Analysis Overview
SHA256
b1bc7740a21953e93c778bad7dd5f95ce5eb0ca858caedbafb1f6b2e70753f05
Threat Level: Known bad
The file b1bc7740a21953e93c778bad7dd5f95ce5eb0ca858caedbafb1f6b2e70753f05.exe was found to be: Known bad.
Malicious Activity Summary
Healer family
RedLine payload
Redline family
RedLine
Healer
Modifies Windows Defender Real-time Protection settings
Detects Healer, an antivirus disabler dropper
Windows security modification
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-12 19:57
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 19:57
Reported
2024-11-12 19:59
Platform
win10v2004-20241007-en
Max time kernel
117s
Max time network
120s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr648116.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr648116.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr648116.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr648116.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr648116.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr648116.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziVh2895.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr648116.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku606694.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr648116.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\b1bc7740a21953e93c778bad7dd5f95ce5eb0ca858caedbafb1f6b2e70753f05.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziVh2895.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku606694.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b1bc7740a21953e93c778bad7dd5f95ce5eb0ca858caedbafb1f6b2e70753f05.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziVh2895.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr648116.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr648116.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr648116.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku606694.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\b1bc7740a21953e93c778bad7dd5f95ce5eb0ca858caedbafb1f6b2e70753f05.exe | "C:\Users\Admin\AppData\Local\Temp\b1bc7740a21953e93c778bad7dd5f95ce5eb0ca858caedbafb1f6b2e70753f05.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziVh2895.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziVh2895.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr648116.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr648116.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku606694.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku606694.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziVh2895.exe
| MD5 | df42bd21157cc67fad9949d41c1b9e4b |
| SHA1 | f11b5da9d4b78edfea24d3f113b66767f9324aeb |
| SHA256 | 2359247cae8aab023d705f935ba69209c1fa1a35caf7c0daa1c91934a43e9e2a |
| SHA512 | 0b661b0487a32b35281c58e17fbf28e8b8fbfc74f399ffd25677ae996a8c8d226544d44dfe539f5f37c742e2ccf9731efb828b5dbf8cdf16f7ba3ba10a645d1b |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr648116.exe
| MD5 | fd19abf7c35262c58d46f3e7da054ce6 |
| SHA1 | 5b988629ebaae0f71e903a87f262be0b0217dfb0 |
| SHA256 | d8e08e2b04ea44b70b7b98ab693ca7d2309998dbf85e9232985218b2de4a2360 |
| SHA512 | 7ff06dc81736869741149ac3776e7d8d53e39c4c7296959145edf53df69fc8a2bb0213a17fae8f82bd648cc128eaff512f2fb794ba27420d65a0b35ca21a9fab |
memory/4444-14-0x00007FF9DEF23000-0x00007FF9DEF25000-memory.dmp
memory/4444-15-0x0000000000D50000-0x0000000000D5A000-memory.dmp
memory/4444-16-0x00007FF9DEF23000-0x00007FF9DEF25000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku606694.exe
| MD5 | 8e9cdab1e9fab42bafe8d8d1112d567a |
| SHA1 | aecc0d3392a7e3b00155379741616c92e23e5926 |
| SHA256 | a0648f39c8ec9405c67aaf8850446baeb0fb1a23cc8a445e98e3c68f18961c0e |
| SHA512 | d1be3611b1797831d4b89a29d1d8014b62c21d068e6b4b61a629869255b201fb379c06b9708017b653674f1b3c9573605249dccc19359fd12976848fbce345c9 |
memory/948-22-0x0000000004A40000-0x0000000004A86000-memory.dmp
memory/948-23-0x0000000004B70000-0x0000000005114000-memory.dmp
memory/948-24-0x0000000004AC0000-0x0000000004B04000-memory.dmp
memory/948-30-0x0000000004AC0000-0x0000000004AFF000-memory.dmp
memory/948-36-0x0000000004AC0000-0x0000000004AFF000-memory.dmp
memory/948-88-0x0000000004AC0000-0x0000000004AFF000-memory.dmp
memory/948-86-0x0000000004AC0000-0x0000000004AFF000-memory.dmp
memory/948-84-0x0000000004AC0000-0x0000000004AFF000-memory.dmp
memory/948-80-0x0000000004AC0000-0x0000000004AFF000-memory.dmp
memory/948-78-0x0000000004AC0000-0x0000000004AFF000-memory.dmp
memory/948-76-0x0000000004AC0000-0x0000000004AFF000-memory.dmp
memory/948-72-0x0000000004AC0000-0x0000000004AFF000-memory.dmp
memory/948-70-0x0000000004AC0000-0x0000000004AFF000-memory.dmp
memory/948-68-0x0000000004AC0000-0x0000000004AFF000-memory.dmp
memory/948-66-0x0000000004AC0000-0x0000000004AFF000-memory.dmp
memory/948-64-0x0000000004AC0000-0x0000000004AFF000-memory.dmp
memory/948-62-0x0000000004AC0000-0x0000000004AFF000-memory.dmp
memory/948-61-0x0000000004AC0000-0x0000000004AFF000-memory.dmp
memory/948-56-0x0000000004AC0000-0x0000000004AFF000-memory.dmp
memory/948-54-0x0000000004AC0000-0x0000000004AFF000-memory.dmp
memory/948-52-0x0000000004AC0000-0x0000000004AFF000-memory.dmp
memory/948-50-0x0000000004AC0000-0x0000000004AFF000-memory.dmp
memory/948-48-0x0000000004AC0000-0x0000000004AFF000-memory.dmp
memory/948-46-0x0000000004AC0000-0x0000000004AFF000-memory.dmp
memory/948-44-0x0000000004AC0000-0x0000000004AFF000-memory.dmp
memory/948-42-0x0000000004AC0000-0x0000000004AFF000-memory.dmp
memory/948-40-0x0000000004AC0000-0x0000000004AFF000-memory.dmp
memory/948-38-0x0000000004AC0000-0x0000000004AFF000-memory.dmp
memory/948-34-0x0000000004AC0000-0x0000000004AFF000-memory.dmp
memory/948-32-0x0000000004AC0000-0x0000000004AFF000-memory.dmp
memory/948-82-0x0000000004AC0000-0x0000000004AFF000-memory.dmp
memory/948-74-0x0000000004AC0000-0x0000000004AFF000-memory.dmp
memory/948-58-0x0000000004AC0000-0x0000000004AFF000-memory.dmp
memory/948-28-0x0000000004AC0000-0x0000000004AFF000-memory.dmp
memory/948-26-0x0000000004AC0000-0x0000000004AFF000-memory.dmp
memory/948-25-0x0000000004AC0000-0x0000000004AFF000-memory.dmp
memory/948-931-0x0000000005120000-0x0000000005738000-memory.dmp
memory/948-932-0x0000000005790000-0x000000000589A000-memory.dmp
memory/948-933-0x00000000058D0000-0x00000000058E2000-memory.dmp
memory/948-934-0x00000000058F0000-0x000000000592C000-memory.dmp
memory/948-935-0x0000000005A40000-0x0000000005A8C000-memory.dmp