Analysis Overview
SHA256
a9588fc4bafb7474e2728ff517dabb29f0c732c81f3e0e62038aee8f05a06944
Threat Level: Known bad
The file a9588fc4bafb7474e2728ff517dabb29f0c732c81f3e0e62038aee8f05a06944 was found to be: Known bad.
Malicious Activity Summary
Detects Healer, an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
RedLine
Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
Program crash
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-10 15:54
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-10 15:54
Reported
2023-09-10 15:56
Platform
win10v2004-20230831-en
Max time kernel
137s
Max time network
150s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
RedLine
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9864474.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6607290.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g2068941.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i6249302.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\a9588fc4bafb7474e2728ff517dabb29f0c732c81f3e0e62038aee8f05a06944.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9864474.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6607290.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1568 set thread context of 700 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g2068941.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g2068941.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a9588fc4bafb7474e2728ff517dabb29f0c732c81f3e0e62038aee8f05a06944.exe
"C:\Users\Admin\AppData\Local\Temp\a9588fc4bafb7474e2728ff517dabb29f0c732c81f3e0e62038aee8f05a06944.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9864474.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9864474.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6607290.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6607290.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g2068941.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g2068941.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1568 -ip 1568
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 572
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i6249302.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i6249302.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.105.26.67.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 77.91.124.82:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | N/A | tcp |
| FI | 77.91.124.82:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9864474.exe
| MD5 | 3df547477bc82d7460faf42306c38c76 |
| SHA1 | c3b1f84e80fe0f7f50b7245cddde93b1709a054d |
| SHA256 | b831b056d3aef5d0983bfdde1e03bc2dafe2ffcbfea7f8f8fb6e49e4a87b88ad |
| SHA512 | ee7a1a41de698d40deff8e44fa5d485355012885b79722ff144318e2a822b5d2874140dd07e07dedc9a5af3bab7da9520264fe2d1d9d775a58ea10da453ac05b |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6607290.exe
| MD5 | 51be5c3f15c3fb7ba487f649fa89d3d7 |
| SHA1 | 94d82d3e5e58c1dc399fd57e7a92b56910f845d3 |
| SHA256 | f8f3d5983bad1bee373cda9d2dc9e890bd9444040942368f290b7ba9b3cfd586 |
| SHA512 | 5ada601651631a03edb2e3f34069e1a4bcd2149370d182a36b8901accba243643f816fe380b3fd767e84bf8519f79a046ee62229f5198b87c5669d9e0544bacb |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g2068941.exe
| MD5 | f7eeb1a801d2c9102c4e0f1ad3eb647e |
| SHA1 | 661a1722f7a8ad76e468e3e2c49ca772ac3fe3db |
| SHA256 | 16a01e437d325a072479cd6bb8698218c40c65807738ad36c668d25b38c33830 |
| SHA512 | 067e53cfa3a1736e8b0aa95178727acadd8ec51d4bb7104892d1503861b4884c6966133fa58f51d59be7d9f1823939bb2ecc8b9506e92c160360296b387e37a4 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i6249302.exe
| MD5 | 6fe994cd4180c2fee4086ef9a603bdff |
| SHA1 | 0be2ab8e6bc618922af5c2b5ffbb27478b0f558b |
| SHA256 | a183f708e69dbcd0fb6fd7a031bb6a76bcfd2d617cc98e7640bc428d5fc9c37d |
| SHA512 | 54c20e6998c05dfd9f76058c175dee4dc155cff9883b2703eb64126724c4a579c655cd468566f062ae95fc471a27258a465a4340e45fc712b7ca82dde7739aaa |