Overview

overview

10

Static

static

3

sample.exe

windows7-x64

10

sample.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/09/2023, 15:42

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    sample.exe

  • Size

    328KB

  • MD5

    2ce2b22c19530551c888b9e300ec7f18

  • SHA1

    fe0cbb415ce1c51b2219b910f8c96566bfcbfab2

  • SHA256

    ccb9086fc1709485302ec90d7f960e13db4844caef664fe940d4d6def976d1f3

  • SHA512

    be5a16f1f066a6590f711940e5758afc0f2354ba195adcefdf6e3dd07ea681a777146b5a9b3d59fdac651716c78754edd9cdf9fbb1974310b90b21d90408b2e1

  • SSDEEP

    6144:Kly+bnr+7p0yN90QE0Q5xeyziFHV7qyrxvjfTiwEZ3ZvzpheB:DMrPy90TeyzwHJqydrr83Nzp8

Score
10/10
healerdropperevasionpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\sample.exe
    "C:\Users\Admin\AppData\Local\Temp\sample.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1444
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\q9112251.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\q9112251.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:976
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:408
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r0360247.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r0360247.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2584
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
          PID:1856
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 540
            4⤵
            • Program crash
            PID:220
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1856 -ip 1856
      1⤵
        PID:3748

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\q9112251.exe
              Filesize

              213KB

              MD5

              bce3c2ce66d4445f778c762bdd2daf05

              SHA1

              a75f1d0ce58dffc1fb514e803af06b824e08726e

              SHA256

              7da1c38aa827449ae85d420faac841f04c4fe9924f8ec22d1b6e825e5c1f08bb

              SHA512

              4363d0c898af0961c3a81a8168b17f302b359f06a9946911b2f2b262d80aba226cdc264e2edda8809bdaebb44e55c3d3d89058f58c617f13a61fb816f2432fa9

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\q9112251.exe
              Filesize

              213KB

              MD5

              bce3c2ce66d4445f778c762bdd2daf05

              SHA1

              a75f1d0ce58dffc1fb514e803af06b824e08726e

              SHA256

              7da1c38aa827449ae85d420faac841f04c4fe9924f8ec22d1b6e825e5c1f08bb

              SHA512

              4363d0c898af0961c3a81a8168b17f302b359f06a9946911b2f2b262d80aba226cdc264e2edda8809bdaebb44e55c3d3d89058f58c617f13a61fb816f2432fa9

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r0360247.exe
              Filesize

              342KB

              MD5

              149a994fbf5e6e414ac9da01dc27e8a2

              SHA1

              3a3ac1218ba92ba9488d2489ee3c14f115045a4b

              SHA256

              022e8939826faae426c61668fa793c72712226cc194f693241821f14e703b3f6

              SHA512

              a804d9b727f560596533b6d680b17d4941247be7698b0a4b01a7b844b5bf30980c7810e891d4802b38474c5c619c023d1587701f8541ddd9af9372fd0b148d23

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r0360247.exe
              Filesize

              342KB

              MD5

              149a994fbf5e6e414ac9da01dc27e8a2

              SHA1

              3a3ac1218ba92ba9488d2489ee3c14f115045a4b

              SHA256

              022e8939826faae426c61668fa793c72712226cc194f693241821f14e703b3f6

              SHA512

              a804d9b727f560596533b6d680b17d4941247be7698b0a4b01a7b844b5bf30980c7810e891d4802b38474c5c619c023d1587701f8541ddd9af9372fd0b148d23

              Download Submit

            • memory/408-7-0x0000000000400000-0x000000000040A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/408-11-0x00000000744B0000-0x0000000074C60000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/408-17-0x00000000744B0000-0x0000000074C60000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/408-19-0x00000000744B0000-0x0000000074C60000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/1856-12-0x0000000000400000-0x0000000000428000-memory.dmp

              Filesize

              160KB

              Download

            • memory/1856-13-0x0000000000400000-0x0000000000428000-memory.dmp

              Filesize

              160KB

              Download

            • memory/1856-14-0x0000000000400000-0x0000000000428000-memory.dmp

              Filesize

              160KB

              Download

            • memory/1856-16-0x0000000000400000-0x0000000000428000-memory.dmp

              Filesize

              160KB

              Download