Analysis

max time kernel: 126s
max time network: 132s
platform: windows10-1703_x64
resource: win10-20230915-en
resource tags: arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
submitted: 03/10/2023, 02:34

Static task: static1
Behavioral task: behavioral1
Sample: ae2e7968e9d135045969af3b12d83a29ff86931702e55070d5481a48703c34a9.exe
Resource: win10-20230915-en
General

Target: ae2e7968e9d135045969af3b12d83a29ff86931702e55070d5481a48703c34a9.exe
Size: 877KB
MD5: 5f29ad2125f6e2868eda7233f6fdd03b
SHA1: 70355b3a9113833992d42ebe2153f029237a693d
SHA256: ae2e7968e9d135045969af3b12d83a29ff86931702e55070d5481a48703c34a9
SHA512: 0a69b180290ec29839499f9549c4ba796cc77a6c6bc4d021dec986e686fb06925a8e4f4f8dc268e98c5019bd946b24fc00fd8edeb616a208483d0e9adfc1a396
SSDEEP: 12288:1MrYy90nztyT6A1o4FhlEpdbCpBf1CdX+zqX5Jpjvk9l+VcCKD5BkdU44HChHEgJ:hycyP1LwKCXDpjvrE/kAih/rAJZ4P
Malware Config

Signatures

Detects Healer, an antivirus disabler dropper (3 IoCs)
  resource  /  yara_rule
  behavioral1/files/0x000700000001b002-26.dat  /  healer
  behavioral1/files/0x000700000001b002-27.dat  /  healer
  behavioral1/memory/4100-28-0x00000000003B0000-0x00000000003BA000-memory.dmp  /  healer

Modifies Windows Defender Real-time Protection settings
  description  /  ioc  /  Process
  Set value (int)  /  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  /  1Dh93jA1.exe
  Set value (int)  /  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  /  1Dh93jA1.exe
  Set value (int)  /  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  /  1Dh93jA1.exe
  Set value (int)  /  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  /  1Dh93jA1.exe
  Set value (int)  /  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  /  1Dh93jA1.exe

Executes dropped EXE (5 IoCs)
  pid  /  Process
  1164  /  KR5rX80.exe
  5112  /  rg5QB67.exe
  4472  /  IX4GP13.exe
  4100  /  1Dh93jA1.exe
  2704  /  2YN3973.exe

Windows security modification
  description  /  ioc  /  Process
  Set value (int)  /  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"  /  1Dh93jA1.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
  description  /  ioc  /  Process
  Set value (str)  /  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  /  ae2e7968e9d135045969af3b12d83a29ff86931702e55070d5481a48703c34a9.exe
  Set value (str)  /  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  /  KR5rX80.exe
  Set value (str)  /  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""  /  rg5QB67.exe
  Set value (str)  /  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""  /  IX4GP13.exe

Suspicious use of SetThreadContext (1 IoC)
  description  /  pid  /  Process  /  procid_target
  PID 2704 set thread context of 224  /  2704  /  2YN3973.exe  /  79

Program crash (2 IoCs)
  pid  /  pid_target  /  Process  /  procid_target
  4736  /  2704  /  WerFault.exe  /  74
  3584  /  224  /  WerFault.exe  /  79

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid  /  Process
  4100  /  1Dh93jA1.exe
  4100  /  1Dh93jA1.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description  /  pid  /  Process
  Token: SeDebugPrivilege  /  4100  /  1Dh93jA1.exe

Suspicious use of WriteProcessMemory (33 IoCs; repeated rows are collapsed with a count)
  description  /  pid  /  Process  /  procid_target
  PID 4768 wrote to memory of 1164  /  4768  /  ae2e7968e9d135045969af3b12d83a29ff86931702e55070d5481a48703c34a9.exe  /  64  (x3)
  PID 1164 wrote to memory of 5112  /  1164  /  KR5rX80.exe  /  71  (x3)
  PID 5112 wrote to memory of 4472  /  5112  /  rg5QB67.exe  /  72  (x3)
  PID 4472 wrote to memory of 4100  /  4472  /  IX4GP13.exe  /  73  (x2)
  PID 4472 wrote to memory of 2704  /  4472  /  IX4GP13.exe  /  74  (x3)
  PID 2704 wrote to memory of 228  /  2704  /  2YN3973.exe  /  76  (x3)
  PID 2704 wrote to memory of 1124  /  2704  /  2YN3973.exe  /  77  (x3)
  PID 2704 wrote to memory of 2720  /  2704  /  2YN3973.exe  /  78  (x3)
  PID 2704 wrote to memory of 224  /  2704  /  2YN3973.exe  /  79  (x10)
Processes (indented by parent/child relationship)

C:\Users\Admin\AppData\Local\Temp\ae2e7968e9d135045969af3b12d83a29ff86931702e55070d5481a48703c34a9.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ae2e7968e9d135045969af3b12d83a29ff86931702e55070d5481a48703c34a9.exe"
  PID: 4768
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KR5rX80.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KR5rX80.exe
    PID: 1164
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rg5QB67.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rg5QB67.exe
      PID: 5112
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IX4GP13.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IX4GP13.exe
        PID: 4472
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Dh93jA1.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Dh93jA1.exe
          PID: 4100
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2YN3973.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2YN3973.exe
          PID: 2704
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory

          C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            PID: 228

          C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            PID: 1124

          C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            PID: 2720

          C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            PID: 224

            C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 568
              PID: 3584
              - Program crash

          C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 140
            PID: 4736
            - Program crash
Network

MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 737KB
MD5: b7aaf55af27d4a3c181ac18ee65a58bf
SHA1: 7885d435cd40bb35c6b3ec4106d4025106ae5126
SHA256: 8097e1e428c44aef4fafabbe421b2c1970eb2eb680e1d25100528f18e1927332
SHA512: 7268b9b46ac0bd4b78c3e2ad11c01f46858d5272beeb8dcd01cbb434b3bed2c572931a7a56f40a3b0c7c2f83b805ecb561e30c285b9ac120d981875054f0652c

Filesize: 490KB
MD5: 4d44a2ba3feda8c26d63ae09ccde75aa
SHA1: a77dc164e9128e1e92047ed13eb984d59f4c723c
SHA256: dc5bb17b44268b9ddb288e0bf0fd0d9f9a43f08067d8bd1ba4762ddf7fbed4d5
SHA512: 8289f4712737af707ea3d1e2baf94ce9496681eea2ed3f1de266d588b6ce06c5c8aba6e68e9d55091d4997e5cd2215a9aa8b87d44a0cf4d69fbc409618195326

Filesize: 293KB
MD5: e2b98d6f8c393cb6b0ee25d801a61d95
SHA1: 877c429c5225231a7ff7f4c3f3dabf8df8b4d5b4
SHA256: 9e1056499a931a07e17d4983723fe26c3c09191edd743ad9e3cec9777ce4492d
SHA512: ecd6aad8a9032fe3aa7bf5d8a618b4522ac5d797650c0c636e268a5e5d31e76bda9540731c34df7666c1faf831c925252defe07923a9b6217848448c1cb255fa

Filesize: 12KB
MD5: d93eab621ecd3f27091fe302a5491945
SHA1: 2240ceaa448d7bc1aae00641cb9998a189deb872
SHA256: 2442573c4b240c8ff33d508c571d6e82d32643893f64e078f419b49b18613ea7
SHA512: f8a3cf1d092520029a6dae181042c4104fd3785354c91f832d9612fa436651abb5933f8e142941d999b41b8adac5bbfeccd837508f6abd1449e7172ca9152816

Filesize: 285KB
MD5: 192e97ba8aba31ccb719acf64cc6d0af
SHA1: 68f86fe734182995edb61351ee44ee08f00d1f6a
SHA256: 523fac9407dd3be6a16d97d2d587bfc94e40c3f208daced37dc40cd8cc088ad2
SHA512: 01870f270dac29a3484a0a7b199da1decfe83a0c35a6a9c97ad38a8ec742839e375b153481bf4e0f07819e43c43e707aaa2edf2b70ea7a2a1138109d4327dbc1