Analysis Overview
SHA256
159d20917e497b3bbdb8c118aad1fadcdf665fcccaf2c42f867727238624ec87
Threat Level: Known bad
The file 159d20917e497b3bbdb8c118aad1fadcdf665fcccaf2c42f867727238624ec87 was found to be: Known bad.
Malicious Activity Summary
Healer family
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine payload
Healer
Redline family
Detects Healer an antivirus disabler dropper
Executes dropped EXE
Windows security modification
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 05:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 05:56
Reported
2024-11-11 05:59
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it142833.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it142833.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it142833.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it142833.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it142833.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it142833.exe | N/A |
These are the policy-backed Real-Time Protection settings (the same values Group Policy writes). Setting each to 1 turns off real-time scanning, behaviour monitoring, on-access scanning, download/attachment (IOAV) scanning and the catch-up scan that normally runs when real-time protection is re-enabled. All six writes come from it142833.exe, which is the antivirus-disabler behaviour the Healer signatures describe. The report records the registry writes themselves, not the Defender state that resulted.
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
The report lists 36 matches for this signature, none of which carries an indicator, process or target.
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zilQ6729.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zidP3969.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it142833.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr368530.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it142833.exe | N/A |
TamperProtection under HKLM\SOFTWARE\Microsoft\Windows Defender\Features is Defender's own state value rather than a policy setting. Tamper Protection exists to block exactly this kind of write from other processes, and where it is enforced Defender is designed to disregard registry-set Real-Time Protection policy values as well; the row therefore shows the attempt by it142833.exe, not that protection was successfully turned off on the sandbox host.
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\159d20917e497b3bbdb8c118aad1fadcdf665fcccaf2c42f867727238624ec87.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zilQ6729.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zidP3969.exe | N/A |
These RunOnce values are the standard cleanup entries written by the Windows IExpress/wextract self-extractor: rundll32 advpack.dll,DelNodeRunDLL32 deletes the named IXPnnn.TMP directory at the next logon. They do not start the payload, but they do expose three nested self-extractor layers and which process unpacked which directory: the submitted sample unpacked IXP000.TMP, zilQ6729.exe unpacked IXP001.TMP, and zidP3969.exe unpacked IXP002.TMP, the directory that holds it142833.exe and jr368530.exe.
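The Defender policy writes and the wextract_cleanup entries above are the two registry patterns worth automating when triaging this family. The script below is an added example, not the sandbox vendor's code and not part of this report: it parses rows in the report's own table layout (the rows embedded in it are copied from this page as constructed input), flags the Real-Time Protection values set to 1 and the TamperProtection write, and recovers the drop chain from the DelNodeRunDLL32 directories. The function names and the layout of the findings dictionary are this example's assumptions.

```python
"""Turn registry rows of the kind this report lists into triage findings.

Added example: not the sandbox vendor's code and not part of the report.
SAMPLE_ROWS is constructed input copied from this report's own tables; the
function names and the findings dict layout are this example's assumptions.
"""
import re

RTP_POLICY_KEY = (r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft"
                  r"\Windows Defender\Real-Time Protection")
# Policy values the report shows it142833.exe setting to 1.
DISABLE_VALUES = {"DisableRealtimeMonitoring", "DisableBehaviorMonitoring",
                  "DisableIOAVProtection", "DisableOnAccessProtection",
                  "DisableScanOnRealtimeEnable"}
TAMPER_KEY = (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender"
              r"\Features\TamperProtection")
# wextract (IExpress self-extractor) cleanup entry; its DelNodeRunDLL32
# argument names the directory the writing process unpacked into.
RUNONCE_RE = re.compile(r"\\RunOnce\\wextract_cleanup(\d+)$", re.IGNORECASE)
DELNODE_RE = re.compile(r'DelNodeRunDLL32 "([^"]+)"', re.IGNORECASE)

SAMPLE_ROWS = r"""
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it142833.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it142833.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it142833.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it142833.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it142833.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it142833.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it142833.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\159d20917e497b3bbdb8c118aad1fadcdf665fcccaf2c42f867727238624ec87.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zilQ6729.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zidP3969.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr368530.exe | N/A |
"""


def unescape(s):
    """Undo the report's C-style escaping of quotes and backslashes."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_rows(text):
    """Parse '| Description | Indicator | Process | Target |' rows into events."""
    events = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split(" | ")]
        if len(cells) != 4 or cells[0] == "Description" or cells[1] == "N/A":
            continue
        desc, indicator, process, _target = cells
        path, sep, data = indicator.partition(' = "')   # data keeps a closing quote
        events.append({"op": desc, "path": path, "process": process,
                       "data": unescape(data[:-1]) if sep else None})
    return events


def analyze(events):
    """Group events into the findings a triage note would state."""
    f = {"defender_disabled": {}, "tamper_protection": [],
         "wextract_chain": [], "parents": {}}
    dir_writer = {}  # unpacked directory (lower-case) -> process that wrote it
    for e in events:
        key, _, name = e["path"].rpartition("\\")
        if (key.lower() == RTP_POLICY_KEY.lower() and name in DISABLE_VALUES
                and e["data"] == "1"):
            f["defender_disabled"].setdefault(e["process"], []).append(name)
        elif e["path"].lower() == TAMPER_KEY.lower():
            f["tamper_protection"].append((e["process"], e["data"]))
        else:
            r = RUNONCE_RE.search(e["path"])
            m = DELNODE_RE.search(e["data"] or "")
            if r and m:
                f["wextract_chain"].append((int(r.group(1)), e["process"], m.group(1)))
                dir_writer[m.group(1).lower()] = e["process"]
    # A process running from an unpacked directory was dropped by the process
    # that registered that directory's cleanup entry.
    for e in events:
        proc = e["process"]
        parent = dir_writer.get(proc.lower().rpartition("\\")[0] + "\\")
        if parent and proc not in f["parents"]:
            f["parents"][proc] = parent
    f["wextract_chain"].sort()
    for names in f["defender_disabled"].values():
        names.sort()
    return f


if __name__ == "__main__":
    findings = analyze(parse_rows(SAMPLE_ROWS))
    for proc, names in findings["defender_disabled"].items():
        print(f"{proc} set Defender policy values: {', '.join(names)}")
    for stage, proc, directory in findings["wextract_chain"]:
        print(f"wextract stage {stage}: {proc} unpacked {directory}")
    for child, parent in findings["parents"].items():
        print(f"{child} dropped by {parent}")
```

Run on the rows from this report, the chain comes out as the submitted sample, then zilQ6729.exe, then zidP3969.exe, with it142833.exe and jr368530.exe both attributed to zidP3969.exe, and it142833.exe alone accounts for all five Real-Time Protection values and the TamperProtection write. The same parser works on any report section in this four-column layout; the escaping rule (`\"` and `\\` inside the quoted data) is the one the RunOnce rows above use.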
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\159d20917e497b3bbdb8c118aad1fadcdf665fcccaf2c42f867727238624ec87.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zilQ6729.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zidP3969.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr368530.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it142833.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it142833.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it142833.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr368530.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\159d20917e497b3bbdb8c118aad1fadcdf665fcccaf2c42f867727238624ec87.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\159d20917e497b3bbdb8c118aad1fadcdf665fcccaf2c42f867727238624ec87.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zilQ6729.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zilQ6729.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zidP3969.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zidP3969.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it142833.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it142833.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr368530.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr368530.exe
Extraction chain, inferred from the wextract_cleanup RunOnce entries and the drop directories: the submitted sample -> zilQ6729.exe (IXP000.TMP) -> zidP3969.exe (IXP001.TMP) -> it142833.exe and jr368530.exe (IXP002.TMP). it142833.exe is the process that performs the Defender registry modifications; jr368530.exe is the other executable in the final layer.
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.161.248.152:38452 | N/A | tcp |
| RU | 185.161.248.152:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| RU | 185.161.248.152:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| RU | 185.161.248.152:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| RU | 185.161.248.152:38452 | N/A | tcp |
| RU | 185.161.248.152:38452 | N/A | tcp |
| RU | 185.161.248.152:38452 | N/A | tcp |
All udp rows are reverse (PTR) lookups sent to Google DNS; a name such as 97.17.167.52.in-addr.arpa asks for the hostname of 52.167.17.97. Apart from those, the only traffic is seven TCP connections to 185.161.248.152:38452, with no domain recorded for any of them.
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zilQ6729.exe
| MD5 | b38c65a5338a7fe48d50c4c4cb2daf35 |
| SHA1 | ba94d0ddbbfd240bde94a807fee9460713bfa2b7 |
| SHA256 | bfdc96529af0e6b69c7b1d25dbe25f2e26636ddc561d08d292ec16bd883583c6 |
| SHA512 | 502abf162c0be034438aabc127749a0e7f8e1e4b6558f1f681f6fe8c4eda59ec637b02065a5fb255adbac1b8201dfc1f0c739b4fd500a62122263d78f4db8980 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zidP3969.exe
| MD5 | 73134dc69bf75f1fe9445f5a1abd33b2 |
| SHA1 | aac3020388e507fc5773aecc6137236a8cc6e93a |
| SHA256 | 4a2915caf515fd0a21c938255a3e481bcb24b6c2a2efeb3baff54821a7c92dc5 |
| SHA512 | 76c82052035408c41be17141a663d79224dc3c8660438e2cbc424d93d5a6994fa8608ed63114d74cc747dc2e923ac4c4866d41a2c76984ef8e6874b006fe547b |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it142833.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
Memory regions dumped from this process (PID 3708):
memory/3708-21-0x00007FFA20253000-0x00007FFA20255000-memory.dmp
memory/3708-22-0x00000000000F0000-0x00000000000FA000-memory.dmp
memory/3708-23-0x00007FFA20253000-0x00007FFA20255000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr368530.exe
| MD5 | c36000ca77135ecfb10ededd0c983c82 |
| SHA1 | bb1a20ecd15434c05841a785c873bd27c8baa35c |
| SHA256 | 4c566252d4a71abda6544c6509e034515e5e99635c4658678e0e45a22a4be58d |
| SHA512 | 7b828cf571f71474d398db521f6bdfb7ce81a9149a9dcc3a499d3df25f7541e5cb1e05b87044ad93923717b128680674c1420e7e5db5cf516a484931663c0f7d |
Memory regions dumped from this process (PID 2976):
memory/2976-29-0x00000000025E0000-0x000000000261C000-memory.dmp
memory/2976-30-0x0000000005070000-0x0000000005614000-memory.dmp
memory/2976-31-0x0000000004E90000-0x0000000004ECA000-memory.dmp
memory/2976-45-0x0000000004E90000-0x0000000004EC5000-memory.dmp
memory/2976-43-0x0000000004E90000-0x0000000004EC5000-memory.dmp
memory/2976-42-0x0000000004E90000-0x0000000004EC5000-memory.dmp
memory/2976-39-0x0000000004E90000-0x0000000004EC5000-memory.dmp
memory/2976-37-0x0000000004E90000-0x0000000004EC5000-memory.dmp
memory/2976-35-0x0000000004E90000-0x0000000004EC5000-memory.dmp
memory/2976-33-0x0000000004E90000-0x0000000004EC5000-memory.dmp
memory/2976-32-0x0000000004E90000-0x0000000004EC5000-memory.dmp
memory/2976-95-0x0000000004E90000-0x0000000004EC5000-memory.dmp
memory/2976-93-0x0000000004E90000-0x0000000004EC5000-memory.dmp
memory/2976-91-0x0000000004E90000-0x0000000004EC5000-memory.dmp
memory/2976-89-0x0000000004E90000-0x0000000004EC5000-memory.dmp
memory/2976-88-0x0000000004E90000-0x0000000004EC5000-memory.dmp
memory/2976-85-0x0000000004E90000-0x0000000004EC5000-memory.dmp
memory/2976-825-0x0000000007FC0000-0x0000000007FD2000-memory.dmp
memory/2976-826-0x0000000007FE0000-0x00000000080EA000-memory.dmp
memory/2976-824-0x00000000079A0000-0x0000000007FB8000-memory.dmp
memory/2976-83-0x0000000004E90000-0x0000000004EC5000-memory.dmp
memory/2976-81-0x0000000004E90000-0x0000000004EC5000-memory.dmp
memory/2976-79-0x0000000004E90000-0x0000000004EC5000-memory.dmp
memory/2976-77-0x0000000004E90000-0x0000000004EC5000-memory.dmp
memory/2976-75-0x0000000004E90000-0x0000000004EC5000-memory.dmp
memory/2976-73-0x0000000004E90000-0x0000000004EC5000-memory.dmp
memory/2976-71-0x0000000004E90000-0x0000000004EC5000-memory.dmp
memory/2976-69-0x0000000004E90000-0x0000000004EC5000-memory.dmp
memory/2976-67-0x0000000004E90000-0x0000000004EC5000-memory.dmp
memory/2976-65-0x0000000004E90000-0x0000000004EC5000-memory.dmp
memory/2976-63-0x0000000004E90000-0x0000000004EC5000-memory.dmp
memory/2976-61-0x0000000004E90000-0x0000000004EC5000-memory.dmp
memory/2976-59-0x0000000004E90000-0x0000000004EC5000-memory.dmp
memory/2976-57-0x0000000004E90000-0x0000000004EC5000-memory.dmp
memory/2976-55-0x0000000004E90000-0x0000000004EC5000-memory.dmp
memory/2976-53-0x0000000004E90000-0x0000000004EC5000-memory.dmp
memory/2976-51-0x0000000004E90000-0x0000000004EC5000-memory.dmp
memory/2976-49-0x0000000004E90000-0x0000000004EC5000-memory.dmp
memory/2976-47-0x0000000004E90000-0x0000000004EC5000-memory.dmp
memory/2976-827-0x00000000080F0000-0x000000000812C000-memory.dmp
memory/2976-828-0x00000000049C0000-0x0000000004A0C000-memory.dmp