Analysis
- max time kernel: 126s
- max time network: 134s
- platform: windows10-1703_x64
- resource: win10-20230915-en
- resource tags: arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 22/09/2023, 10:47
Static task: static1
Behavioral task: behavioral1
Sample: a76be79001579a1131b180709c83005caff2ed645a3a676595f428867d37f9d8.exe
Resource: win10-20230915-en
General
- Target: a76be79001579a1131b180709c83005caff2ed645a3a676595f428867d37f9d8.exe
- Size: 1.1MB
- MD5: 5a8c0eae3553c80b57a9914a48facc85
- SHA1: 3b1c50bbced02507c2723a5e132e7be562fb14bc
- SHA256: a76be79001579a1131b180709c83005caff2ed645a3a676595f428867d37f9d8
- SHA512: 08ddba5fce4cef2c55e74983358c8f4a9d8f4f4f9c8dc32340066dde3fd84725339561be8340daae1d47b5cb42ae04baeb0d12ed26241337a4cfd5281522d9fd
- SSDEEP: 24576:wyn95toiT+xnvRpTcPCFXzotnbYcq1WJnKZAt2VuKyS5o2qz:3n97oZvRpg6FXzdcq15ZAt2AKR0
Malware Config
Signatures
- Detects Healer an antivirus disabler dropper (3 IoCs)
  resource | yara_rule
  behavioral1/files/0x000700000001af81-32.dat | healer
  behavioral1/files/0x000700000001af81-34.dat | healer
  behavioral1/memory/312-35-0x0000000000040000-0x000000000004A000-memory.dmp | healer
- Modifies Windows Defender Real-time Protection settings
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | q6280298.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | q6280298.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | q6280298.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | q6280298.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | q6280298.exe
- Executes dropped EXE (6 IoCs)
  pid | Process
  4324 | z5697309.exe
  2320 | z9116776.exe
  4512 | z2442791.exe
  3664 | z9022901.exe
  312 | q6280298.exe
  2880 | r2344212.exe
- Windows security modification
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | q6280298.exe
- Adds Run key to start application (2 TTPs, 5 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | z9116776.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | z2442791.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | z9022901.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | a76be79001579a1131b180709c83005caff2ed645a3a676595f428867d37f9d8.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | z5697309.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 2880 set thread context of 3928 | 2880 | r2344212.exe | 78
- Program crash (2 IoCs)
  pid | pid_target | Process | procid_target
  3132 | 2880 | WerFault.exe | 75
  4132 | 3928 | WerFault.exe | 78
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  312 | q6280298.exe
  312 | q6280298.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 312 | q6280298.exe
- Suspicious use of WriteProcessMemory (30 IoCs)
  description | pid | Process | procid_target | occurrences
  PID 3316 wrote to memory of 4324 | 3316 | a76be79001579a1131b180709c83005caff2ed645a3a676595f428867d37f9d8.exe | 70 | 3
  PID 4324 wrote to memory of 2320 | 4324 | z5697309.exe | 71 | 3
  PID 2320 wrote to memory of 4512 | 2320 | z9116776.exe | 72 | 3
  PID 4512 wrote to memory of 3664 | 4512 | z2442791.exe | 73 | 3
  PID 3664 wrote to memory of 312 | 3664 | z9022901.exe | 74 | 2
  PID 3664 wrote to memory of 2880 | 3664 | z9022901.exe | 75 | 3
  PID 2880 wrote to memory of 4308 | 2880 | r2344212.exe | 77 | 3
  PID 2880 wrote to memory of 3928 | 2880 | r2344212.exe | 78 | 10
Processes
1. "C:\Users\Admin\AppData\Local\Temp\a76be79001579a1131b180709c83005caff2ed645a3a676595f428867d37f9d8.exe" (PID 3316)
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5697309.exe (PID 4324)
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9116776.exe (PID 2320)
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2442791.exe (PID 4512)
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory
            5. C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9022901.exe (PID 3664)
               - Executes dropped EXE
               - Adds Run key to start application
               - Suspicious use of WriteProcessMemory
               6. C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6280298.exe (PID 312)
                  - Modifies Windows Defender Real-time Protection settings
                  - Executes dropped EXE
                  - Windows security modification
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
               6. C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2344212.exe (PID 2880)
                  - Executes dropped EXE
                  - Suspicious use of SetThreadContext
                  - Suspicious use of WriteProcessMemory
                  7. "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" (PID 4308)
                  7. "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" (PID 3928)
                     8. C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 568 (PID 4132)
                        - Program crash
                  7. C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 160 (PID 3132)
                     - Program crash
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads