Analysis
max time kernel: 120s
max time network: 126s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 04-09-2023 01:20
Static task: static1
Behavioral task: behavioral1
  Sample: z6363369.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: z6363369.exe
  Resource: win10-20230831-en
General
Target: z6363369.exe
Size: 217KB
MD5: 884c74eda7f42991a75d74315b27c27a
SHA1: b9c9627bc3d7bd9d4448042598a32629ccee46bc
SHA256: 782f018f6a8e6dc1654feb37bf8c61c7d8603105cd80d3a04bf1133af6ceffc0
SHA512: a4ecff115d0c47d7e346c1a0441ab98e3e0e80b51e771ff0e51791757154958ac01f5414fda2b21b0a430b063f42f546345e3a99c305e1cb26ed8de6e2f72eef
SSDEEP: 6144:KZy+bnr+vp0yN90QE91b8QS/7qt5rJHg:LMrvy9058xSm
Malware Config
Signatures
Detects Healer an antivirus disabler dropper (4 IoCs)
  resource | yara_rule
  behavioral1/files/0x000c0000000165f1-4.dat | healer
  behavioral1/files/0x000c0000000165f1-6.dat | healer
  behavioral1/files/0x000c0000000165f1-7.dat | healer
  behavioral1/memory/2496-8-0x0000000000990000-0x000000000099A000-memory.dmp | healer
Modifies Windows Defender Real-time Protection settings (6 IoCs; signature name taken from the process tree below, the heading was missing from the table)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | q3503457.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | q3503457.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | q3503457.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | q3503457.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | q3503457.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | q3503457.exe
Executes dropped EXE (2 IoCs)
  pid | Process
  2496 | q3503457.exe
  2660 | r9909941.exe
Loads dropped DLL (3 IoCs)
  pid | Process
  1404 | z6363369.exe
  1404 | z6363369.exe
  2660 | r9909941.exe
Windows security modification (2 IoCs; signature name taken from the process tree below, the heading was missing from the table)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features | q3503457.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | q3503457.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | z6363369.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  2496 | q3503457.exe
  2496 | q3503457.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 2496 | q3503457.exe
Suspicious use of WriteProcessMemory (14 IoCs)
  description | pid | Process | procid_target
  PID 1404 wrote to memory of 2496 | 1404 | z6363369.exe | 28
  PID 1404 wrote to memory of 2496 | 1404 | z6363369.exe | 28
  PID 1404 wrote to memory of 2496 | 1404 | z6363369.exe | 28
  PID 1404 wrote to memory of 2496 | 1404 | z6363369.exe | 28
  PID 1404 wrote to memory of 2496 | 1404 | z6363369.exe | 28
  PID 1404 wrote to memory of 2496 | 1404 | z6363369.exe | 28
  PID 1404 wrote to memory of 2496 | 1404 | z6363369.exe | 28
  PID 1404 wrote to memory of 2660 | 1404 | z6363369.exe | 29
  PID 1404 wrote to memory of 2660 | 1404 | z6363369.exe | 29
  PID 1404 wrote to memory of 2660 | 1404 | z6363369.exe | 29
  PID 1404 wrote to memory of 2660 | 1404 | z6363369.exe | 29
  PID 1404 wrote to memory of 2660 | 1404 | z6363369.exe | 29
  PID 1404 wrote to memory of 2660 | 1404 | z6363369.exe | 29
  PID 1404 wrote to memory of 2660 | 1404 | z6363369.exe | 29
Processes
C:\Users\Admin\AppData\Local\Temp\z6363369.exe (level 1, PID 1404)
  command line: "C:\Users\Admin\AppData\Local\Temp\z6363369.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\q3503457.exe (level 2, PID 2496)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\q3503457.exe
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r9909941.exe (level 2, PID 2660)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r9909941.exe
    - Executes dropped EXE
    - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
Filesize: 19KB
  MD5: 2d0b7b6c6582624ab6f37a8a0012a15b
  SHA1: ba6fb65835289d18b7c6955a08db13e9f4b7dee3
  SHA256: 2ac61eb9a82b64376e9c58c081f6de7fa55a62b65b583bb90dd48dc1ec8049a6
  SHA512: d80073aca35a0b8454414ae3d3b961ee4c70bf4ae1ee028b35c197eef62e04f4af0a2bf0468f532c3ae0117de18f83ceabdd1e7fe830b19d419feb64eb284df0
Filesize: 140KB
  MD5: 872822018460a474982badc135a5c6e2
  SHA1: 7383886f7133851cfe54d94e43c5016d6a04de42
  SHA256: 7af766f3c6293d8f47d786f1ae5aae6fbea97047c33e6190684d5a5279d9ddd6
  SHA512: 69c14e4eddc052c093c84f59ac858dd59c560a92c6a89edb4c8bb5a0f464223123d36caa57e892a59507d099cdab52d7d19a054b511610129d927c334563ec18