Analysis Overview
SHA256: ceb82c4b0890b6b924cb12ec2bdbfd1da0f46ea12af5d292a7b87180c5a7102f
Threat Level: Known bad
The file ceb82c4b0890b6b924cb12ec2bdbfd1da0f46ea12af5d292a7b87180c5a7102f was found to be: Known bad.
Malicious Activity Summary
Healer
Modifies Windows Defender Real-time Protection settings
RedLine
Detects Healer an antivirus disabler dropper
Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
Program crash
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2023-09-10 14:53
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2023-09-10 14:53
Reported: 2023-09-10 14:56
Platform: win10v2004-20230831-en
Max time kernel: 142s
Max time network: 150s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
RedLine
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5376855.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6148244.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g3279643.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i3505729.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\ceb82c4b0890b6b924cb12ec2bdbfd1da0f46ea12af5d292a7b87180c5a7102f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5376855.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6148244.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4356 set thread context of 2308 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g3279643.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g3279643.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\ceb82c4b0890b6b924cb12ec2bdbfd1da0f46ea12af5d292a7b87180c5a7102f.exe | "C:\Users\Admin\AppData\Local\Temp\ceb82c4b0890b6b924cb12ec2bdbfd1da0f46ea12af5d292a7b87180c5a7102f.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5376855.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5376855.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6148244.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6148244.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g3279643.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g3279643.exe |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4356 -ip 4356 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 136 |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i3505729.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i3505729.exe |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 126.154.27.67.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 254.109.26.67.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5376855.exe
| Hash | Value |
|---|---|
| MD5 | 63d3eaf6b0dc1bc2f44a780ce2b5ff44 |
| SHA1 | d066c5bbdb051aa43f90a7ab8171ae10dc21891b |
| SHA256 | adbb9d859ea060cfbd33db30ac273353b768d01ac550213e162f40597f5bdc11 |
| SHA512 | 38d51a119d3d569060baac0af64d7d503084da8c1963c934153dc89014bcdf32975cf1d4d612e40e49fe62741b3b7c516e97d7ad322392d36d514c61acbeea96 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6148244.exe
| Hash | Value |
|---|---|
| MD5 | d4a0848a26c42e344dd2a92adcb8a0dd |
| SHA1 | a20f4c0e63d4d135b9dec707eb973af971a03a0d |
| SHA256 | d98f3b7218c59ac82176a2f6f9e1d1cf01c56dfd2c49848adf736504203a8d04 |
| SHA512 | 5c9fa8784a83f825efbbba965b05fd0a36f12fca77bf7777dc444860fec632e2d2663da86b7911fbb64208515c5f5abdc355ede13eb3fa30b718984ffa130ee3 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g3279643.exe
| Hash | Value |
|---|---|
| MD5 | 1d1f86eea36c30dce371f778336cb853 |
| SHA1 | 57b2b137b18b2474906e2ec110b7dd2330815503 |
| SHA256 | db97c170eea6257a10b720d9fa84356e99791161c68f7b88810689573c7bb2ab |
| SHA512 | 28950f809d5557ad90c26c87923746fbfd70ba2ca7664fcfc5c6fdc0c20de0f4fe928ec54d49a3ea44c1ba8356c20807ee08578d9efc804ad96074a1057337cb |
memory/2308-21-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2308-22-0x00000000741B0000-0x0000000074960000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i3505729.exe
| Hash | Value |
|---|---|
| MD5 | 4b1ae4c93cc015f4908c2295090e24bb |
| SHA1 | 775d742112adc54096b581055d74e9fde55ac356 |
| SHA256 | e557efc922abad0fb10b739732795562addccafc56ca14007f70d57935ac5cbf |
| SHA512 | 57f05c6d06da1e28b20bba11ef11143f739f7a816c18fb8a7251e41e9bdd67da3505bccc75c9ce2776d23dd0eec887ef3a101a0463b230f8815e941afa16fded |
memory/2688-26-0x0000000000CE0000-0x0000000000D10000-memory.dmp
memory/2688-27-0x00000000741B0000-0x0000000074960000-memory.dmp
memory/2688-28-0x0000000005CD0000-0x00000000062E8000-memory.dmp
memory/2688-29-0x00000000057C0000-0x00000000058CA000-memory.dmp
memory/2688-30-0x00000000056A0000-0x00000000056B0000-memory.dmp
memory/2688-31-0x0000000005660000-0x0000000005672000-memory.dmp
memory/2688-32-0x00000000056F0000-0x000000000572C000-memory.dmp
memory/2308-33-0x00000000741B0000-0x0000000074960000-memory.dmp
memory/2308-35-0x00000000741B0000-0x0000000074960000-memory.dmp
memory/2688-36-0x00000000741B0000-0x0000000074960000-memory.dmp
memory/2688-37-0x00000000056A0000-0x00000000056B0000-memory.dmp