Analysis Overview
SHA256
e47b3c1321018ed6f7099724b15dbf0b4c8c7219034e88da0bb75c020895a303
Threat Level: Known bad
The file e47b3c1321018ed6f7099724b15dbf0b4c8c7219034e88da0bb75c020895a303 was found to be: Known bad.
Malicious Activity Summary
Detects Healer an antivirus disabler dropper
RedLine
RedLine payload
Healer family
Healer
Redline family
Modifies Windows Defender Real-time Protection settings
Windows security modification
Executes dropped EXE
Adds Run key to start application
Launches sc.exe
Program crash
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 03:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 03:02
Reported
2024-11-10 03:05
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py71jz69.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py71jz69.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py71jz69.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py71jz69.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns0062jy.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns0062jy.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns0062jy.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py71jz69.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns0062jy.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns0062jy.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns0062jy.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py71jz69.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8534.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will0150.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns0062jy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py71jz69.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs8283Kr.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns0062jy.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py71jz69.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py71jz69.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\e47b3c1321018ed6f7099724b15dbf0b4c8c7219034e88da0bb75c020895a303.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8534.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will0150.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py71jz69.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e47b3c1321018ed6f7099724b15dbf0b4c8c7219034e88da0bb75c020895a303.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8534.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will0150.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py71jz69.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs8283Kr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns0062jy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns0062jy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py71jz69.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py71jz69.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns0062jy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py71jz69.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e47b3c1321018ed6f7099724b15dbf0b4c8c7219034e88da0bb75c020895a303.exe
"C:\Users\Admin\AppData\Local\Temp\e47b3c1321018ed6f7099724b15dbf0b4c8c7219034e88da0bb75c020895a303.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8534.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8534.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will0150.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will0150.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns0062jy.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns0062jy.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py71jz69.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py71jz69.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2924 -ip 2924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 1056
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs8283Kr.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs8283Kr.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| RU | 193.233.20.28:4125 | tcp | |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| RU | 193.233.20.28:4125 | tcp | |
| RU | 193.233.20.28:4125 | tcp | |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| RU | 193.233.20.28:4125 | tcp | |
| RU | 193.233.20.28:4125 | tcp | |
| US | 8.8.8.8:53 | 27.178.89.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8534.exe
| MD5 | 0d5244144f579964686feac6e33dcc20 |
| SHA1 | fa3adb602905d03b67a88e4780199b9de2bbcdc5 |
| SHA256 | af3a6bc10bb882c07199bc7387bc2c90abf0e962f81bdeff1dccb0d2b9ff6a3c |
| SHA512 | bfa9a3626076f899c916242f69b15bee1d27c0737cab68362b7ceffff733abbca99e12546b76f1566471c36b7a4615475ae4bcb1c9e9b7bb10ddc0073bd63008 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will0150.exe
| MD5 | 895a0978523e668c611afb9c3b4d6389 |
| SHA1 | 2154b3729dccfa1f81defbab4f49d08cbff5b254 |
| SHA256 | 5ace32b8f584ea01f90147e75ce02c6a55a095fbde507eec1836831bf03689c3 |
| SHA512 | 95fdf2adfcbb9bf7b857daeacd01a74786a0c727056fc86f8d76f1b8efe205191b6cb0b7c73928cde2fb3c36e680fe5b6bab1b0ce4a4cef8961e7c92d69c8572 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns0062jy.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/4020-22-0x0000000000630000-0x000000000063A000-memory.dmp
memory/4020-21-0x00007FF91CBA3000-0x00007FF91CBA5000-memory.dmp
memory/4020-23-0x00007FF91CBA3000-0x00007FF91CBA5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py71jz69.exe
| MD5 | a338c53dd98115b11bcfc00da9c4e458 |
| SHA1 | f15e2b867f10667e5b0a5000b115b27dc3e15611 |
| SHA256 | 7420c9024d4ec8a4d467836ae4e18b3bd6e1d5c7d03534738ba21e1e2780a454 |
| SHA512 | bfb6c7aa08b6f1742c96e7739d146dd35f13be3a657d0fa4d15a08c0f3832d42ba2e7d2612c1e795092f58d7524290c42343da4db3d281c80f6f624ae709f7f4 |
memory/2924-29-0x0000000002420000-0x000000000243A000-memory.dmp
memory/2924-30-0x0000000004C80000-0x0000000005224000-memory.dmp
memory/2924-31-0x0000000002500000-0x0000000002518000-memory.dmp
memory/2924-32-0x0000000002500000-0x0000000002512000-memory.dmp
memory/2924-47-0x0000000002500000-0x0000000002512000-memory.dmp
memory/2924-59-0x0000000002500000-0x0000000002512000-memory.dmp
memory/2924-57-0x0000000002500000-0x0000000002512000-memory.dmp
memory/2924-55-0x0000000002500000-0x0000000002512000-memory.dmp
memory/2924-53-0x0000000002500000-0x0000000002512000-memory.dmp
memory/2924-51-0x0000000002500000-0x0000000002512000-memory.dmp
memory/2924-49-0x0000000002500000-0x0000000002512000-memory.dmp
memory/2924-45-0x0000000002500000-0x0000000002512000-memory.dmp
memory/2924-43-0x0000000002500000-0x0000000002512000-memory.dmp
memory/2924-41-0x0000000002500000-0x0000000002512000-memory.dmp
memory/2924-39-0x0000000002500000-0x0000000002512000-memory.dmp
memory/2924-37-0x0000000002500000-0x0000000002512000-memory.dmp
memory/2924-35-0x0000000002500000-0x0000000002512000-memory.dmp
memory/2924-33-0x0000000002500000-0x0000000002512000-memory.dmp
memory/2924-61-0x0000000000400000-0x00000000004B8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs8283Kr.exe
| MD5 | 0ecc8ab62b7278cc6650517251f1543c |
| SHA1 | b4273cda193a20d48e83241275ffc34ddad412f2 |
| SHA256 | b0f1238e54ac8e3534af7ecb4f834bea3223120fedb1eab80f7a1bf00fb5b97a |
| SHA512 | c79d266c82b766ca39377fd02b3bc307fce4b59f53936e97c162200de3f8b3f72f6beda2aef2ab9ecd9be669b625c6ed0aaefa157cca7ac11d78b1939f660092 |
memory/5056-66-0x0000000000F40000-0x0000000000F72000-memory.dmp
memory/5056-67-0x0000000005D60000-0x0000000006378000-memory.dmp
memory/5056-68-0x00000000058E0000-0x00000000059EA000-memory.dmp
memory/5056-69-0x0000000005810000-0x0000000005822000-memory.dmp
memory/5056-70-0x0000000005870000-0x00000000058AC000-memory.dmp
memory/5056-71-0x00000000059F0000-0x0000000005A3C000-memory.dmp