Analysis Overview
SHA256
b5809eef6113aed8d1ea58805175ec479c093cfa86d62107e30c544dcd0ae5ba
Threat Level: Known bad
The file b5809eef6113aed8d1ea58805175ec479c093cfa86d62107e30c544dcd0ae5baN was found to be: Known bad.
Malicious Activity Summary
RedLine
Healer family
RedLine payload
Healer
Redline family
Detects Healer an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
Executes dropped EXE
Windows security modification
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 20:29
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 20:29
Reported
2024-11-13 20:31
Platform
win10v2004-20241007-en
Max time kernel
116s
Max time network
118s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr252405.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr252405.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr252405.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr252405.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr252405.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr252405.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziko1979.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr252405.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku283026.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr252405.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\b5809eef6113aed8d1ea58805175ec479c093cfa86d62107e30c544dcd0ae5baN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziko1979.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b5809eef6113aed8d1ea58805175ec479c093cfa86d62107e30c544dcd0ae5baN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziko1979.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku283026.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr252405.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr252405.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr252405.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku283026.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b5809eef6113aed8d1ea58805175ec479c093cfa86d62107e30c544dcd0ae5baN.exe
"C:\Users\Admin\AppData\Local\Temp\b5809eef6113aed8d1ea58805175ec479c093cfa86d62107e30c544dcd0ae5baN.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziko1979.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziko1979.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr252405.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr252405.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku283026.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku283026.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziko1979.exe
| MD5 | 6b87024cba8409bfdd3ec28ab0840fb3 |
| SHA1 | cf7a9688818259221a09c14dc45effd49660e018 |
| SHA256 | 87bad030c63cc33105fe9e2a8a2dfd73afb9568861be9122e49f6ef660fcc14e |
| SHA512 | 4b4bc0d62d6bbf62e63233b0340f982a5e09555af2d9aca3cc46666b174ebd1e22b1fc469ffca398c4ceba2fc79a824d158990a916a1b731ddb2fe44c01d9bec |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr252405.exe
| MD5 | c07e7dd09767fc403da8db079ee85538 |
| SHA1 | 1eaa2f6f4217f2927d9be1a8d1fb52e1d4e1b028 |
| SHA256 | d967abdd02a35ed38f41f70d66ded44595a7343fcfdcdf2c4ca7abbd691421be |
| SHA512 | b189fdb21ad8d81840eeae2e1e14f3d972b9844af7589cbc193b6de9061f79b54b3726ba5c2551b68a86c82dbe1c17d76ef9e465960f5578a949837d5c2c7848 |
memory/4784-14-0x00007FFE2FD43000-0x00007FFE2FD45000-memory.dmp
memory/4784-15-0x0000000000310000-0x000000000031A000-memory.dmp
memory/4784-16-0x00007FFE2FD43000-0x00007FFE2FD45000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku283026.exe
| MD5 | a0ae2f9a9ce483075bc2bb8b2803045a |
| SHA1 | 533869845256977e3dbe29489ffbe4582a79339c |
| SHA256 | 325c76ceb7c0fad76e6554adfd954a0b8aed24f3942a71fbbb25b288071afb22 |
| SHA512 | 1443808e4d17a5c232abb23daf20f51de362806a5d3cc78b530d87d8d5bc5f9c6884b741c7469f1eceb49ac0813f2a732936cb70886d35bf436dc4de5163958c |
memory/3512-22-0x00000000024A0000-0x00000000024E6000-memory.dmp
memory/3512-23-0x0000000004BA0000-0x0000000005144000-memory.dmp
memory/3512-24-0x0000000002530000-0x0000000002574000-memory.dmp
memory/3512-30-0x0000000002530000-0x000000000256F000-memory.dmp
memory/3512-28-0x0000000002530000-0x000000000256F000-memory.dmp
memory/3512-26-0x0000000002530000-0x000000000256F000-memory.dmp
memory/3512-25-0x0000000002530000-0x000000000256F000-memory.dmp
memory/3512-42-0x0000000002530000-0x000000000256F000-memory.dmp
memory/3512-88-0x0000000002530000-0x000000000256F000-memory.dmp
memory/3512-86-0x0000000002530000-0x000000000256F000-memory.dmp
memory/3512-84-0x0000000002530000-0x000000000256F000-memory.dmp
memory/3512-80-0x0000000002530000-0x000000000256F000-memory.dmp
memory/3512-78-0x0000000002530000-0x000000000256F000-memory.dmp
memory/3512-76-0x0000000002530000-0x000000000256F000-memory.dmp
memory/3512-74-0x0000000002530000-0x000000000256F000-memory.dmp
memory/3512-72-0x0000000002530000-0x000000000256F000-memory.dmp
memory/3512-70-0x0000000002530000-0x000000000256F000-memory.dmp
memory/3512-68-0x0000000002530000-0x000000000256F000-memory.dmp
memory/3512-64-0x0000000002530000-0x000000000256F000-memory.dmp
memory/3512-62-0x0000000002530000-0x000000000256F000-memory.dmp
memory/3512-60-0x0000000002530000-0x000000000256F000-memory.dmp
memory/3512-58-0x0000000002530000-0x000000000256F000-memory.dmp
memory/3512-56-0x0000000002530000-0x000000000256F000-memory.dmp
memory/3512-54-0x0000000002530000-0x000000000256F000-memory.dmp
memory/3512-52-0x0000000002530000-0x000000000256F000-memory.dmp
memory/3512-50-0x0000000002530000-0x000000000256F000-memory.dmp
memory/3512-48-0x0000000002530000-0x000000000256F000-memory.dmp
memory/3512-46-0x0000000002530000-0x000000000256F000-memory.dmp
memory/3512-40-0x0000000002530000-0x000000000256F000-memory.dmp
memory/3512-38-0x0000000002530000-0x000000000256F000-memory.dmp
memory/3512-36-0x0000000002530000-0x000000000256F000-memory.dmp
memory/3512-34-0x0000000002530000-0x000000000256F000-memory.dmp
memory/3512-32-0x0000000002530000-0x000000000256F000-memory.dmp
memory/3512-82-0x0000000002530000-0x000000000256F000-memory.dmp
memory/3512-66-0x0000000002530000-0x000000000256F000-memory.dmp
memory/3512-44-0x0000000002530000-0x000000000256F000-memory.dmp
memory/3512-931-0x0000000005150000-0x0000000005768000-memory.dmp
memory/3512-932-0x0000000005790000-0x000000000589A000-memory.dmp
memory/3512-933-0x00000000058D0000-0x00000000058E2000-memory.dmp
memory/3512-934-0x00000000058F0000-0x000000000592C000-memory.dmp
memory/3512-935-0x0000000005A40000-0x0000000005A8C000-memory.dmp