Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    28/08/2023, 04:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    z5056178.exe

  • Size

    217KB

  • MD5

    82cb46a47f9a2e58d40f1b0edf47fb34

  • SHA1

    62eb05bbd24a580640350fd4fc5dc516ae1a882c

  • SHA256

    a879a9170e7cb065ffe6d99a6f79a39d21fa91937284100e453af790356789ad

  • SHA512

    0ced7a8d35635eb5d5e5ceb20306a96a5a00696078e1a6c44642dbe1d2a5859e02104d01323cf6dd4ef08bcff8cd9b79e5b9335a67a8f68949dce4ccc4501c08

  • SSDEEP

    3072:Kay+bnr+O1t5GWp1icKAArDZz4N9GhbkrNEk1TcfLO3KWvGHJo4/wKo1:Kay+bnr+ip0yN90QE+ULO3POHJdw9

Score
10/10
healerdropperevasionpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 4 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\z5056178.exe
    "C:\Users\Admin\AppData\Local\Temp\z5056178.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1936
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\q3049712.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\q3049712.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3044
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r7768028.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r7768028.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:2844

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\q3049712.exe
    Filesize

    14KB

    MD5

    6e729cd67e73459385419449be70358e

    SHA1

    39e83cf6ff2a60deb8713df7f1e4705931bed89d

    SHA256

    5632bd1a4d9754ba2ff125424bfbc9f2924d5136d08d031e0718c186d9ab19ab

    SHA512

    e805ddb2740ae72e70a0e7cd2a41ac4b7135b6244e316f764520d411a55b14413fa170d9c15c2d78a5e3eabc5bba4188c553734965aa0759e5bad74301094757

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\q3049712.exe
    Filesize

    14KB

    MD5

    6e729cd67e73459385419449be70358e

    SHA1

    39e83cf6ff2a60deb8713df7f1e4705931bed89d

    SHA256

    5632bd1a4d9754ba2ff125424bfbc9f2924d5136d08d031e0718c186d9ab19ab

    SHA512

    e805ddb2740ae72e70a0e7cd2a41ac4b7135b6244e316f764520d411a55b14413fa170d9c15c2d78a5e3eabc5bba4188c553734965aa0759e5bad74301094757

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r7768028.exe
    Filesize

    140KB

    MD5

    c1595ef884b29bfbe48639bcd81f472c

    SHA1

    3f800e547f18c808be73001c509a43ea3581cbae

    SHA256

    918559754fc14ef764fc4e72aaa1283169913154f302514758f31507c12d5d45

    SHA512

    e22d46a8546ceaf85d62dc66ef3e136f09e48f189ded966ef2b5b74c59e15cc62bf2c46c6464c4661aab714f553f26bfae179e31fec997020076aa86777113dc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r7768028.exe
    Filesize

    140KB

    MD5

    c1595ef884b29bfbe48639bcd81f472c

    SHA1

    3f800e547f18c808be73001c509a43ea3581cbae

    SHA256

    918559754fc14ef764fc4e72aaa1283169913154f302514758f31507c12d5d45

    SHA512

    e22d46a8546ceaf85d62dc66ef3e136f09e48f189ded966ef2b5b74c59e15cc62bf2c46c6464c4661aab714f553f26bfae179e31fec997020076aa86777113dc

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\q3049712.exe
    Filesize

    14KB

    MD5

    6e729cd67e73459385419449be70358e

    SHA1

    39e83cf6ff2a60deb8713df7f1e4705931bed89d

    SHA256

    5632bd1a4d9754ba2ff125424bfbc9f2924d5136d08d031e0718c186d9ab19ab

    SHA512

    e805ddb2740ae72e70a0e7cd2a41ac4b7135b6244e316f764520d411a55b14413fa170d9c15c2d78a5e3eabc5bba4188c553734965aa0759e5bad74301094757

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\r7768028.exe
    Filesize

    140KB

    MD5

    c1595ef884b29bfbe48639bcd81f472c

    SHA1

    3f800e547f18c808be73001c509a43ea3581cbae

    SHA256

    918559754fc14ef764fc4e72aaa1283169913154f302514758f31507c12d5d45

    SHA512

    e22d46a8546ceaf85d62dc66ef3e136f09e48f189ded966ef2b5b74c59e15cc62bf2c46c6464c4661aab714f553f26bfae179e31fec997020076aa86777113dc

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\r7768028.exe
    Filesize

    140KB

    MD5

    c1595ef884b29bfbe48639bcd81f472c

    SHA1

    3f800e547f18c808be73001c509a43ea3581cbae

    SHA256

    918559754fc14ef764fc4e72aaa1283169913154f302514758f31507c12d5d45

    SHA512

    e22d46a8546ceaf85d62dc66ef3e136f09e48f189ded966ef2b5b74c59e15cc62bf2c46c6464c4661aab714f553f26bfae179e31fec997020076aa86777113dc

    Download Submit

  • memory/3044-8-0x0000000000870000-0x000000000087A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3044-9-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3044-14-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmp

    Filesize

    9.9MB

    Download