Analysis Overview
SHA256
5b702cd9371401c56e25cbb36a55e08aa5490653a961679f6243780da56fa0eb
Threat Level: Known bad
The file 5b702cd9371401c56e25cbb36a55e08aa5490653a961679f6243780da56fa0eb was found to be: Known bad.
Malicious Activity Summary
Healer
Detects Healer an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
Redline family
RedLine
Healer family
RedLine payload
Windows security modification
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 02:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 02:06
Reported
2024-11-10 02:08
Platform
win10v2004-20241007-en
Max time kernel
143s
Max time network
150s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(2 matches, indicator details not recorded)
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr354897.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr354897.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr354897.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr354897.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr354897.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr354897.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(35 matches, indicator details not recorded)
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTr3438.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr354897.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku819944.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr354897.exe | N/A |
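The Real-Time Protection policy writes and the TamperProtection flag in the two tables above are the most reusable indicators in this report. The following is an added example, not code from the sandbox report or from the samples it describes: it normalises the report's \REGISTRY\MACHINE\ key spelling to Sysmon's HKLM\ form and classifies Sysmon Event ID 13 (registry value set) records against exactly those values. The Sysmon field names (Image, TargetObject, Details) are real; the event records are constructed for the example and mirror the writes attributed to jr354897.exe, plus two benign controls that must not fire.

```python
"""Match Sysmon Event ID 13 (registry value set) records against the Defender-tampering
writes recorded in this report. Added example; event records below are constructed."""
import re
from typing import Iterable, List, Optional, Tuple

# Policy key and value names the Healer stage (jr354897.exe) set to 1, and the
# Tamper Protection feature flag it set to 0, taken from the signature tables above.
RTP_POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
RTP_DISABLE_VALUES = {
    "disablebehaviormonitoring",
    "disableioavprotection",
    "disableonaccessprotection",
    "disablerealtimemonitoring",
    "disablescanonrealtimeenable",
}
TAMPER_PROTECTION_VALUE = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection"

# Hive spellings seen in sandbox reports and in Sysmon, mapped onto one canonical prefix.
_HIVE_ALIASES = (
    ("\\REGISTRY\\MACHINE\\", "HKLM\\"),   # native-object form used in the report
    ("HKEY_LOCAL_MACHINE\\", "HKLM\\"),
    ("\\REGISTRY\\USER\\", "HKU\\"),
    ("HKEY_USERS\\", "HKU\\"),
)


def normalize_key(path: str) -> str:
    """Rewrite the hive prefix and casefold, so the report's \\REGISTRY\\MACHINE\\...
    spelling and Sysmon's HKLM\\... spelling compare equal (registry paths are
    case-insensitive)."""
    for alias, canonical in _HIVE_ALIASES:
        if path.upper().startswith(alias.upper()):
            path = canonical + path[len(alias):]
            break
    return path.casefold()


def parse_dword(details: str) -> Optional[int]:
    """Sysmon renders REG_DWORD data as 'DWORD (0x00000001)'; return the integer,
    or None for any other value type."""
    m = re.search(r"DWORD\s*\((0x[0-9A-Fa-f]+)\)", details)
    return int(m.group(1), 16) if m else None


def classify(target_object: str, details: str) -> Optional[str]:
    """Return a label when a single value write matches one of the report's indicators."""
    full = normalize_key(target_object)
    key, _, value_name = full.rpartition("\\")
    data = parse_dword(details)
    if key == RTP_POLICY_KEY.casefold() and value_name in RTP_DISABLE_VALUES and data == 1:
        return "defender_rtp_policy_disabled:" + value_name
    if full == TAMPER_PROTECTION_VALUE.casefold() and data == 0:
        return "defender_tamper_protection_off"
    return None


def scan(events: Iterable[dict]) -> List[Tuple[str, str]]:
    """Run classify() over Event ID 13 records (dicts with Image, TargetObject, Details)
    and return (image, label) pairs for every hit."""
    hits = []
    for ev in events:
        label = classify(ev["TargetObject"], ev.get("Details", ""))
        if label:
            hits.append((ev["Image"], label))
    return hits


HEALER = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr354897.exe"
RTP = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"

# Constructed Sysmon Event ID 13 records mirroring the writes in the tables above,
# followed by two benign controls that must not fire.
SAMPLE_EVENTS = [
    {"Image": HEALER, "TargetObject": RTP + r"\DisableBehaviorMonitoring", "Details": "DWORD (0x00000001)"},
    {"Image": HEALER, "TargetObject": RTP + r"\DisableIOAVProtection", "Details": "DWORD (0x00000001)"},
    {"Image": HEALER, "TargetObject": RTP + r"\DisableOnAccessProtection", "Details": "DWORD (0x00000001)"},
    # Same key in the report's own spelling, to exercise the hive normalisation
    {"Image": HEALER, "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring", "Details": "DWORD (0x00000001)"},
    {"Image": HEALER, "TargetObject": RTP + r"\DisableScanOnRealtimeEnable", "Details": "DWORD (0x00000001)"},
    {"Image": HEALER, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection", "Details": "DWORD (0x00000000)"},
    # Control: an administrator setting the value back to 0 is not a hit
    {"Image": r"C:\Windows\regedit.exe", "TargetObject": RTP + r"\DisableRealtimeMonitoring", "Details": "DWORD (0x00000000)"},
    # Control: a Defender policy value under a different key is out of scope here
    {"Image": r"C:\Windows\System32\svchost.exe", "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware", "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for image, label in scan(SAMPLE_EVENTS):
        print(f"{label:58} {image}")
```

Running the block prints six hits, all attributed to jr354897.exe, and nothing for the two controls. Two caveats when turning this into a production rule: the sandbox records that the writes happened, not that Defender honoured them, and on a host with Tamper Protection enabled these policy values are ignored, so a hit is evidence of a tampering attempt rather than proof that real-time protection was turned off; and the hit should be joined with the process ancestry (here an unsigned executable running out of an IXP00n.TMP directory under the user's Temp), since legitimate management tooling does occasionally set the same policy values.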
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTr3438.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\5b702cd9371401c56e25cbb36a55e08aa5490653a961679f6243780da56fa0eb.exe | N/A |
Both RunOnce values are the standard cleanup entries written by the Windows WExtract self-extractor (the IXP00n.TMP directories are its temporary extraction folders): at next logon they delete the extraction directory via advpack.dll DelNodeRunDLL32 rather than relaunching anything, so this signature reflects the packer, not a persistence mechanism of the payload. The nesting (the submitted file extracts ziTr3438.exe into IXP000.TMP, which in turn extracts into IXP001.TMP) is visible in which process writes which cleanup entry.
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5b702cd9371401c56e25cbb36a55e08aa5490653a961679f6243780da56fa0eb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTr3438.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku819944.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr354897.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr354897.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr354897.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku819944.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\5b702cd9371401c56e25cbb36a55e08aa5490653a961679f6243780da56fa0eb.exe | "C:\Users\Admin\AppData\Local\Temp\5b702cd9371401c56e25cbb36a55e08aa5490653a961679f6243780da56fa0eb.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTr3438.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTr3438.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr354897.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr354897.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku819944.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku819944.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| RU | 176.113.115.145:4125 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTr3438.exe
| MD5 | 919ce246648faad27263281f9de19d9c |
| SHA1 | aab9a7a89afcd91dab012be6fdc4a58e5ccd9004 |
| SHA256 | 5c1ab1bf3050c45fa3799aaaa96070923fd7815d9b1fd278f2aa3c94c3e0f057 |
| SHA512 | 4fff470d24a2659ccae9d5ee3bd70f55082656b2291a968a2d1de64c6767b36ef3cee32c17e14d5349c68b418426b8b8384a517b3bc0295886a77873997113e9 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr354897.exe
| MD5 | ee3cd6f82b4479ebf9322653a5307243 |
| SHA1 | 23a2fb6a9a65e1b306c52ed377f037f743453f9d |
| SHA256 | 9806fa5b6a4a2e57aa9db82eac0d9efdab32fca014c195fd3fd19e06331489bd |
| SHA512 | f2f71c505a589801ce8569f904a520be85158ea5505e7640c3f31ebf0b0cd0c5159a51b6169d8b16e68d900eb406ee244be2879ada3783a96dfd4395bc4e122b |
memory/380-14-0x00007FFEED8A3000-0x00007FFEED8A5000-memory.dmp
memory/380-15-0x00000000000A0000-0x00000000000AA000-memory.dmp
memory/380-16-0x00007FFEED8A3000-0x00007FFEED8A5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku819944.exe
| MD5 | 63aeb4600233cf896c37827e80912729 |
| SHA1 | 93b29d5aadc287e416927db8937aabf543b96fac |
| SHA256 | a8baff8465e0b4d12fc1c05c4467818192e046e3fc28c914e4808d1bc09ddff9 |
| SHA512 | 85bd4d493fcbeae58c3cbf9f399c7507becbd28fd53b97da6ce4af884a2aff8f89c9211fdf2e9cea678246e18924f85c6310f07c68c9b51cdccd6215d6309a3d |
memory/4512-22-0x00000000027E0000-0x0000000002826000-memory.dmp
memory/4512-23-0x0000000004E50000-0x00000000053F4000-memory.dmp
memory/4512-24-0x0000000005440000-0x0000000005484000-memory.dmp
memory/4512-26-0x0000000005440000-0x000000000547F000-memory.dmp
memory/4512-42-0x0000000005440000-0x000000000547F000-memory.dmp
memory/4512-88-0x0000000005440000-0x000000000547F000-memory.dmp
memory/4512-86-0x0000000005440000-0x000000000547F000-memory.dmp
memory/4512-85-0x0000000005440000-0x000000000547F000-memory.dmp
memory/4512-82-0x0000000005440000-0x000000000547F000-memory.dmp
memory/4512-80-0x0000000005440000-0x000000000547F000-memory.dmp
memory/4512-78-0x0000000005440000-0x000000000547F000-memory.dmp
memory/4512-76-0x0000000005440000-0x000000000547F000-memory.dmp
memory/4512-72-0x0000000005440000-0x000000000547F000-memory.dmp
memory/4512-70-0x0000000005440000-0x000000000547F000-memory.dmp
memory/4512-68-0x0000000005440000-0x000000000547F000-memory.dmp
memory/4512-66-0x0000000005440000-0x000000000547F000-memory.dmp
memory/4512-64-0x0000000005440000-0x000000000547F000-memory.dmp
memory/4512-62-0x0000000005440000-0x000000000547F000-memory.dmp
memory/4512-60-0x0000000005440000-0x000000000547F000-memory.dmp
memory/4512-58-0x0000000005440000-0x000000000547F000-memory.dmp
memory/4512-54-0x0000000005440000-0x000000000547F000-memory.dmp
memory/4512-53-0x0000000005440000-0x000000000547F000-memory.dmp
memory/4512-50-0x0000000005440000-0x000000000547F000-memory.dmp
memory/4512-48-0x0000000005440000-0x000000000547F000-memory.dmp
memory/4512-46-0x0000000005440000-0x000000000547F000-memory.dmp
memory/4512-45-0x0000000005440000-0x000000000547F000-memory.dmp
memory/4512-40-0x0000000005440000-0x000000000547F000-memory.dmp
memory/4512-39-0x0000000005440000-0x000000000547F000-memory.dmp
memory/4512-36-0x0000000005440000-0x000000000547F000-memory.dmp
memory/4512-34-0x0000000005440000-0x000000000547F000-memory.dmp
memory/4512-32-0x0000000005440000-0x000000000547F000-memory.dmp
memory/4512-28-0x0000000005440000-0x000000000547F000-memory.dmp
memory/4512-74-0x0000000005440000-0x000000000547F000-memory.dmp
memory/4512-56-0x0000000005440000-0x000000000547F000-memory.dmp
memory/4512-30-0x0000000005440000-0x000000000547F000-memory.dmp
memory/4512-25-0x0000000005440000-0x000000000547F000-memory.dmp
memory/4512-931-0x0000000005480000-0x0000000005A98000-memory.dmp
memory/4512-932-0x0000000005AF0000-0x0000000005BFA000-memory.dmp
memory/4512-933-0x0000000005C30000-0x0000000005C42000-memory.dmp
memory/4512-934-0x0000000005C50000-0x0000000005C8C000-memory.dmp
memory/4512-935-0x0000000005DA0000-0x0000000005DEC000-memory.dmp