Analysis Overview
SHA256
7b1bf70120dc9fc14cbe1686d874a5e9aff93621e115b49c83426b832d19fc67
Threat Level: Known bad
The file 7b1bf70120dc9fc14cbe1686d874a5e9aff93621e115b49c83426b832d19fc67 was found to be: Known bad.
Malicious Activity Summary
RedLine
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
Launches sc.exe
Unsigned PE
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-10 09:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-10 09:33
Reported
2023-09-10 09:36
Platform
win10v2004-20230831-en
Max time kernel
137s
Max time network
149s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
RedLine
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2492182.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2334444.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4767974.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i3499465.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\7b1bf70120dc9fc14cbe1686d874a5e9aff93621e115b49c83426b832d19fc67.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2492182.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2334444.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 496 set thread context of 1532 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4767974.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4767974.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\7b1bf70120dc9fc14cbe1686d874a5e9aff93621e115b49c83426b832d19fc67.exe | "C:\Users\Admin\AppData\Local\Temp\7b1bf70120dc9fc14cbe1686d874a5e9aff93621e115b49c83426b832d19fc67.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2492182.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2492182.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2334444.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2334444.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4767974.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4767974.exe |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 496 -ip 496 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 496 -s 168 |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i3499465.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i3499465.exe |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe start wuauserv |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.121.18.2.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 210.143.182.52.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2492182.exe
| Hash | Value |
| --- | --- |
| MD5 | e5b7101ef5e87f4bdcd9969a70d4dfba |
| SHA1 | 65fda7e9fe6bea2743319bff23c1ed9cf307fcdd |
| SHA256 | e1f6dfaabc115bb11316590e38ec4d112851a848190c39d783b3975821a7792b |
| SHA512 | c14bc3ea5aeb98ff52903ddcbb1e546566321a2cdd507fa4a1d6fe3e10dee638c80ca486818470d851f90517ad5ac21268baffda16ee5f79b2edc120bdb60f86 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2334444.exe
| Hash | Value |
| --- | --- |
| MD5 | c7fcd765d717dd4572cd020a5855a1e7 |
| SHA1 | ef48e5087271e08238ca5777bad1517d7fac9abb |
| SHA256 | c0bc9d0feeba34d711db79d20019164fd92efebdf0ddd8e5af7f649d9981d776 |
| SHA512 | 7a54a40510e97f813a7522a7266754cdb0cbbe42f7d983c5933bb7cd94a02494172cec6be8d1f51e73d4e857917547d26a061118d6aa017a8e4d5d412323d31f |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4767974.exe
| Hash | Value |
| --- | --- |
| MD5 | 052e3dc1f0c1cdf12f7dd4b80bfb6e2d |
| SHA1 | 57fa3d404e39146737443b2a295db7cd3e30ddb9 |
| SHA256 | 329f724caadae645ee3c70202626a562bd251cf5986b53e1195ff5a615d4011f |
| SHA512 | 620f0b23a01ae3c9295de2f4c0e89242c5e862e4f395bb73211c8803c419623ca35065be5bda420dca0aa3c62a2ff54d375a480be3cb0ef8105ffabbc9d5efc8 |
memory/1532-21-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1532-22-0x00000000745F0000-0x0000000074DA0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i3499465.exe
| Hash | Value |
| --- | --- |
| MD5 | 14d3c7f32c71badb827292181829cf47 |
| SHA1 | ff5afc85181a150b7158cdfaaa8679b8e729c872 |
| SHA256 | 4e0cf6893405937ec20cdcec1efa7d59d8649ace8785f66867badf92fd3e3ba4 |
| SHA512 | 62d5080c018c24a8571c9dfba239c41f77c52eddac06d9355748e6cacbea6c4faa4c7ffa1452bb598cfbae137eff80a6f14088761273447d24f14d87ede9bf9c |
memory/4104-26-0x00000000001F0000-0x0000000000220000-memory.dmp
memory/4104-27-0x00000000745F0000-0x0000000074DA0000-memory.dmp
memory/4104-28-0x00000000051D0000-0x00000000057E8000-memory.dmp
memory/4104-29-0x0000000004CC0000-0x0000000004DCA000-memory.dmp
memory/4104-31-0x0000000004BA0000-0x0000000004BB0000-memory.dmp
memory/4104-30-0x0000000004B70000-0x0000000004B82000-memory.dmp
memory/4104-32-0x0000000004BF0000-0x0000000004C2C000-memory.dmp
memory/1532-33-0x00000000745F0000-0x0000000074DA0000-memory.dmp
memory/1532-35-0x00000000745F0000-0x0000000074DA0000-memory.dmp
memory/4104-36-0x00000000745F0000-0x0000000074DA0000-memory.dmp
memory/4104-37-0x0000000004BA0000-0x0000000004BB0000-memory.dmp