Analysis Overview
SHA256
dc49b0b0815795e7c1162bd7fdcc7f36f810abd5673e58d025a212b7a9e79ebb
Threat Level: Known bad
The file dc49b0b0815795e7c1162bd7fdcc7f36f810abd5673e58d025a212b7a9e79ebb was found to be: Known bad.
Malicious Activity Summary
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
Executes dropped EXE
Windows security modification
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-03 11:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-03 11:44
Reported
2023-10-03 11:47
Platform
win10-20230915-en
Max time kernel
125s
Max time network
131s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vJ48qZ3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vJ48qZ3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vJ48qZ3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vJ48qZ3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vJ48qZ3.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fb4cT90.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rA7Ev50.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sf6Uq60.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vJ48qZ3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2yu1664.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vJ48qZ3.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\dc49b0b0815795e7c1162bd7fdcc7f36f810abd5673e58d025a212b7a9e79ebb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fb4cT90.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rA7Ev50.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sf6Uq60.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4856 set thread context of 204 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2yu1664.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2yu1664.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vJ48qZ3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vJ48qZ3.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vJ48qZ3.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\dc49b0b0815795e7c1162bd7fdcc7f36f810abd5673e58d025a212b7a9e79ebb.exe | "C:\Users\Admin\AppData\Local\Temp\dc49b0b0815795e7c1162bd7fdcc7f36f810abd5673e58d025a212b7a9e79ebb.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fb4cT90.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fb4cT90.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rA7Ev50.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rA7Ev50.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sf6Uq60.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sf6Uq60.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vJ48qZ3.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vJ48qZ3.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2yu1664.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2yu1664.exe |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 576 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 204 -s 568 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 225.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fb4cT90.exe
| MD5 | 3f9bf33de9dbc3b4ff325ed2ca484383 |
| SHA1 | 7d35c87fc1fc54778cd9d848ce4e7093b210eb25 |
| SHA256 | 151b09a17549eb664d9861266ee3aae882c761408fa2ee20faf772e7fe824214 |
| SHA512 | 612232bc28d32e68c0a61103756da337bc82431cd86778b64a3fbd11b6a4c0d80e8b2d00f97dc864c72186cde888295d6c9fe06f9977364ce5dd7a48270215d0 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rA7Ev50.exe
| MD5 | b8419002a71cb074d22c204494c444f0 |
| SHA1 | 218c717272b12775faf896a653f7c220a6cec37c |
| SHA256 | 75023350df0134e5a73857f76c7ead28e5c1d029ddbbcc20f1a2b6585895999b |
| SHA512 | 675a95d0957f5efb109fae36b0371c753ad5b67092d89b83eef513a4d06695fd966602fb199dbddeaeacc6c6a57174c5c92e62fea6137294c163c13450beca55 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sf6Uq60.exe
| MD5 | d26ea2df963e785b102079b28c352b59 |
| SHA1 | 4ae543c6a6370e1af8789671b9e269a2216a4d44 |
| SHA256 | 653f9e4e32b6db993309907ef8cd9e95ddf3123fc98c4b3a29b1b83e7d1fbeba |
| SHA512 | f16a16c1d58227e0c3d97a58a776af4271fc733c7e40721d1254612562425ac59afa15fdab14084800615763d74a145c87b188e1504d6c85cfc133af08530e39 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vJ48qZ3.exe
| MD5 | 35a0e47267276a8e8882396e4f192a37 |
| SHA1 | a6353f0584ca37d0f783e1a077b524ec54da2a2c |
| SHA256 | e4d31acd4f6f9a8c85c0c7d946d55e4efd5a2571f54a3b6682e04495f951bd96 |
| SHA512 | e322cf2c200076ced13d097f6cb3a92164a6fc7cfcc7c855161d7bf76397c8eb96be20d347cb609bba1361ac803ba5b23668b02f6c7f62db25b2a025d5e6fc03 |
memory/4264-28-0x0000000000470000-0x000000000047A000-memory.dmp
memory/4264-29-0x00007FFDD9510000-0x00007FFDD9EFC000-memory.dmp
memory/4264-31-0x00007FFDD9510000-0x00007FFDD9EFC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2yu1664.exe
| MD5 | 4f0618a9c475f2cc448658d569feecf6 |
| SHA1 | 894882be7b89ef0fc6c80f1b6d2af88f70a633ab |
| SHA256 | b45b29dfdeaa8ea21d2e73220210627f7feadb3d73326da0f24825b38389d382 |
| SHA512 | 0a5b6ab69ab1cf37b9f93c0d59eb55af05f8976272fef45eb551d2ced503f9e64ecb7ef914bb176d52111f426933015200a847855ab21c84e35d2e8f492855b1 |
memory/204-35-0x0000000000400000-0x0000000000428000-memory.dmp
memory/204-38-0x0000000000400000-0x0000000000428000-memory.dmp
memory/204-39-0x0000000000400000-0x0000000000428000-memory.dmp
memory/204-41-0x0000000000400000-0x0000000000428000-memory.dmp