Analysis Overview
SHA256
106020cc65e83aa47d7d68fc773889505ff2f7540aefdcc10f55dbc9e219fcbe
Threat Level: Known bad
The file 106020cc65e83aa47d7d68fc773889505ff2f7540aefdcc10f55dbc9e219fcbe was found to be: Known bad.
Malicious Activity Summary
Redline family
Healer
RedLine payload
Modifies Windows Defender Real-time Protection settings
Detects Healer an antivirus disabler dropper
Healer family
RedLine
Executes dropped EXE
Windows security modification
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 19:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 19:44
Reported
2024-11-13 19:47
Platform
win10v2004-20241007-en
Max time kernel
143s
Max time network
147s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr327428.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr327428.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr327428.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr327428.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr327428.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr327428.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAw0233.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr327428.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku435802.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr327428.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\106020cc65e83aa47d7d68fc773889505ff2f7540aefdcc10f55dbc9e219fcbe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAw0233.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\106020cc65e83aa47d7d68fc773889505ff2f7540aefdcc10f55dbc9e219fcbe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAw0233.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku435802.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr327428.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr327428.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr327428.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku435802.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\106020cc65e83aa47d7d68fc773889505ff2f7540aefdcc10f55dbc9e219fcbe.exe
"C:\Users\Admin\AppData\Local\Temp\106020cc65e83aa47d7d68fc773889505ff2f7540aefdcc10f55dbc9e219fcbe.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAw0233.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAw0233.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr327428.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr327428.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku435802.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku435802.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | N/A | tcp |
| RU | 176.113.115.145:4125 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAw0233.exe
| MD5 | 410ee0e9160080cbc93b34d7d3d5ae2f |
| SHA1 | 2a7f90789db33e01d6296cbb753b44fc36a129b4 |
| SHA256 | e51ad54d5e20a2992e1ea3c7ae372beac5182dcff70984ee7a73a8194186c347 |
| SHA512 | 06ba783e8dfd1bbc8ee64be212e5f423dfc6840d05986f5a3a06c124f805202161401f752be819d8693ae7e39377b4fdcb64550b00a2605fac2cd7fb6e32ae9d |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr327428.exe
| MD5 | c2a05bf02a5e6ce6beeb1b747f006b3e |
| SHA1 | 801edcbef274e47c522bb985467ced3bff296dfb |
| SHA256 | cb2b0d97af25b121dd8ef83a7003f3cee9469acd374d0d04986be37c76ed060b |
| SHA512 | dc399d61fc7efeea480ef95f008d13c6b040080246eac7efd56e43457af2d0d6a5e89f16c63eb339d98d0b0d2b8ed1879ce4bc707111f5b74f928f1499182d56 |
memory/2820-14-0x0000000000300000-0x000000000030A000-memory.dmp
memory/2820-15-0x00007FFD35C63000-0x00007FFD35C65000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku435802.exe
| MD5 | 846bccad745dd9c3554ac6c3ac4897f0 |
| SHA1 | 207773905bf2ef9a81f9127b914642ca49639def |
| SHA256 | d50e724b0f736b7db102e3d13354825c39e1235e80235adbef29a6ec680a84d9 |
| SHA512 | c5385ed983b366d7627bb0ca26f27a3f5dbbccd9a0c1ba1721cb684fd702846e4dc9f8d4499b86ed69236cdbf364a1a0e5f7f45b49fba93214a9c2c39bbb8c55 |