Analysis Overview
SHA256
39aafcee05ce7ebcc2d8687d180f9bf92868f3a640fb898bea847bc649c82b6c
Threat Level: Known bad
The file 39aafcee05ce7ebcc2d8687d180f9bf92868f3a640fb898bea847bc649c82b6c was found to be: Known bad.
Malicious Activity Summary
Detects Healer an antivirus disabler dropper
Healer family
RedLine payload
Healer
RedLine
Redline family
Modifies Windows Defender Real-time Protection settings
Executes dropped EXE
Windows security modification
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 03:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 03:06
Reported
2024-11-10 03:08
Platform
win10v2004-20241007-en
Max time kernel
142s
Max time network
146s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr904134.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr904134.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr904134.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr904134.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr904134.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr904134.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A (35 matches; the report records no description, indicator, process or target for any of them) | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibt7449.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr904134.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku419500.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr904134.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\39aafcee05ce7ebcc2d8687d180f9bf92868f3a640fb898bea847bc649c82b6c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibt7449.exe | N/A |
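The registry writes in the "Modifies Windows Defender Real-time Protection settings", "Windows security modification" and "Adds Run key to start application" tables above are the parts of this report that translate directly into host detection: jr904134.exe sets five Real-Time Protection policy values to 1 and TamperProtection to 0, while the outer stages register the RunOnce\wextract_cleanupN entries that IExpress/wextract self-extractors leave behind (each one names the IXPnnn.TMP directory that stage unpacked into, so the index N is the nesting depth). The following is an added example, not code from the report or from any sandbox; it triages constructed registry-write records in the shape Sysmon Event ID 13 (RegistryEvent: SetValue) produces, with the sandbox's native \REGISTRY\MACHINE\ spelling mapped onto Sysmon's HKLM\ form. The RegEvent/Finding types, the function names and the sample events are assumptions made for the example; the indicator paths and values come from the tables.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Sandbox output spells keys as \REGISTRY\MACHINE\...; Sysmon spells them HKLM\...
# normalise() maps the native form onto the Sysmon form so either source can be fed in.
_PREFIXES = (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\"))

RTP_KEY = "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection"
# The five Real-Time Protection policy values the report shows being set to 1.
RTP_KILL_VALUES = {
    "DisableRealtimeMonitoring", "DisableBehaviorMonitoring", "DisableIOAVProtection",
    "DisableOnAccessProtection", "DisableScanOnRealtimeEnable",
}
TAMPER_VALUE = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection"

# IExpress/wextract self-extractors register RunOnce\wextract_cleanupN pointing at
# advpack.dll,DelNodeRunDLL32 "<their IXPnnn.TMP dir>"; N counts nested extractors.
WEXTRACT_NAME = re.compile(r"\\RunOnce\\wextract_cleanup(\d+)$", re.I)
WEXTRACT_DIR = re.compile(r'DelNodeRunDLL32\s+"?(?P<dir>[^"]+?)\\?"?\s*$', re.I)


@dataclass(frozen=True)
class RegEvent:          # hypothetical record type for the example
    image: str           # process that performed the write
    target: str          # full value (or key) path
    details: str         # new data: "1", "DWORD (0x00000001)", or a string value


@dataclass(frozen=True)
class Finding:
    kind: str
    image: str
    detail: str


def normalise(path: str) -> str:
    for native, hive in _PREFIXES:
        if path.upper().startswith(native):
            return hive + path[len(native):]
    return path


def as_int(details: str) -> Optional[int]:
    """Read a DWORD out of either Sysmon's 'DWORD (0x...)' form or a bare number."""
    m = re.search(r"0x([0-9A-Fa-f]+)", details)
    if m:
        return int(m.group(1), 16)
    try:
        return int(details.strip().strip('"'))
    except ValueError:
        return None


def classify(ev: RegEvent) -> Optional[Finding]:
    target = normalise(ev.target)
    key, _, name = target.rpartition("\\")
    if key.lower() == RTP_KEY.lower() and name in RTP_KILL_VALUES and as_int(ev.details) == 1:
        return Finding("defender_rtp_disabled", ev.image, name)
    if target.lower() == TAMPER_VALUE.lower() and as_int(ev.details) == 0:
        return Finding("tamper_protection_off", ev.image, name)
    m = WEXTRACT_NAME.search(target)
    if m:
        d = WEXTRACT_DIR.search(ev.details)
        directory = d.group("dir").rstrip("\\") if d else "?"
        return Finding("wextract_stage", ev.image, "stage %s dir %s" % (m.group(1), directory))
    return None


def triage(events: Iterable[RegEvent]) -> List[Finding]:
    """Return every event that matches one of the three behaviours, in input order."""
    return [f for f in (classify(e) for e in events) if f is not None]


# Constructed sample: the writes from the report plus one benign write that must not fire.
_T = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
_RUNONCE = "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\"
_DELNODE = 'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 "'
SAMPLE_EVENTS = [
    RegEvent(_T + "39aafcee05ce7ebcc2d8687d180f9bf92868f3a640fb898bea847bc649c82b6c.exe",
             _RUNONCE + "wextract_cleanup0", _DELNODE + _T + 'IXP000.TMP\\"'),
    RegEvent(_T + "IXP000.TMP\\zibt7449.exe",
             _RUNONCE + "wextract_cleanup1", _DELNODE + _T + 'IXP001.TMP\\"'),
    RegEvent(_T + "IXP001.TMP\\jr904134.exe",
             "\\REGISTRY\\MACHINE\\" + RTP_KEY[len("HKLM\\"):] + "\\DisableRealtimeMonitoring", "1"),
    RegEvent(_T + "IXP001.TMP\\jr904134.exe",
             RTP_KEY + "\\DisableBehaviorMonitoring", "DWORD (0x00000001)"),
    RegEvent(_T + "IXP001.TMP\\jr904134.exe", TAMPER_VALUE, "DWORD (0x00000000)"),
    # Benign: an admin re-enabling real-time monitoring writes 0, which is not a hit.
    RegEvent("C:\\Windows\\regedit.exe", RTP_KEY + "\\DisableRealtimeMonitoring", "DWORD (0x00000000)"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f.kind, f.detail, "<-", f.image)
```

Two caveats for using this outside a sandbox. Tamper Protection, where enabled, is designed to block or ignore exactly these Real-Time Protection policy changes, so the writes succeeding here says something about the analysis VM's configuration; on a managed endpoint, alert on the write attempt itself rather than on whether it took effect. And the wextract_cleanup entries are produced by every IExpress package, malicious or not, so that finding is context for the dropper chain (stage 0 unpacked IXP000.TMP, the stage inside it unpacked IXP001.TMP), not a verdict on its own.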
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\39aafcee05ce7ebcc2d8687d180f9bf92868f3a640fb898bea847bc649c82b6c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibt7449.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku419500.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr904134.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr904134.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr904134.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku419500.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\39aafcee05ce7ebcc2d8687d180f9bf92868f3a640fb898bea847bc649c82b6c.exe | "C:\Users\Admin\AppData\Local\Temp\39aafcee05ce7ebcc2d8687d180f9bf92868f3a640fb898bea847bc649c82b6c.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibt7449.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibt7449.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr904134.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr904134.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku419500.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku419500.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| RU | 176.113.115.145:4125 | | tcp |
| RU | 176.113.115.145:4125 | | tcp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| RU | 176.113.115.145:4125 | | tcp |
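The network table mixes two kinds of rows: PTR queries to 8.8.8.8 (the sandbox reverse-resolving addresses the VM talked to, which is mostly background OS traffic and not something to block) and six TCP connections to 176.113.115.145:4125, the only non-DNS destination and therefore the endpoint to treat as the likely command-and-control channel for the RedLine payload the signatures flag. The following is an added example, not code from the report; it decodes the in-addr.arpa names back into the addresses they ask about, keeps those separate from real endpoints, and counts connection attempts per endpoint. It goes beyond the table by also handling IPv6 ip6.arpa names. The NetRow/Iocs types, the function names and the sample rows are assumptions for the example; the rows themselves are transcribed from the table above.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class NetRow:             # hypothetical row type mirroring the report's table
    country: str
    destination: str      # "ip:port" as the report prints it
    domain: str           # query name on DNS rows, empty otherwise
    proto: str


@dataclass
class Iocs:
    resolvers: Set[str] = field(default_factory=set)
    reverse_lookups: Set[str] = field(default_factory=set)    # addresses decoded from PTR names
    forward_lookups: Set[str] = field(default_factory=set)    # ordinary query names
    endpoints: Dict[str, dict] = field(default_factory=dict)  # "ip:port" -> country/proto/hits


def ptr_to_ip(name: str) -> Optional[str]:
    """Decode a reverse-lookup query name back to the address it asks about.
    Covers IPv4 (in-addr.arpa) and IPv6 (ip6.arpa); returns None for anything else."""
    n = name.rstrip(".").lower()
    try:
        if n.endswith(".in-addr.arpa"):
            octets = n[: -len(".in-addr.arpa")].split(".")
            if len(octets) != 4:
                return None
            return str(ipaddress.IPv4Address(".".join(reversed(octets))))
        if n.endswith(".ip6.arpa"):
            nibbles = n[: -len(".ip6.arpa")].split(".")
            if len(nibbles) != 32:
                return None
            return str(ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16)))
    except ValueError:          # malformed octet or nibble
        return None
    return None


def extract_iocs(rows: Iterable[NetRow]) -> Iocs:
    iocs = Iocs()
    for r in rows:
        host, _, port = r.destination.rpartition(":")
        if r.proto == "udp" and port == "53":
            iocs.resolvers.add(host)
            ip = ptr_to_ip(r.domain)
            if ip:
                iocs.reverse_lookups.add(ip)
            elif r.domain:
                iocs.forward_lookups.add(r.domain)
            continue
        entry = iocs.endpoints.setdefault(
            r.destination, {"country": r.country, "proto": r.proto, "hits": 0})
        entry["hits"] += 1
    return iocs


def hunt_list(iocs: Iocs) -> List[str]:
    """Endpoints worth blocking or hunting for: every non-DNS destination, busiest first."""
    return sorted(iocs.endpoints, key=lambda k: -iocs.endpoints[k]["hits"])


# Constructed sample: the rows of the report's Network table, in order.
_DNS = lambda q: NetRow("US", "8.8.8.8:53", q, "udp")
_C2 = NetRow("RU", "176.113.115.145:4125", "", "tcp")
SAMPLE_ROWS = [
    _DNS("8.8.8.8.in-addr.arpa"), _DNS("28.118.140.52.in-addr.arpa"),
    _DNS("83.210.23.2.in-addr.arpa"), _DNS("14.160.190.20.in-addr.arpa"),
    _DNS("95.221.229.192.in-addr.arpa"), _DNS("58.55.71.13.in-addr.arpa"),
    _C2, _C2, _C2, _C2,
    _DNS("19.229.111.52.in-addr.arpa"),
    _C2, _C2,
]

if __name__ == "__main__":
    found = extract_iocs(SAMPLE_ROWS)
    print("block/hunt:", hunt_list(found), found.endpoints)
    print("reverse-resolved (validate before treating as IOCs):", sorted(found.reverse_lookups))
```

The decoded reverse-lookup addresses are kept out of hunt_list() on purpose: the sandbox issued those PTR queries for whatever the VM connected to, including its own platform traffic, so each should be attributed before it is added to a blocklist, whereas the repeated TCP connections to one foreign host on a non-standard port stand on their own.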
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibt7449.exe
| MD5 | 78003b1ea497f6f84f7afad641859118 |
| SHA1 | fc8afa0ba93ff6fdb32b3e676b552702108fbf70 |
| SHA256 | dc126269651b47efa91d6bc1a6b1605a8a18cdd5356df33741bbdd670123ef1b |
| SHA512 | 72d5728ed0afa62881ebe54cf999f8868f75e130dba166d945666367ab821413d3cb02ad985e4683524f18c358560cd61159fb21186755c48b26b33fdcc34252 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr904134.exe
| MD5 | a2a8ebd2d93bb408c2d46f89c35b9311 |
| SHA1 | 6b4c7e88f6153783580daf181ce95c1ad51d96bf |
| SHA256 | a2bbb490986f915ee0fcffee1d57bbd8bd86e38089332ebfa1d7c9a2ce8900fa |
| SHA512 | ee3b4fb8a8dcc407fda4cc916159a1d07392c6cabb92ab80009a1cc719a27cb2c91944ec79b602886b325d493ea80111959f824317833705a48036608c1a5431 |
memory/2648-14-0x00007FFA074F3000-0x00007FFA074F5000-memory.dmp
memory/2648-15-0x00000000008F0000-0x00000000008FA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku419500.exe
| MD5 | 11aff3a44973cce6d628ed29341607b4 |
| SHA1 | c20444542e2a0c8081cfc47c793e2a02826f8f89 |
| SHA256 | d035c4ca01bf0cee293a8e35ff34768355c8748567108fdd5dfa3c4d89816d3c |
| SHA512 | 76eae33deb8ebea5d725b134c923711513fd6f1eb642310ac504685f1411727610f4ef7ea7db3f2c085807d5c3b8a32fcf2d46ff634d49f5b10cb94e2336f0a7 |
memory/3184-21-0x0000000002700000-0x0000000002746000-memory.dmp
memory/3184-22-0x0000000004EE0000-0x0000000005484000-memory.dmp
memory/3184-23-0x0000000002800000-0x0000000002844000-memory.dmp
memory/3184-35-0x0000000002800000-0x000000000283F000-memory.dmp
memory/3184-39-0x0000000002800000-0x000000000283F000-memory.dmp
memory/3184-37-0x0000000002800000-0x000000000283F000-memory.dmp
memory/3184-33-0x0000000002800000-0x000000000283F000-memory.dmp
memory/3184-31-0x0000000002800000-0x000000000283F000-memory.dmp
memory/3184-73-0x0000000002800000-0x000000000283F000-memory.dmp
memory/3184-61-0x0000000002800000-0x000000000283F000-memory.dmp
memory/3184-47-0x0000000002800000-0x000000000283F000-memory.dmp
memory/3184-41-0x0000000002800000-0x000000000283F000-memory.dmp
memory/3184-87-0x0000000002800000-0x000000000283F000-memory.dmp
memory/3184-85-0x0000000002800000-0x000000000283F000-memory.dmp
memory/3184-83-0x0000000002800000-0x000000000283F000-memory.dmp
memory/3184-81-0x0000000002800000-0x000000000283F000-memory.dmp
memory/3184-79-0x0000000002800000-0x000000000283F000-memory.dmp
memory/3184-77-0x0000000002800000-0x000000000283F000-memory.dmp
memory/3184-75-0x0000000002800000-0x000000000283F000-memory.dmp
memory/3184-71-0x0000000002800000-0x000000000283F000-memory.dmp
memory/3184-69-0x0000000002800000-0x000000000283F000-memory.dmp
memory/3184-67-0x0000000002800000-0x000000000283F000-memory.dmp
memory/3184-65-0x0000000002800000-0x000000000283F000-memory.dmp
memory/3184-63-0x0000000002800000-0x000000000283F000-memory.dmp
memory/3184-59-0x0000000002800000-0x000000000283F000-memory.dmp
memory/3184-57-0x0000000002800000-0x000000000283F000-memory.dmp
memory/3184-55-0x0000000002800000-0x000000000283F000-memory.dmp
memory/3184-53-0x0000000002800000-0x000000000283F000-memory.dmp
memory/3184-51-0x0000000002800000-0x000000000283F000-memory.dmp
memory/3184-49-0x0000000002800000-0x000000000283F000-memory.dmp
memory/3184-45-0x0000000002800000-0x000000000283F000-memory.dmp
memory/3184-43-0x0000000002800000-0x000000000283F000-memory.dmp
memory/3184-29-0x0000000002800000-0x000000000283F000-memory.dmp
memory/3184-27-0x0000000002800000-0x000000000283F000-memory.dmp
memory/3184-25-0x0000000002800000-0x000000000283F000-memory.dmp
memory/3184-24-0x0000000002800000-0x000000000283F000-memory.dmp
memory/3184-930-0x0000000005590000-0x0000000005BA8000-memory.dmp
memory/3184-931-0x0000000005C20000-0x0000000005D2A000-memory.dmp
memory/3184-932-0x0000000005D60000-0x0000000005D72000-memory.dmp
memory/3184-933-0x0000000005D80000-0x0000000005DBC000-memory.dmp
memory/3184-934-0x0000000005ED0000-0x0000000005F1C000-memory.dmp