Analysis Overview
SHA256
89040e7d35b9a12a6e9a529c3b9ec6c29fdd679ce3106d61fd2fe874615d2607
Threat Level: Known bad
The file 64bec3fe65069e5f7b005133c647aff0279d37f1e7d33ae2528b87d2e48fe108N.exe was found to be: Known bad.
Malicious Activity Summary
Detects Healer an antivirus disabler dropper
Healer family
RedLine payload
Redline family
RedLine
Modifies Windows Defender Real-time Protection settings
Healer
Windows security modification
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 06:03
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 06:03
Reported
2024-11-11 06:05
Platform
win10v2004-20241007-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr906185.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr906185.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr906185.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr906185.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr906185.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr906185.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibM7862.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr906185.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku093719.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr906185.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\64bec3fe65069e5f7b005133c647aff0279d37f1e7d33ae2528b87d2e48fe108N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibM7862.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibM7862.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku093719.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\64bec3fe65069e5f7b005133c647aff0279d37f1e7d33ae2528b87d2e48fe108N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr906185.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr906185.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku093719.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\64bec3fe65069e5f7b005133c647aff0279d37f1e7d33ae2528b87d2e48fe108N.exe | "C:\Users\Admin\AppData\Local\Temp\64bec3fe65069e5f7b005133c647aff0279d37f1e7d33ae2528b87d2e48fe108N.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibM7862.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibM7862.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr906185.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr906185.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku093719.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku093719.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| RU | 176.113.115.145:4125 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibM7862.exe
| MD5 | 2e687e8b9f9a60a425a8a5bf24da6ff6 |
| SHA1 | 3671eb6d985a3f0ddba5a05abe34bc22103e416f |
| SHA256 | fdaef8f50c626e98d36eb43b8ce160805ce5cf729af170fa2554cb0b16bfc485 |
| SHA512 | 8da745662a3dfe315750d73b94494da8093727110461815f41b0748339a5702c58dde9a47966fd68e41cc53130db96f137d47ef580240db3a6889288d534959b |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr906185.exe
| MD5 | b1611126b26d3a820698c71942879f08 |
| SHA1 | 6ddddd6a0535e38f5803811722d1b78ca6470cba |
| SHA256 | c293d6a9a6ee24c93cd2f8656919f39beafa13344084c1ebb459dcf55775d9be |
| SHA512 | 5753c0d9c9bba196ce3b604e0573b373ce5a11f14ff5d1f188163aefe91d040ec3afb68988a138383f627bdbfcd344f49b02379b53c5cdd59d8e20d8258a6c4e |
memory/2316-14-0x00007FFBF20D3000-0x00007FFBF20D5000-memory.dmp
memory/2316-15-0x00000000008F0000-0x00000000008FA000-memory.dmp
memory/2316-16-0x00007FFBF20D3000-0x00007FFBF20D5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku093719.exe
| MD5 | f7d6e6b14eedbc715c605d93c31377be |
| SHA1 | 8bfa77451e5029a6e0560920ff9132295fce4f01 |
| SHA256 | 58eea3db32c479dde630d3fd9c2ddcf0b7b4d28633081841e38de89d4c2ffeba |
| SHA512 | f1b1d2b53e2e7b5aa87472179565ce4ccd8a9822f299e774714b0fab31ed290069428e4a787ecd0d4817f991442c863b3d1f7a981b189d07c7b76040beb0fa56 |