Analysis

max time kernel: 108s
max time network: 114s
platform: windows10-1703_x64
resource: win10-20230915-en
resource tags: arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
submitted: 03/10/2023, 02:47

Static task: static1
Behavioral task: behavioral1
Sample: 84c1bc638f1d0b9b5e8b0b943e6bc8e299a3904fd8d2d9567a3cf1e7eeddf216.exe
Resource: win10-20230915-en
General

Target: 84c1bc638f1d0b9b5e8b0b943e6bc8e299a3904fd8d2d9567a3cf1e7eeddf216.exe
Size: 1.0MB
MD5: 5d926bf0d9f17c5fbb87243942c8b326
SHA1: 2b0823fa3a93159be3aa0c8d817dd310b9b5d51a
SHA256: 84c1bc638f1d0b9b5e8b0b943e6bc8e299a3904fd8d2d9567a3cf1e7eeddf216
SHA512: 2151683d99f9272b036a35cb2c0caa2bdc14019ff338ab1ee2db92464ce0d687be1aeb88892b974090dfd6c7e9965c263ec439d677bfe5d157103e5fe5c408b4
SSDEEP: 24576:oy69+IJQx7lfll38PboWmJank9ndPxbX:v69+F7lQjoWmck9hx
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (3 IoCs)

resource | yara_rule
behavioral1/files/0x000700000001affc-33.dat | healer
behavioral1/files/0x000700000001affc-34.dat | healer
behavioral1/memory/2480-35-0x00000000004B0000-0x00000000004BA000-memory.dmp | healer

Modifies Windows Defender Real-time Protection settings

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | q3304731.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | q3304731.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | q3304731.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | q3304731.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | q3304731.exe
Executes dropped EXE (6 IoCs)

pid | Process
3680 | z6705299.exe
4412 | z1942514.exe
208 | z3887886.exe
4420 | z6078848.exe
2480 | q3304731.exe
304 | r3104028.exe

Windows security modification

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | q3304731.exe
Adds Run key to start application (2 TTPs, 5 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 84c1bc638f1d0b9b5e8b0b943e6bc8e299a3904fd8d2d9567a3cf1e7eeddf216.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | z6705299.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | z1942514.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | z3887886.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | z6078848.exe
Suspicious use of SetThreadContext (1 IoC)

description | pid | Process | procid_target
PID 304 set thread context of 4528 | 304 | r3104028.exe | 77

Program crash (2 IoCs)

pid | pid_target | Process | procid_target
2496 | 304 | WerFault.exe | 76
3344 | 4528 | WerFault.exe | 77

Suspicious behavior: EnumeratesProcesses (2 IoCs)

pid | Process
2480 | q3304731.exe
2480 | q3304731.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)

description | pid | Process
Token: SeDebugPrivilege | 2480 | q3304731.exe

Suspicious use of WriteProcessMemory (27 IoCs)

description | pid | Process | procid_target
PID 1512 wrote to memory of 3680 | 1512 | 84c1bc638f1d0b9b5e8b0b943e6bc8e299a3904fd8d2d9567a3cf1e7eeddf216.exe | 70
PID 1512 wrote to memory of 3680 | 1512 | 84c1bc638f1d0b9b5e8b0b943e6bc8e299a3904fd8d2d9567a3cf1e7eeddf216.exe | 70
PID 1512 wrote to memory of 3680 | 1512 | 84c1bc638f1d0b9b5e8b0b943e6bc8e299a3904fd8d2d9567a3cf1e7eeddf216.exe | 70
PID 3680 wrote to memory of 4412 | 3680 | z6705299.exe | 71
PID 3680 wrote to memory of 4412 | 3680 | z6705299.exe | 71
PID 3680 wrote to memory of 4412 | 3680 | z6705299.exe | 71
PID 4412 wrote to memory of 208 | 4412 | z1942514.exe | 72
PID 4412 wrote to memory of 208 | 4412 | z1942514.exe | 72
PID 4412 wrote to memory of 208 | 4412 | z1942514.exe | 72
PID 208 wrote to memory of 4420 | 208 | z3887886.exe | 73
PID 208 wrote to memory of 4420 | 208 | z3887886.exe | 73
PID 208 wrote to memory of 4420 | 208 | z3887886.exe | 73
PID 4420 wrote to memory of 2480 | 4420 | z6078848.exe | 74
PID 4420 wrote to memory of 2480 | 4420 | z6078848.exe | 74
PID 4420 wrote to memory of 304 | 4420 | z6078848.exe | 76
PID 4420 wrote to memory of 304 | 4420 | z6078848.exe | 76
PID 4420 wrote to memory of 304 | 4420 | z6078848.exe | 76
PID 304 wrote to memory of 4528 | 304 | r3104028.exe | 77
PID 304 wrote to memory of 4528 | 304 | r3104028.exe | 77
PID 304 wrote to memory of 4528 | 304 | r3104028.exe | 77
PID 304 wrote to memory of 4528 | 304 | r3104028.exe | 77
PID 304 wrote to memory of 4528 | 304 | r3104028.exe | 77
PID 304 wrote to memory of 4528 | 304 | r3104028.exe | 77
PID 304 wrote to memory of 4528 | 304 | r3104028.exe | 77
PID 304 wrote to memory of 4528 | 304 | r3104028.exe | 77
PID 304 wrote to memory of 4528 | 304 | r3104028.exe | 77
PID 304 wrote to memory of 4528 | 304 | r3104028.exe | 77
Processes

1 C:\Users\Admin\AppData\Local\Temp\84c1bc638f1d0b9b5e8b0b943e6bc8e299a3904fd8d2d9567a3cf1e7eeddf216.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\84c1bc638f1d0b9b5e8b0b943e6bc8e299a3904fd8d2d9567a3cf1e7eeddf216.exe"
  PID: 1512
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  2 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6705299.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6705299.exe
    PID: 3680
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    3 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1942514.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1942514.exe
      PID: 4412
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      4 C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3887886.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3887886.exe
        PID: 208
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        5 C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6078848.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6078848.exe
          PID: 4420
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory

          6 C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3304731.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3304731.exe
            PID: 2480
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

          6 C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3104028.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3104028.exe
            PID: 304
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory

            7 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              PID: 4528

              8 C:\Windows\SysWOW64\WerFault.exe
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 188
                PID: 3344
                - Program crash

            7 C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 304 -s 144
              PID: 2496
              - Program crash
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads