Analysis Overview
SHA256
dbce6bdd247474179db59137515436785eb03193f2ef51244d62b1d5762fd933
Threat Level: Known bad
The file dbce6bdd247474179db59137515436785eb03193f2ef51244d62b1d5762fd933 was found to be: Known bad.
Malicious Activity Summary
Detects Healer, an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
Windows security modification
Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
Program crash
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-03 12:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-03 12:17
Reported
2023-10-03 12:20
Platform
win10-20230831-en
Max time kernel
149s
Max time network
158s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1hi22Qx2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1hi22Qx2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1hi22Qx2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1hi22Qx2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1hi22Qx2.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qZ0oP60.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yj1Cc63.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zZ4Lp23.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1hi22Qx2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vK2667.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1hi22Qx2.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\dbce6bdd247474179db59137515436785eb03193f2ef51244d62b1d5762fd933.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qZ0oP60.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yj1Cc63.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zZ4Lp23.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2320 set thread context of 4212 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vK2667.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vK2667.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1hi22Qx2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1hi22Qx2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1hi22Qx2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\dbce6bdd247474179db59137515436785eb03193f2ef51244d62b1d5762fd933.exe | "C:\Users\Admin\AppData\Local\Temp\dbce6bdd247474179db59137515436785eb03193f2ef51244d62b1d5762fd933.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qZ0oP60.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qZ0oP60.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yj1Cc63.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yj1Cc63.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zZ4Lp23.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zZ4Lp23.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1hi22Qx2.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1hi22Qx2.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vK2667.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vK2667.exe |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 592 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 568 |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 77.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.57.101.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qZ0oP60.exe
| MD5 | 468473d6f1a2d1fbb8c07b307215108f |
| SHA1 | 520bb733551505f6020578a7584e74505f01cb49 |
| SHA256 | fff34c3f782bf2415ef118ce318ad4fc805c995b15eace0a7463341d5195ca58 |
| SHA512 | 175b868fe33fc9600b5ba939c2e83ade7cc6eba038f473ce57875428a965090581797b1ac3eeac1a98db77b5d948904d49318bf8c2aabf2ef1d4c0c930379473 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yj1Cc63.exe
| MD5 | 43163cc4a6a39df696c8d1c207c54ee5 |
| SHA1 | 49d58dcda045fd084f02bfb257ef26671e0c049a |
| SHA256 | baaea239b204bbbc3ad578082ec43226bb577f85f924bf3a68c1d6d452ff1e7f |
| SHA512 | 9c8d1318d7342a5303e70458cf131dc02740ba415759420f4516dca7b2906518cf4555d4d87ff278fb5e54d6ed2404ed29f81ced8e3b3da7535c16260d13762b |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zZ4Lp23.exe
| MD5 | 64bca51ecff153f709b0cc24dd7c4b93 |
| SHA1 | 2aa7c15f7026208977f7fb29eedc0d5545a0ff5c |
| SHA256 | 19ea671822598b6a024be776a8478072818957e2ce7a3b5d3de15b4096b5d30f |
| SHA512 | 4c12360966db4e8ecf51461df2d21022e51875f558e64944bbe64d0cdca5722a0e25fa36d02ea8b6fecdb9f60d99197eff98bcfb8bf05b85dff2389c6eb6c3a9 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1hi22Qx2.exe
| MD5 | e2c620e42d157ad9c02ec84dbae97201 |
| SHA1 | e30c848655af00953fdb31a4eafc3cfdcaaea064 |
| SHA256 | 056b2870ff956c76d100ccf4a6d7ea1c9b7aed9ca7e993ec52b6e8f1f6eb03b7 |
| SHA512 | dd3be5c7320ec692f111b91622908a3cea601baf036684fe3251cddb9f9f7ed2977d6baef781beb4ff2570671ca1ce8b0031bc5a2f95a52858bdf19cc0383521 |
memory/372-28-0x0000000000010000-0x000000000001A000-memory.dmp
memory/372-29-0x00007FF9DB3D0000-0x00007FF9DBDBC000-memory.dmp
memory/372-31-0x00007FF9DB3D0000-0x00007FF9DBDBC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vK2667.exe
| MD5 | dc3ed8d7ff3799e6d004415d44ab9355 |
| SHA1 | 650eed74c34700f96cdd1181023809c4020e9687 |
| SHA256 | d076ba245e680b4423222ebbbc65424c6f0119f5b428e89cd61030282683c276 |
| SHA512 | 0dcefad4327b6eb04bba4e1ac6b29d4244463b7c1a1e104ef9f1a5f77e8ed18354787912c970e6dc02b7bdec3d9f7584bff5609066906312c2a540921032666e |
memory/4212-35-0x0000000000400000-0x0000000000428000-memory.dmp
memory/4212-38-0x0000000000400000-0x0000000000428000-memory.dmp
memory/4212-39-0x0000000000400000-0x0000000000428000-memory.dmp
memory/4212-41-0x0000000000400000-0x0000000000428000-memory.dmp