Analysis Overview
SHA256
0feee5e3c397746639b00780252516f2b04002c184ef461491f76175f14b3241
Threat Level: Known bad
The file 0feee5e3c397746639b00780252516f2b04002c184ef461491f76175f14b3241 was found to be: Known bad.
Malicious Activity Summary
Detects Healer, an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
RedLine
Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
Program crash
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-10 10:04
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-10 10:04
Reported
2023-09-10 10:07
Platform
win10v2004-20230831-en
Max time kernel
142s
Max time network
155s
Signatures
Detects Healer, an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
RedLine
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4287018.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2483002.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5083950.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i6380824.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\0feee5e3c397746639b00780252516f2b04002c184ef461491f76175f14b3241.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4287018.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2483002.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1296 set thread context of 4200 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5083950.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5083950.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0feee5e3c397746639b00780252516f2b04002c184ef461491f76175f14b3241.exe
"C:\Users\Admin\AppData\Local\Temp\0feee5e3c397746639b00780252516f2b04002c184ef461491f76175f14b3241.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4287018.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4287018.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2483002.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2483002.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5083950.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5083950.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1296 -ip 1296
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 564
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i6380824.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i6380824.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 135.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 126.22.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.3.248.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | N/A | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4287018.exe
| MD5 | d987e0531e38a470713833a6c3beea1a |
| SHA1 | 5d119955b328c185e789184842c32e921c7bcc7b |
| SHA256 | ad106b63b4e195619b751a3c821c3f8cc58d4d363c1f405d38554d9d5e84179d |
| SHA512 | 94e20cf75a301dc27eb3119c193ac41b04b91a0550bf943ff04945aab0a04684e868c2dd56654f6855a8f87d642b5ac2e2fda3edf4fd97c04e0d33ff0ef370ff |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2483002.exe
| MD5 | cee1dcc4ed8abff974697e51a33c24fe |
| SHA1 | dfe3aa0e18a675fc8565f49af7e7900596028ccc |
| SHA256 | 48de1dd8db30ff7db7c40e7eb64deaab988750be3508f9d0de2a2351c07c3af3 |
| SHA512 | 01bc423050e89b9336751e9f4be8ef910e5e452f7493b1309b58fea20396cd4dced39001ca388ae2140569c63a6ec5941ae82c7c652bef33e61b34da076c648d |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5083950.exe
| MD5 | 6c5011cd8c67f60785ee26cb8cf93901 |
| SHA1 | 877ac7de7e199b217c373688e3b09bf5c47f1d01 |
| SHA256 | b574ba398c518977ae790e9c0bb7cbc7f9444fea0bf849f1a409218e4936034e |
| SHA512 | ae7f35b47bb9182d0cd4ddff175b72a1931a810c9963e249093408d78fbf598c93ab0734075868f8ecccdd058135d66ffaa9f4028484aea8a78a4243dc272aee |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i6380824.exe
| MD5 | c130d0b039fed3f2606e5a222e6ad67d |
| SHA1 | 08971b4c5b2ae83f0d8dad0515236b4d7a280220 |
| SHA256 | 451e63e619fd1cdc14311086de443842370fc3b01ff31eb55c08eb25cd5d23d2 |
| SHA512 | a513b79dcebf68ea7bc2ba42af8577f1e4f370e2e7e30237629671fd4c2310261fc5848908f6071efa959de82aeed3cd14e45d4da9b6c02a8b243510f418018a |