Analysis Overview
SHA256
bec1737d472d7513580d359b2d58450aefe5c76053fb1276652fa14d154b60d8
Threat Level: Known bad
The file bec1737d472d7513580d359b2d58450aefe5c76053fb1276652fa14d154b60d8N was found to be: Known bad.
Malicious Activity Summary
Healer family
Healer
Detects Healer, an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
Executes dropped EXE
Checks computer location settings
Windows security modification
Adds Run key to start application
Program crash
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:45
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:45
Reported
2024-11-10 01:47
Platform
win10v2004-20241007-en
Max time kernel
96s
Max time network
97s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Temp\1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Temp\1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Temp\1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Temp\1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Temp\1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Temp\1.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\162981132.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\162981132.exe | N/A |
| N/A | N/A | C:\Windows\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\208375335.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Windows\Temp\1.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\bec1737d472d7513580d359b2d58450aefe5c76053fb1276652fa14d154b60d8N.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\208375335.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\208375335.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bec1737d472d7513580d359b2d58450aefe5c76053fb1276652fa14d154b60d8N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\162981132.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Temp\1.exe | N/A |
| N/A | N/A | C:\Windows\Temp\1.exe | N/A |
| N/A | N/A | C:\Windows\Temp\1.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\162981132.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\208375335.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Temp\1.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bec1737d472d7513580d359b2d58450aefe5c76053fb1276652fa14d154b60d8N.exe
"C:\Users\Admin\AppData\Local\Temp\bec1737d472d7513580d359b2d58450aefe5c76053fb1276652fa14d154b60d8N.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\162981132.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\162981132.exe
C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\208375335.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\208375335.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1924 -ip 1924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 1260
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\162981132.exe
| MD5 | df06baa45ef5d8916bb0a437c3b11ba0 |
| SHA1 | 237189277fd175c7a2ef6fe90f573b4f2901b9a2 |
| SHA256 | 202af656b51aa64772a466b4957547c347e51a8414bde70ced359f0b3f31e0ce |
| SHA512 | 4cdafcf0f4f5e00816788094cd342322b638597fdeb9d05f74346bdd49f7a2c3d74bd1a05e4c1d5a37177ed77068f4ebf8499f18d8aacfaece68b5be628a1712 |
C:\Windows\Temp\1.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\208375335.exe
| MD5 | d23dec4a566ebda98088dca3e0e04a4c |
| SHA1 | 7b553bd5549d5a168d8b77fa1c7c256867b2edd1 |
| SHA256 | 45d22e7fa762adc3c7ce456a1f08b63bd9c3f1161d2ae6a83fb7a8aadb03813b |
| SHA512 | 999cef0e28969c273f07dc35f7fdfe82958b9a580f92ce32e490c0f5dcb9bc056f9ff9d3eb0f157bd5b39663d3fa9664e69aa0c5312115c1c6dfc0d97c36a519 |
memory/1924-4291-0x0000000005740000-0x00000000057D2000-memory.dmp