Analysis Overview
SHA256
f615e31962bafe27badcb0be9e620294df7ff25a2f735b4ce71c7b9d4279f6ed
Threat Level: Known bad
The file f615e31962bafe27badcb0be9e620294df7ff25a2f735b4ce71c7b9d4279f6edN.exe was found to be: Known bad.
Malicious Activity Summary
Detects Healer an antivirus disabler dropper
RedLine payload
Healer
Modifies Windows Defender Real-time Protection settings
RedLine
Healer family
Redline family
Windows security modification
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 18:57
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 18:57
Reported
2024-11-13 18:59
Platform
win10v2004-20241007-en
Max time kernel
117s
Max time network
121s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr395719.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr395719.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr395719.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr395719.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr395719.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr395719.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr395719.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ku348887.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr395719.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\f615e31962bafe27badcb0be9e620294df7ff25a2f735b4ce71c7b9d4279f6edN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f615e31962bafe27badcb0be9e620294df7ff25a2f735b4ce71c7b9d4279f6edN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ku348887.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr395719.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr395719.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr395719.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ku348887.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f615e31962bafe27badcb0be9e620294df7ff25a2f735b4ce71c7b9d4279f6edN.exe
"C:\Users\Admin\AppData\Local\Temp\f615e31962bafe27badcb0be9e620294df7ff25a2f735b4ce71c7b9d4279f6edN.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr395719.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr395719.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ku348887.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ku348887.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr395719.exe
| MD5 | acc23556c09597b1481c68f178b6a193 |
| SHA1 | b934009fca742e9723c8f359f383a30a0f38527d |
| SHA256 | 74f7aecb49a321ffad49d08ea486a6ab50e964d54e383edcc4954c9c9ce5fda1 |
| SHA512 | 3a2576090272a8d6d38ea50cdf789d55ad140f87a21db1efd8bf2d5e4fb023db0024d7e03015fac96811c08645c6471d3a8afbc7e0579c219f89fc3c08c7cd13 |
memory/5080-7-0x00007FFA3C6D3000-0x00007FFA3C6D5000-memory.dmp
memory/5080-8-0x00000000009D0000-0x00000000009DA000-memory.dmp
memory/5080-9-0x00007FFA3C6D3000-0x00007FFA3C6D5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ku348887.exe
| MD5 | ab8d0323fd5702edab0603a367ee3264 |
| SHA1 | 04a4b673b395d414db240b49b7b4aa5218f1a09e |
| SHA256 | 37e7c4738c5649db5408f15fd8b7b704f8c0908e48e36ed9c9fd0c847dd0640b |
| SHA512 | 5f25049b12edeaea53c9bf709a3848c4378c458a7fa87dced8ec83ff18f67ad9b6652081c59bb43ef5af4947bec2bec85cc544ff4dd297132ca1c1db69a55dc2 |