Analysis Overview
SHA256
d0447c2355c4987631618cdaad6a4721b8245131aa28a733b6cd324f34fa1332
Threat Level: Known bad
The file d0447c2355c4987631618cdaad6a4721b8245131aa28a733b6cd324f34fa1332 was found to be: Known bad.
Malicious Activity Summary
Detects Healer, an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
Executes dropped EXE
Windows security modification
Adds Run key to start application
Suspicious use of SetThreadContext
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-03 11:18
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-03 11:18
Reported
2023-10-03 11:20
Platform
win10-20230915-en
Max time kernel
140s
Max time network
149s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jh00se4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jh00se4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jh00se4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jh00se4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jh00se4.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sR3Rd97.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yo7Gg07.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ju5sm97.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jh00se4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2iX7790.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jh00se4.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\d0447c2355c4987631618cdaad6a4721b8245131aa28a733b6cd324f34fa1332.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sR3Rd97.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yo7Gg07.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ju5sm97.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1420 set thread context of 600 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2iX7790.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2iX7790.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jh00se4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jh00se4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jh00se4.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\d0447c2355c4987631618cdaad6a4721b8245131aa28a733b6cd324f34fa1332.exe | "C:\Users\Admin\AppData\Local\Temp\d0447c2355c4987631618cdaad6a4721b8245131aa28a733b6cd324f34fa1332.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sR3Rd97.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sR3Rd97.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yo7Gg07.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yo7Gg07.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ju5sm97.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ju5sm97.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jh00se4.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jh00se4.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2iX7790.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2iX7790.exe |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 140 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 600 -s 568 |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 225.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sR3Rd97.exe
| Hash | Value |
| --- | --- |
| MD5 | 449a335987e102e2fd2e8b7696b3ae4d |
| SHA1 | eec71f904634c0ace885d776539ea8a21686258c |
| SHA256 | ab9471b5802658f8093fc0846dd7d1a1f37382ae324ad128296caf921eefc4a0 |
| SHA512 | 87ffced9996af916d40ded09a81f4bf0f971ae4039a443d732b7002f02ff18ffbe8b48a2e441be1df971eb9ad2c8e2becbccdad17327a006c4160c13d0ec2dbe |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yo7Gg07.exe
| Hash | Value |
| --- | --- |
| MD5 | 61e5ce1b3666d253136d70364ff287a0 |
| SHA1 | b37179bdccd9255c29dff74830fe8845bfa49f5f |
| SHA256 | 8d3c2a4429da9f4cb01ccf7e1b028d1b162877dc992f4f55715c777355b13549 |
| SHA512 | 793efbfdfbcc519f0453d0a17c62705f84d6b0d8bf646d3ba0c4be769cc0972f8046450ec724f2efb68587f6aad2f5a11e5cbd7c40ea99c6e051b9712a655d8f |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ju5sm97.exe
| Hash | Value |
| --- | --- |
| MD5 | 7c962d722ca137a161572106c5098c6c |
| SHA1 | 5276cfeead9bf4bc0ef540ac8faf602b8a47caa1 |
| SHA256 | 0b31683a3a7e024a810c71a4b9478212c9c8980969526a08a0fbffea820c0294 |
| SHA512 | 580d2920d58812d59f2bb2e4ae9809acf01db3e975b5a77ffe5a8d25870f65017bdd2eace11c2ab6a2da8ed5272d0378161295f622585c6474e3ca119cd08bd5 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jh00se4.exe
| Hash | Value |
| --- | --- |
| MD5 | 385097ae848db5d88fc9b42cd72b4a49 |
| SHA1 | 033079fd36b4e11dabe80332aa58da41fb8000fd |
| SHA256 | e38a99b236000d777a07464fa0ef480eb1452ff17ceef0ee762faa7549ed81bc |
| SHA512 | 005fb77acd98fc4a8d2cb5289aa5b86f6e6710f85a963baa4e23a38c2840316f36fb32ed2e1bc87d9d208a99f452c7f817365535b543968e1df4629012f967e1 |
memory/3008-28-0x0000000000330000-0x000000000033A000-memory.dmp
memory/3008-29-0x00007FFE570C0000-0x00007FFE57AAC000-memory.dmp
memory/3008-31-0x00007FFE570C0000-0x00007FFE57AAC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2iX7790.exe
| Hash | Value |
| --- | --- |
| MD5 | cfa62f3674dfd5107a6864ad4084d56c |
| SHA1 | 4202d779d0b8d6aff3f373aedd2a1e83b19d8cb8 |
| SHA256 | 0ef2edf4bda629a64709ca401dcc3ff02269b16c03552a387b5b6c4fef621325 |
| SHA512 | d8251c8aa9416cad54fa93d95493c7f05db14647361aace39edb9ce886ff40bcdb148a63e628c8d90f7dab617167f7bdf4794b5d0f83b40e2c5dcbf47b5bb687 |
memory/600-35-0x0000000000400000-0x0000000000428000-memory.dmp
memory/600-39-0x0000000000400000-0x0000000000428000-memory.dmp
memory/600-38-0x0000000000400000-0x0000000000428000-memory.dmp
memory/600-41-0x0000000000400000-0x0000000000428000-memory.dmp