Analysis Overview
SHA256
bd4590019a8bc135962c18a5388c5e3c316f8a41a69eae1e1cc9c5c84e5155a1
Threat Level: Known bad
The file bd4590019a8bc135962c18a5388c5e3c316f8a41a69eae1e1cc9c5c84e5155a1 was found to be: Known bad.
Malicious Activity Summary
Detects Healer, an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
RedLine
Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2023-09-10 15:08
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-10 15:08
Reported
2023-09-10 15:11
Platform
win10v2004-20230831-en
Max time kernel
147s
Max time network
154s
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
RedLine
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6339940.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1824249.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g6859236.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i5273536.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\bd4590019a8bc135962c18a5388c5e3c316f8a41a69eae1e1cc9c5c84e5155a1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6339940.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1824249.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3744 set thread context of 1692 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g6859236.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g6859236.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\bd4590019a8bc135962c18a5388c5e3c316f8a41a69eae1e1cc9c5c84e5155a1.exe | "C:\Users\Admin\AppData\Local\Temp\bd4590019a8bc135962c18a5388c5e3c316f8a41a69eae1e1cc9c5c84e5155a1.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6339940.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6339940.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1824249.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1824249.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g6859236.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g6859236.exe |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3744 -ip 3744 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 568 |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i5273536.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i5273536.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.22.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.7.248.8.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 169.117.168.52.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6339940.exe
| MD5 | 88bc3ec68588f974cb31cf00152dc3e4 |
| SHA1 | 067d42b7eeaaccf6b02889f7061bc7d7e76d1f0b |
| SHA256 | c159b2d6c5b07308a59537f9333b0cf099f236511bfb0470d10cbf43eb91b233 |
| SHA512 | 4fd6886ad74638faa2ed1b2e6fac812918bbd8ccb2e9561ef2fbf9422555c2e4d7ab5b2f14eaca7b5ab113060f91f493873002188b068def569a16ab99b88aac |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1824249.exe
| MD5 | 81ba8551506158ae3eb1aced9b4a7e32 |
| SHA1 | 59534adf6a0e490ac77e4797f41270004df3d4e2 |
| SHA256 | 93440169d531ad9946983e179bda61bd9b153485fd937df96777f370bd6a22cd |
| SHA512 | 2ff29056480fde2de2961f91295fef5bc7d29c89496c6f316ada5ebe34159041c7b9e14b5212bec7e7153952f93c748b71603a0acfb0262d792a280c5c8dd99a |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g6859236.exe
| MD5 | e4df0065784e44ae0707c2a41ca86a47 |
| SHA1 | c6e6c47fb4b2eb1fd0d0588a61d6eb5e3756b975 |
| SHA256 | 99fe7e716c7ad5a7d77f4e98ecde44e9db6d963eace9dcc48bc95e2bab6944b5 |
| SHA512 | ddd6059f54bdea3e4070ef704dea6cb5a8c3e8739c4b3c0063760b411a94741f8d0593b45e485882f4617cb5dcfd54911fd0fe485e668d449a418d230a6dbb28 |
memory/1692-21-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1692-22-0x0000000074800000-0x0000000074FB0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i5273536.exe
| MD5 | 6f8538d6a45e560575ae8be8d8641f90 |
| SHA1 | 14e38e59f093577b5c94fdb8e68f123c98fcccf6 |
| SHA256 | b5b0a5b8a27077826cab3220834b11166e7a7d9cbb1514b769673339118ce5c7 |
| SHA512 | 0119e350e42af7550703ab37ac8374c853f56ca8c848c355a29e5426a691c1b36fcb99fe81eb220c8ec247d5c88cc19d958aa7abe2c34dee8b52e8dae98bfba2 |
memory/3280-26-0x0000000000C60000-0x0000000000C90000-memory.dmp
memory/3280-27-0x0000000074800000-0x0000000074FB0000-memory.dmp
memory/3280-28-0x0000000005C20000-0x0000000006238000-memory.dmp
memory/3280-29-0x0000000005710000-0x000000000581A000-memory.dmp
memory/3280-30-0x00000000054F0000-0x0000000005500000-memory.dmp
memory/3280-31-0x0000000005600000-0x0000000005612000-memory.dmp
memory/3280-32-0x0000000005660000-0x000000000569C000-memory.dmp
memory/1692-33-0x0000000074800000-0x0000000074FB0000-memory.dmp
memory/3280-35-0x0000000074800000-0x0000000074FB0000-memory.dmp
memory/1692-36-0x0000000074800000-0x0000000074FB0000-memory.dmp
memory/3280-37-0x00000000054F0000-0x0000000005500000-memory.dmp