Analysis Overview
SHA256
4a7a6d2953344489e7d7efc811832551098870b44b2820495685d3d0040c0b87
Threat Level: Known bad
The file 4a7a6d2953344489e7d7efc811832551098870b44b2820495685d3d0040c0b87 was found to be: Known bad.
Malicious Activity Summary
Healer
RedLine
Detects Healer, an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
Program crash
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-10 08:27
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-10 08:27
Reported
2023-09-10 08:30
Platform
win10v2004-20230831-en
Max time kernel
141s
Max time network
148s
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
RedLine
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6098172.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1997668.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g9349969.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i2524794.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\4a7a6d2953344489e7d7efc811832551098870b44b2820495685d3d0040c0b87.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6098172.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1997668.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4460 set thread context of 4472 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g9349969.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g9349969.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\4a7a6d2953344489e7d7efc811832551098870b44b2820495685d3d0040c0b87.exe | "C:\Users\Admin\AppData\Local\Temp\4a7a6d2953344489e7d7efc811832551098870b44b2820495685d3d0040c0b87.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6098172.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6098172.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1997668.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1997668.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g9349969.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g9349969.exe |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4460 -ip 4460 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 552 |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i2524794.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i2524794.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 126.153.27.67.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6098172.exe
| MD5 | a9b7ed2e731d855628624c2277a9d50f |
| SHA1 | 596f433963359f0ca8ffac144866f4b10de69a19 |
| SHA256 | ff6dbc33600cf81f6bacbef7be2acc24041e250401d9acfe44ecdb54d6e69d34 |
| SHA512 | bd3c2b4add9eb72153defd449c38c6c9b78ec7f47189d78c50036fe1c44d0b07262b1312fa6c405db57e3100fa84433a37bda2dd3aa1fc279d37971cf5438558 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1997668.exe
| MD5 | edda054dc43ca5835c8c6a807e5cc2a6 |
| SHA1 | 5ed759b798d5121ec9c21fcefa1c205752138ade |
| SHA256 | cfdd7cccd30b3d5c98b4ecd177a04e0a270732f8b2af084006c93c412bf02bb5 |
| SHA512 | ee9d7ef7e7b6ca78c1408ba8b8143613e745d42764eaf133ae451af6bf78ee2bb0d2f7bbbfb8c337e21bc416288bf6567b19747e9cb133183c498360fdb7b686 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g9349969.exe
| MD5 | a389641629f09dcc3481225050a4f97e |
| SHA1 | 8a362221255a497770d8e6e2eb6dd99dda4603c0 |
| SHA256 | af0666782654041ba087b6bd06d54cdf1a054fb8a9023bfd268a9300e3424dad |
| SHA512 | 747017ad690ad4fc24a374f1d988310c58657c0b17f23d0f57fe7706d467e4f255414b7fe281f96217f0cb17f59875fb2b132b63fbe2bf0bec03fe5f153ed623 |
memory/4472-21-0x0000000000400000-0x000000000040A000-memory.dmp
memory/4472-22-0x00000000745A0000-0x0000000074D50000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i2524794.exe
| MD5 | 431d7f2a70721cb4fd5db6ecbbdd19ef |
| SHA1 | 588099712cd56e81fa755215c6c148b77949887e |
| SHA256 | 105f6a081b1ed60160317855f249951ee4f1b5a345fd4981f3e5f69d88acc9be |
| SHA512 | bbdeb5ae71a7e3ef5e64d8ed653eb7fee03c2dcfab2c654731ec8f1ba88fe491a055dfd566965b551b24dd91551ca0d9f31e5f8b69cf8a52767fcb627a1af5df |
memory/2504-26-0x00000000005B0000-0x00000000005E0000-memory.dmp
memory/2504-27-0x00000000745A0000-0x0000000074D50000-memory.dmp
memory/2504-28-0x0000000005650000-0x0000000005C68000-memory.dmp
memory/2504-29-0x0000000005140000-0x000000000524A000-memory.dmp
memory/2504-31-0x0000000004E20000-0x0000000004E30000-memory.dmp
memory/2504-30-0x0000000005080000-0x0000000005092000-memory.dmp
memory/2504-32-0x00000000050E0000-0x000000000511C000-memory.dmp
memory/4472-33-0x00000000745A0000-0x0000000074D50000-memory.dmp
memory/4472-35-0x00000000745A0000-0x0000000074D50000-memory.dmp
memory/2504-36-0x00000000745A0000-0x0000000074D50000-memory.dmp
memory/2504-37-0x0000000004E20000-0x0000000004E30000-memory.dmp