Analysis Overview
SHA256
8b1413851bae064d8e90e7a74bbce06da53c96ab313e61d4ed366d085258869c
Threat Level: Known bad
The file 8b1413851bae064d8e90e7a74bbce06da53c96ab313e61d4ed366d085258869c.exe was found to be: Known bad.
Malicious Activity Summary
Detects Healer an antivirus disabler dropper
RedLine payload
Modifies Windows Defender Real-time Protection settings
Healer
Redline family
Healer family
RedLine
Executes dropped EXE
Windows security modification
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 15:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 15:35
Reported
2024-11-13 15:37
Platform
win10v2004-20241007-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr780907.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr780907.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr780907.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr780907.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr780907.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr780907.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr780907.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ku690066.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr780907.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\8b1413851bae064d8e90e7a74bbce06da53c96ab313e61d4ed366d085258869c.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8b1413851bae064d8e90e7a74bbce06da53c96ab313e61d4ed366d085258869c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ku690066.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr780907.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr780907.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ku690066.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\8b1413851bae064d8e90e7a74bbce06da53c96ab313e61d4ed366d085258869c.exe | "C:\Users\Admin\AppData\Local\Temp\8b1413851bae064d8e90e7a74bbce06da53c96ab313e61d4ed366d085258869c.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr780907.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr780907.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ku690066.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ku690066.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr780907.exe
| MD5 | 09d6549c050cbc2102aea2805ea6ae7f |
| SHA1 | a8cce3823c31fd2f4ae739ed34e22ee8077ad80d |
| SHA256 | de49136d49ba2505f96ce09850f5d1d5e42cdc778ee9f3612ff6a210e06e3659 |
| SHA512 | a6a8aa1d66e2c0248c2d79afa98955349e37018be5c72d7d117284b4fecd4003100df7abab796943898f4724d51cc5bb51e5484e5b9636e90e39b21030d58eaf |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ku690066.exe
| MD5 | a4a05c93db35cc7c59daa86bf049d333 |
| SHA1 | bf63cd10338fcd1005d853bcc1403cfe146683aa |
| SHA256 | 8969a5cf711d67cebaec37961d0a57fa40b0ecc6461a6dc772930f248f2624de |
| SHA512 | 80fa62ab015e93470e4ca3b6c80fa8e450b181a2c3d3da565a12654bc8bfaca29de25535459c6571487a163e240bfdd09929b49193dd5d272bc92210327334f8 |