Analysis Overview
SHA256
672fe2093565b07b9894e3a92cd067f1d1595166b5417794b7877eacd90aa153
Threat Level: Known bad
The file 672fe2093565b07b9894e3a92cd067f1d1595166b5417794b7877eacd90aa153 was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
Healer family
Modifies Windows Defender Real-time Protection settings
Healer
Detects Healer an antivirus disabler dropper
Redline family
Windows security modification
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 06:46
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 06:46
Reported
2024-11-11 06:48
Platform
win10v2004-20241007-en
Max time kernel
142s
Max time network
146s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr772868.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr772868.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr772868.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr772868.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr772868.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr772868.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziLp6772.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr772868.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku631971.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr772868.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\672fe2093565b07b9894e3a92cd067f1d1595166b5417794b7877eacd90aa153.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziLp6772.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\672fe2093565b07b9894e3a92cd067f1d1595166b5417794b7877eacd90aa153.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziLp6772.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku631971.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr772868.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr772868.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku631971.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\672fe2093565b07b9894e3a92cd067f1d1595166b5417794b7877eacd90aa153.exe | "C:\Users\Admin\AppData\Local\Temp\672fe2093565b07b9894e3a92cd067f1d1595166b5417794b7877eacd90aa153.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziLp6772.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziLp6772.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr772868.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr772868.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku631971.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku631971.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziLp6772.exe
| MD5 | ac9302362f40969c2f5b106deffa5f85 |
| SHA1 | 116110ee39e98cf50c1163c3e8734365dd51a75f |
| SHA256 | 9734876e56127779c16c56169e29afe98627f7b8c78daddffd2a6b215d23a14d |
| SHA512 | 541ac86f7afaf2697c21c22de02c7365cb6ee5f4039510e85c9e3e0a3c924d424283003c2d5a83e4556bc18b90095b5a53e5265db61918d4ded7ff100e737d8b |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr772868.exe
| MD5 | 14eb297a713e4ef5115503f47f1945e3 |
| SHA1 | 43c61e204d9a2453eef79a03ba733d64ab620518 |
| SHA256 | f8b8831a73eefa6069f52d3f21981d4dd6ddda47082dcabb98111a2fdb50fedc |
| SHA512 | d1bf72f37c50fc3354d6b6f0f84e253be93985965e70ab59492858fa696041bcd1d62d5807ccb2dec1bffcce11a9a97b8bbd794fe94d6e9beb083ef5beb68f3f |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku631971.exe
| MD5 | d27ff91ccdcd0a00d9182b5c9e53e055 |
| SHA1 | f9623c3f3cc2cfab207f714d8403901f03a3a110 |
| SHA256 | 4f9ad77b99653cd4be088bd7c754e898aabcce5b1c3d127be721ba47622ccd30 |
| SHA512 | c73d6cf52ba9916e7cf6deec3413622aece1b7509976cbd04800b166d2e8ecbcb21f82590ceef2bcfe37f481d3006ba6ed48895fc4138baad1ee7d97518a372b |