Analysis Overview
SHA256
ea94336e930c6d164b6099730bcffb52db8d10610167f5006f43c8a2fb577e93
Threat Level: Known bad
The file ea94336e930c6d164b6099730bcffb52db8d10610167f5006f43c8a2fb577e93 was found to be: Known bad.
Malicious Activity Summary
Detects Healer, an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
Executes dropped EXE
Windows security modification
Adds Run key to start application
Suspicious use of SetThreadContext
Program crash
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-03 02:55
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-03 02:55
Reported
2023-10-03 02:58
Platform
win10-20230915-en
Max time kernel
119s
Max time network
128s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1me35um6.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1me35um6.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1me35um6.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1me35um6.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1me35um6.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wp2Et77.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ue9GK99.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eJ1Vg68.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1me35um6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ux5140.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1me35um6.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ue9GK99.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eJ1Vg68.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\ea94336e930c6d164b6099730bcffb52db8d10610167f5006f43c8a2fb577e93.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wp2Et77.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 5092 set thread context of 4276 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ux5140.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ux5140.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1me35um6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1me35um6.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1me35um6.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ea94336e930c6d164b6099730bcffb52db8d10610167f5006f43c8a2fb577e93.exe
"C:\Users\Admin\AppData\Local\Temp\ea94336e930c6d164b6099730bcffb52db8d10610167f5006f43c8a2fb577e93.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wp2Et77.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wp2Et77.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ue9GK99.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ue9GK99.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eJ1Vg68.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eJ1Vg68.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1me35um6.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1me35um6.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ux5140.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ux5140.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 588
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 568
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 71.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.112.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wp2Et77.exe
| MD5 | 52ed0d4cad0ceb29afb1804c5f1489eb |
| SHA1 | 3fac180571a5f2e3c156e3066fad928f9f563d0d |
| SHA256 | fca6694f173e2cf3e02430a37c305ab4e58ce95b830c83c32ebdd8da7b7a85a3 |
| SHA512 | 4256506efd57c928d5a2e3736bcaa3237c8b33df6c51f99f358c353b54aa15d9196fd4cd7aa07eeae56842b549a0258edc3af43b7193d17eaec5ae0ba0de91e5 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ue9GK99.exe
| MD5 | 1e171451dc2a0da783ad0da1845272ca |
| SHA1 | d8a3fe31dfb22bf2732b4b3fbbeec481aeeeb814 |
| SHA256 | 1317f453a7b58b585d93aa86431c97374433d6edad874369166c28e6c2d64f04 |
| SHA512 | 885a1beb39031a319f6ddf7de1d745d5f855168dae186d850b4ac29137cc0886c1d4114bc5dc3241492dced5aae3b013ca755f7696aeb2377a6899b365e45649 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eJ1Vg68.exe
| MD5 | 171adcd4b6203c84c60aa8906c989352 |
| SHA1 | 12760c7bb5a52bf5e26f7b690c29c5be391216d2 |
| SHA256 | c0f77ed0cf045092cd1245710c34b9d779508699bbaf3bf05cdc31c484c2e094 |
| SHA512 | 801731362cf64496fa20b178db64976a184cc0378e1cc6c5acb54ec306ebc6f2a23dde4be15b25442589a708b6c660fb1a16d63116a66b92d90c6ecf1bc01789 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1me35um6.exe
| MD5 | 31e10401a29a6864917ba298a4dee9f7 |
| SHA1 | 1fc35715da630fee7092ed0a405a71a3de55ec5c |
| SHA256 | 5def27b47d5664016b169525e800af478f7a484ed55ff55a7a6946afb4373715 |
| SHA512 | f4cf33584a3bef1fb9a49bf69a970ca8dfb4fcfd884e58ec73929b7a66f2efd9fb48f807a061c8d87bfd5d3cdbe7cf4328e95cd9bf421036eb0e3363d3e05a99 |
memory/760-28-0x00000000002E0000-0x00000000002EA000-memory.dmp
memory/760-29-0x00007FFEBC3C0000-0x00007FFEBCDAC000-memory.dmp
memory/760-31-0x00007FFEBC3C0000-0x00007FFEBCDAC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ux5140.exe
| MD5 | e6eb4b6e93d29cbd10519979de39cfe1 |
| SHA1 | f7bd8c746e9af1242c65915007de51628a3e228e |
| SHA256 | fa41b39c0a6bfbd4f1bbee90896bff7b0316fa6745ebdec4800e3ba1e58d1c6b |
| SHA512 | 30f5850a9fded402fa04c376459db0b06825a3086d3d94fe25cfc4a234461992093685e3104787fa8f607ea2a73645bdee79dbab3504c7c3b09074f32bd23d10 |
memory/4276-35-0x0000000000400000-0x0000000000428000-memory.dmp
memory/4276-38-0x0000000000400000-0x0000000000428000-memory.dmp
memory/4276-39-0x0000000000400000-0x0000000000428000-memory.dmp
memory/4276-41-0x0000000000400000-0x0000000000428000-memory.dmp