Analysis Overview
SHA256
0a5b579b14047adf00f8f65899edfdbfbfca495e20eab9f119a6e8004a5f25a8
Threat Level: Known bad
The file 0a5b579b14047adf00f8f65899edfdbfbfca495e20eab9f119a6e8004a5f25a8 was found to be: Known bad.
Malicious Activity Summary
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
RedLine
Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-10 14:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-10 14:38
Reported
2023-09-10 14:41
Platform
win10v2004-20230831-en
Max time kernel
149s
Max time network
165s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
RedLine
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7307703.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1522459.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1063765.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i0456451.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\0a5b579b14047adf00f8f65899edfdbfbfca495e20eab9f119a6e8004a5f25a8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7307703.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1522459.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3708 set thread context of 3764 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1063765.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1063765.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0a5b579b14047adf00f8f65899edfdbfbfca495e20eab9f119a6e8004a5f25a8.exe
"C:\Users\Admin\AppData\Local\Temp\0a5b579b14047adf00f8f65899edfdbfbfca495e20eab9f119a6e8004a5f25a8.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7307703.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7307703.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1522459.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1522459.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1063765.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1063765.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3708 -ip 3708
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 140
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i0456451.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i0456451.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.177.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.24.238.8.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 63.141.182.52.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7307703.exe
| MD5 | 91e4e48350f036e1334412d11e6285ef |
| SHA1 | f9730179bc8d5b8335158baf4e08c2ddee7ece0d |
| SHA256 | d7d8da125fdb7c5a7d1109d4362c84eeb4243c6168f9f9022677bcb0eb7fc4f1 |
| SHA512 | c3404c9541648a12aaa7636cdac9aede1f35d130c4906dcc015d9b96ce89e08b9a9985c4bf2dbe1136a024c0ea123d2febe9499a2b464bbb0c7273743e5cc0b3 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1522459.exe
| MD5 | ac051a7a5a2408817258fef925cad636 |
| SHA1 | 5b914c5fad182f627005d31c6b6c9d58840014b1 |
| SHA256 | c5d8b2f483e27b4c50d706a268079197f7560699492af2fcea85ac6932147770 |
| SHA512 | 08c35a433c20f8f5943d577684d1329e57ef12230e74cface874561d856cebaabd3c11811d2415db3eba20b9afc3a233ac0edb303728258a26ff9af2435a385e |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1063765.exe
| MD5 | fa7780d4c0966d5b201bdd02de37c794 |
| SHA1 | d3397b5bffe22c059a23c6865acc9a14123e0ce1 |
| SHA256 | e25b3480d4fd85580779bc35f370801adc9249ceff39dce08b70ecaa1238d933 |
| SHA512 | 7d09c84109728ea9c29382f6acd861a05fd22a2a73ba756dc69566cb0cd82be3de319ac1303ec1de85f7dbe0eff80dd4690ca3b7e75b8949e9b98a672e8f90f1 |
memory/3764-21-0x0000000000400000-0x000000000040A000-memory.dmp
memory/3764-22-0x0000000073A40000-0x00000000741F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i0456451.exe
| MD5 | e261b6acd9cc1e669a183fad0a537725 |
| SHA1 | e29048c4b6c0369df6b3a805f4453a59f0b8b505 |
| SHA256 | f75fffadd09751b92d3e04098fb50037a439d077358e9358bb2d7b4f8e1a85f1 |
| SHA512 | ad2350f2d67f6202a22599882c6e9247c4655339d315ef487ebf3bf6b396d4423cf9339563db58318c2db816441fba47c64198bae2dd251c5125344e4df08c3b |
memory/1772-26-0x0000000000EE0000-0x0000000000F10000-memory.dmp
memory/1772-27-0x0000000073A40000-0x00000000741F0000-memory.dmp
memory/1772-28-0x0000000005FC0000-0x00000000065D8000-memory.dmp
memory/1772-29-0x0000000005AB0000-0x0000000005BBA000-memory.dmp
memory/1772-30-0x00000000059C0000-0x00000000059D2000-memory.dmp
memory/3764-31-0x0000000073A40000-0x00000000741F0000-memory.dmp
memory/1772-32-0x0000000003290000-0x00000000032A0000-memory.dmp
memory/1772-33-0x0000000005A20000-0x0000000005A5C000-memory.dmp
memory/1772-34-0x0000000073A40000-0x00000000741F0000-memory.dmp
memory/3764-36-0x0000000073A40000-0x00000000741F0000-memory.dmp
memory/1772-37-0x0000000003290000-0x00000000032A0000-memory.dmp