebd9d3ff810f |
| SHA512 | 8bcf57fbf5f8a94e35efc65d0b22143287b6d5f1a178e5dc7944896cf9895eb4f8e3bb182f7bc3f214b9efb4c42ac969970759cf17407c49f61ea9cc456fa1a6 |
memory/3360-22-0x0000000004AA0000-0x0000000004AE6000-memory.dmp
memory/3360-23-0x0000000004C00000-0x00000000051A4000-memory.dmp
memory/3360-24-0x0000000004B20000-0x0000000004B64000-memory.dmp
memory/3360-28-0x0000000004B20000-0x0000000004B5F000-memory.dmp
memory/3360-40-0x0000000004B20000-0x0000000004B5F000-memory.dmp
memory/3360-88-0x0000000004B20000-0x0000000004B5F000-memory.dmp
memory/3360-86-0x0000000004B20000-0x0000000004B5F000-memory.dmp
memory/3360-84-0x0000000004B20000-0x0000000004B5F000-memory.dmp
memory/3360-82-0x0000000004B20000-0x0000000004B5F000-memory.dmp
memory/3360-80-0x0000000004B20000-0x0000000004B5F000-memory.dmp
memory/3360-78-0x0000000004B20000-0x0000000004B5F000-memory.dmp
memory/3360-76-0x0000000004B20000-0x0000000004B5F000-memory.dmp
memory/3360-72-0x0000000004B20000-0x0000000004B5F000-memory.dmp
memory/3360-70-0x0000000004B20000-0x0000000004B5F000-memory.dmp
memory/3360-69-0x0000000004B20000-0x0000000004B5F000-memory.dmp
memory/3360-66-0x0000000004B20000-0x0000000004B5F000-memory.dmp
memory/3360-64-0x0000000004B20000-0x0000000004B5F000-memory.dmp
memory/3360-62-0x0000000004B20000-0x0000000004B5F000-memory.dmp
memory/3360-60-0x0000000004B20000-0x0000000004B5F000-memory.dmp
memory/3360-58-0x0000000004B20000-0x0000000004B5F000-memory.dmp
memory/3360-56-0x0000000004B20000-0x0000000004B5F000-memory.dmp
memory/3360-54-0x0000000004B20000-0x0000000004B5F000-memory.dmp
memory/3360-50-0x0000000004B20000-0x0000000004B5F000-memory.dmp
memory/3360-48-0x0000000004B20000-0x0000000004B5F000-memory.dmp
memory/3360-46-0x0000000004B20000-0x0000000004B5F000-memory.dmp
memory/3360-45-0x0000000004B20000-0x0000000004B5F000-memory.dmp
memory/3360-38-0x0000000004B20000-0x0000000004B5F000-memory.dmp
memory/3360-36-0x0000000004B20000-0x0000000004B5F000-memory.dmp
memory/3360-34-0x0000000004B20000-0x0000000004B5F000-memory.dmp
memory/3360-32-0x0000000004B20000-0x0000000004B5F000-memory.dmp
memory/3360-30-0x0000000004B20000-0x0000000004B5F000-memory.dmp
memory/3360-74-0x0000000004B20000-0x0000000004B5F000-memory.dmp
memory/3360-52-0x0000000004B20000-0x0000000004B5F000-memory.dmp
memory/3360-42-0x0000000004B20000-0x0000000004B5F000-memory.dmp
memory/3360-26-0x0000000004B20000-0x0000000004B5F000-memory.dmp
memory/3360-25-0x0000000004B20000-0x0000000004B5F000-memory.dmp
memory/3360-931-0x00000000051B0000-0x00000000057C8000-memory.dmp
memory/3360-932-0x00000000057D0000-0x00000000058DA000-memory.dmp
memory/3360-933-0x00000000058E0000-0x00000000058F2000-memory.dmp
memory/3360-934-0x0000000005900000-0x000000000593C000-memory.dmp
memory/3360-935-0x0000000005A40000-0x0000000005A8C000-memory.dmp