Analysis Overview
SHA256
e85f1bbc6036b51cbdd369617718b599b1dfc2b0c3edbc50f468944a83612623
Threat Level: Known bad
The file e85f1bbc6036b51cbdd369617718b599b1dfc2b0c3edbc50f468944a83612623 was found to be: Known bad.
Malicious Activity Summary
Healer family
RedLine
RedLine payload
Redline family
Healer
Detects Healer an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
Checks computer location settings
Windows security modification
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Program crash
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 06:49
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 06:49
Reported
2024-11-11 06:51
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr905985.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr905985.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr905985.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr905985.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr905985.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr905985.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku366032.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidM9435.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr905985.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku366032.exe | N/A |
| N/A | N/A | C:\Windows\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr163851.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr905985.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\e85f1bbc6036b51cbdd369617718b599b1dfc2b0c3edbc50f468944a83612623.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidM9435.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku366032.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr163851.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e85f1bbc6036b51cbdd369617718b599b1dfc2b0c3edbc50f468944a83612623.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidM9435.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku366032.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr905985.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr905985.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr905985.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku366032.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e85f1bbc6036b51cbdd369617718b599b1dfc2b0c3edbc50f468944a83612623.exe
"C:\Users\Admin\AppData\Local\Temp\e85f1bbc6036b51cbdd369617718b599b1dfc2b0c3edbc50f468944a83612623.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidM9435.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidM9435.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr905985.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr905985.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku366032.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku366032.exe
C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1944 -ip 1944
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 1380
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr163851.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr163851.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| FI | 77.91.124.145:4125 | | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| FI | 77.91.124.145:4125 | | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| FI | 77.91.124.145:4125 | | tcp |
| US | 8.8.8.8:53 | 170.117.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidM9435.exe
| MD5 | f7ebbc4c52f0ade16b33bc23be0db045 |
| SHA1 | 1474a26eee3ffacc267fb7ee7e9bb5502c8ac454 |
| SHA256 | 36f9addac891ee2cc262eeac725de41ce3a57a2be160b174182eca981303266d |
| SHA512 | 1f5c18277728747f2e4ff1aedc7ce7851d06642afb3056987c1c4fd12435e5298ca5c6cb3aab090eab6060d9e9d7d7724ddd81907ff1c7d78fe4f0c634ff367b |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr905985.exe
| MD5 | 63e82dedacf4746ece8ab970e4554ed7 |
| SHA1 | 4618d8b778cab80c6f8b36d9b913b5db97ebd7c8 |
| SHA256 | 97dfa4d777fc85f88bb2313b98ffc7b076279f1c9a1ab2f43f13ef3f4fcdd408 |
| SHA512 | d31eb702b340522ef242246c49538e44ec933c9f0aaddad725681eb19d5b4b6afe2f1f06a6f1e0dfcd9fe8c005f817dc395a1a2ac2db92eafe84d6c134030b31 |
memory/4516-14-0x00007FFD776A3000-0x00007FFD776A5000-memory.dmp
memory/4516-15-0x0000000000250000-0x000000000025A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku366032.exe
| MD5 | 40fc922d2a6ec7f62f53ecad05f1b820 |
| SHA1 | 7c1e80f0a41438fd430ad275fad4e40f1a786721 |
| SHA256 | 3c1da8b14ca4bc89b4efe0b019f33a96214bd9a11bd54806a0150662da200d2b |
| SHA512 | 513a43f00553a8749405e9ea119489f070f61e06d9edfb8d5532b5e4a3457ed028afa9a5e2918c9653c627ba8b3fa431f520338433a5dc5e46e5f90c107f80b1 |
C:\Windows\Temp\1.exe
| MD5 | 1073b2e7f778788852d3f7bb79929882 |
| SHA1 | 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4 |
| SHA256 | c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb |
| SHA512 | 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr163851.exe
| MD5 | 403d894c45f0d384cec5dca0cec06bd9 |
| SHA1 | 33014a4321c8b6e120f47b1d89314853ad0239d4 |
| SHA256 | e77cc69ef7c57c5d40e30ca5075fb7f129633fbd1de602f2bdc96298dde723e7 |
| SHA512 | a11219a268291a3255e081b47c7dfe2af23cb16a067087198c840b72d9e22de773b7d54e4d822c6ebdf2b662de2e197639d8060605e79558cd836be69edbf3fc |
memory/4236-2128-0x0000000000AA0000-0x0000000000ACE000-memory.dmp
memory/4236-2129-0x0000000002CC0000-0x0000000002CC6000-memory.dmp