Analysis Overview
SHA256
11ecd191e2f21f262b54d2a820dfe068015ad378257c7c3b2a4a356119b0e29e
Threat Level: Known bad
The file 11ecd191e2f21f262b54d2a820dfe068015ad378257c7c3b2a4a356119b0e29e was found to be: Known bad.
Malicious Activity Summary
Healer
RedLine
Detects Healer, an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-10 16:08
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-10 16:08
Reported
2023-09-10 16:11
Platform
win10v2004-20230831-en
Max time kernel
148s
Max time network
155s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
RedLine
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6330032.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7119808.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0315147.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i3272917.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\11ecd191e2f21f262b54d2a820dfe068015ad378257c7c3b2a4a356119b0e29e.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6330032.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7119808.exe | N/A |
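The Defender and RunOnce rows above deserve to be read as two different things. The five Real-Time Protection values set to 1 from AppLaunch.exe are the tamper signal: HKLM\SOFTWARE\Policies is the area Group Policy writes, and a .NET host process setting it is not administration. The three wextract_cleanupN RunOnce entries, by contrast, are the IExpress self-extractor's housekeeping: wextract registers them so that advpack.dll,DelNodeRunDLL32 deletes its IXPnnn.TMP directory at next logon, which is also why the drop chain runs out of IXP000.TMP, IXP001.TMP and IXP002.TMP. The script below is an added example, not the sandbox's code: it applies those two rules to event rows constructed from the tables above (the (op, indicator, process) row shape and the rule names are assumptions).

```python
"""Triage the registry rows above: Defender tampering versus installer noise.

Added example for this report, not the sandbox's code. SAMPLE_EVENTS is built from
the 'Modifies Windows Defender Real-time Protection settings' and 'Adds Run key to
start application' tables; the (op, indicator, process) row shape is an assumption.
"""
import ntpath
import re
from dataclasses import dataclass

# Real-Time Protection policy values that switch a protection off when set to 1.
# These are the five seen in the report, not an exhaustive list.
RTP_DISABLE_VALUES = {
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableRealtimeMonitoring",
    "DisableScanOnRealtimeEnable",
}
RTP_KEY_RE = re.compile(r"\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection$", re.I)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
# wextract (the IExpress self-extractor) registers wextract_cleanupN under RunOnce
# to delete its own IXPnnn.TMP directory via advpack.dll,DelNodeRunDLL32. That is
# installer housekeeping, not persistence of the payload.
WEXTRACT_RE = re.compile(r"^wextract_cleanup\d+$", re.I)
DELNODE_RE = re.compile(r"advpack\.dll,DelNodeRunDLL32", re.I)


@dataclass(frozen=True)
class RegEvent:
    op: str         # "Key created", "Set value (int)", "Set value (str)"
    indicator: str  # key path, optionally followed by '\<value> = "<data>"'
    process: str    # image path of the writing process


@dataclass(frozen=True)
class Finding:
    severity: str
    rule: str
    process: str
    detail: str


def parse_indicator(indicator):
    """Split an indicator into (key_path, value_name, data); bare keys give None, None."""
    path, sep, data = indicator.partition(" = ")
    if not sep:
        return indicator, None, None
    key_path, _, value_name = path.rpartition("\\")
    return key_path, value_name, data.strip().strip('"')


def evaluate(events):
    """Return one Finding per event that matches a rule; unmatched events are dropped."""
    findings = []
    for ev in events:
        key_path, value_name, data = parse_indicator(ev.indicator)
        if RTP_KEY_RE.search(key_path):
            if value_name is None:
                findings.append(Finding("medium", "defender_rtp_policy_key_created", ev.process, key_path))
            elif value_name in RTP_DISABLE_VALUES and data == "1":
                findings.append(Finding("high", "defender_rtp_disabled", ev.process, f"{value_name}=1"))
        elif RUN_KEY_RE.search(key_path) and value_name is not None:
            if WEXTRACT_RE.match(value_name) and DELNODE_RE.search(data):
                findings.append(Finding("info", "wextract_cleanup_runonce", ev.process, value_name))
            else:
                findings.append(Finding("medium", "run_key_persistence", ev.process, f"{value_name}={data}"))
    return findings


# --- constructed sample, copied from the report's rows -------------------------
APPLAUNCH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
RTP_KEY = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
RUNONCE_KEY = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"


def delnode_cmd(tmpdir):
    """Sandbox-escaped RunOnce data that deletes tmpdir via advpack.dll,DelNodeRunDLL32."""
    return (r'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"'
            r'C:\\Users\\Admin\\AppData\\Local\\Temp\\' + tmpdir + r'\\\"')


SAMPLE_EVENTS = [
    RegEvent("Key created", RTP_KEY, APPLAUNCH),
    *[RegEvent("Set value (int)", f'{RTP_KEY}\\{name} = "1"', APPLAUNCH)
      for name in sorted(RTP_DISABLE_VALUES)],
    RegEvent("Set value (str)", f'{RUNONCE_KEY}\\wextract_cleanup0 = "{delnode_cmd("IXP000.TMP")}"',
             TEMP + r"\11ecd191e2f21f262b54d2a820dfe068015ad378257c7c3b2a4a356119b0e29e.exe"),
    RegEvent("Set value (str)", f'{RUNONCE_KEY}\\wextract_cleanup1 = "{delnode_cmd("IXP001.TMP")}"',
             TEMP + r"\IXP000.TMP\x6330032.exe"),
    RegEvent("Set value (str)", f'{RUNONCE_KEY}\\wextract_cleanup2 = "{delnode_cmd("IXP002.TMP")}"',
             TEMP + r"\IXP001.TMP\x7119808.exe"),
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] {f.rule:32} {ntpath.basename(f.process):18} {f.detail}")
```

Run against the report's rows it yields five high findings and one medium, all attributed to AppLaunch.exe, and three info findings for the wextract entries; a Run or RunOnce value that is not a wextract cleanup entry falls through to run_key_persistence, which is the case you would actually escalate.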
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4472 set thread context of 716 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0315147.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0315147.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\11ecd191e2f21f262b54d2a820dfe068015ad378257c7c3b2a4a356119b0e29e.exe
"C:\Users\Admin\AppData\Local\Temp\11ecd191e2f21f262b54d2a820dfe068015ad378257c7c3b2a4a356119b0e29e.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6330032.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6330032.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7119808.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7119808.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0315147.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0315147.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4472 -ip 4472
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 148
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i3272917.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i3272917.exe
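Read together, the SetThreadContext row, the two WerFault.exe command lines and the memory dump names tell one story: g0315147.exe (PID 4472) set a thread context in the only AppLaunch.exe in the process list (PID 716), then 4472 itself crashed (both WerFault lines name -p 4472, matching the Program crash row), while 716 survived and is the AppLaunch.exe that appears in the Defender and SeDebugPrivilege rows. The script below is an added example, not anything from the sandbox: it performs that correlation over rows copied from the report and flags the 716 region at 0x400000, the 32-bit linker default image base, as the candidate mapped payload. That last step is a heuristic, not a verdict, and reading the dump names as memory/<pid>-<seq>-<start>-<end>-memory.dmp is an assumption about the report's naming.

```python
"""Correlate the injection, crash and memory-dump rows of this report by PID.

Added example, not sandbox code. The inputs are copied from the 'Suspicious use
of SetThreadContext' row, the WerFault.exe command lines in the process list and
the memory dump names; reading the dump names as
memory/<pid>-<seq>-<start>-<end>-memory.dmp is an assumption about the report.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

STC_RE = re.compile(r"PID (\d+) set thread context of (\d+)")
# WerFault names the faulting process with -p <pid>; '-pss' and '-ip' must not match.
WERFAULT_PID_RE = re.compile(r"(?:^|\s)-p\s+(\d+)")
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
# Linker default image base for 32-bit EXEs. A host process that carries a region
# starting here after being injected is a candidate for a payload mapped at its
# preferred base; this is a heuristic, not proof.
DEFAULT_IMAGE_BASE_X86 = 0x400000


@dataclass(frozen=True)
class Region:
    start: int
    end: int

    @property
    def size(self):
        return self.end - self.start


def parse_set_thread_context(description):
    """'PID A set thread context of B' -> (A, B): A wrote a thread context in B."""
    m = STC_RE.search(description)
    if not m:
        raise ValueError(f"not a SetThreadContext row: {description!r}")
    return int(m.group(1)), int(m.group(2))


def werfault_pids(cmdlines):
    """PIDs that WerFault.exe was started for, i.e. the processes that crashed."""
    pids = set()
    for cmd in cmdlines:
        if "WerFault.exe" not in cmd:
            continue
        m = WERFAULT_PID_RE.search(cmd)
        if m:
            pids.add(int(m.group(1)))
    return pids


def parse_dumps(names):
    """Group distinct dumped regions by PID; repeated dumps of one range collapse."""
    regions = defaultdict(set)
    for name in names:
        m = DUMP_RE.match(name)
        if m:
            pid, _seq, start, end = m.groups()
            regions[int(pid)].add(Region(int(start, 16), int(end, 16)))
    return regions


def correlate(stc_description, cmdlines, dump_names):
    """Join injector/target PIDs with crash evidence and the target's dumped regions."""
    injector, target = parse_set_thread_context(stc_description)
    crashed = werfault_pids(cmdlines)
    regions = parse_dumps(dump_names)
    target_regions = sorted(regions.get(target, ()), key=lambda r: r.start)
    return {
        "injector_pid": injector,
        "target_pid": target,
        "injector_crashed": injector in crashed,
        "target_crashed": target in crashed,
        "target_regions": [(hex(r.start), hex(r.end)) for r in target_regions],
        "candidate_payload_images": [(hex(r.start), r.size) for r in target_regions
                                     if r.start == DEFAULT_IMAGE_BASE_X86],
    }


# --- constructed sample, copied from the report --------------------------------
STC_ROW = "PID 4472 set thread context of 716"
PROCESS_CMDLINES = [
    r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0315147.exe",
    r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"',
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4472 -ip 4472",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 148",
]
DUMP_NAMES = [
    "memory/716-21-0x0000000000400000-0x000000000040A000-memory.dmp",
    "memory/716-22-0x0000000074640000-0x0000000074DF0000-memory.dmp",
    "memory/3052-26-0x0000000000A90000-0x0000000000AC0000-memory.dmp",
    "memory/716-33-0x0000000074640000-0x0000000074DF0000-memory.dmp",
    "memory/716-35-0x0000000074640000-0x0000000074DF0000-memory.dmp",
]

if __name__ == "__main__":
    for key, value in correlate(STC_ROW, PROCESS_CMDLINES, DUMP_NAMES).items():
        print(f"{key:26} {value}")
```

On the report's rows the injector is marked crashed and the target is not, the three identical 0x74640000-0x74DF0000 dumps of PID 716 collapse to one region, and the 0x400000-0x40A000 region (40 KiB) is the only candidate payload image; the region-level result is what you would carve out of the dump for further analysis.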
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.20.238.8.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 126.153.27.67.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6330032.exe
| MD5 | 569d430a97f191a6fdfa8355ed24d34c |
| SHA1 | db3287bfb048ebf73ad5aa28844610f2c7c80d86 |
| SHA256 | 6017f9d4733eafd2b4cc9b1aab0b3e7f6d6a9ac78e16de35525d56bfa4674153 |
| SHA512 | 4e93ba3705d00de911994baece24a11b04fede06cd67d449945dc7ce32970163cad992d99cf4fe5b4f5b16728ed7dee02bb0f49036067459381f0da5042caeb7 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7119808.exe
| MD5 | 97f7849d60070ce685c718595cd296d8 |
| SHA1 | 613c33eea34b00d1c37633804da7ad24e1ea23eb |
| SHA256 | 40e1c8db9e03752ca60b664152f73439953f71df101fd5f2b0227a02e9b5be6b |
| SHA512 | 5ca845d132c8fd0a72430d2137e5b29e1ea88878113246f296bb59b630e0a0b6701821b4d79795110720dcad16b28c1ab5461aedb06b2ce85c1e4d565d8d2b78 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0315147.exe
| MD5 | f7eeb1a801d2c9102c4e0f1ad3eb647e |
| SHA1 | 661a1722f7a8ad76e468e3e2c49ca772ac3fe3db |
| SHA256 | 16a01e437d325a072479cd6bb8698218c40c65807738ad36c668d25b38c33830 |
| SHA512 | 067e53cfa3a1736e8b0aa95178727acadd8ec51d4bb7104892d1503861b4884c6966133fa58f51d59be7d9f1823939bb2ecc8b9506e92c160360296b387e37a4 |
memory/716-21-0x0000000000400000-0x000000000040A000-memory.dmp
memory/716-22-0x0000000074640000-0x0000000074DF0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i3272917.exe
| MD5 | d46a9616cbe54201715d0505707ff931 |
| SHA1 | 61da42b6bcaef085b456cb01f4035bcab6a889ab |
| SHA256 | 3050ea04e76f5ad1d123cb995869dfd7c86d8d85ac9b07d3e51e3f50c8d01a8c |
| SHA512 | 21e7b40f8e126e38c68215e7ee5a41cabb5b8ca5ca164a1bd0bc552636d248b331fc570f8362275aa6f4703938b04f2d6350e2752b536acd5f7975ef47c20655 |
memory/3052-26-0x0000000000A90000-0x0000000000AC0000-memory.dmp
memory/3052-27-0x0000000074640000-0x0000000074DF0000-memory.dmp
memory/3052-28-0x000000000AED0000-0x000000000B4E8000-memory.dmp
memory/3052-29-0x000000000AA40000-0x000000000AB4A000-memory.dmp
memory/3052-30-0x00000000053E0000-0x00000000053F0000-memory.dmp
memory/3052-31-0x000000000A980000-0x000000000A992000-memory.dmp
memory/3052-32-0x000000000A9E0000-0x000000000AA1C000-memory.dmp
memory/716-33-0x0000000074640000-0x0000000074DF0000-memory.dmp
memory/716-35-0x0000000074640000-0x0000000074DF0000-memory.dmp
memory/3052-36-0x0000000074640000-0x0000000074DF0000-memory.dmp
memory/3052-37-0x00000000053E0000-0x00000000053F0000-memory.dmp