Analysis

  • max time kernel
    108s
  • max time network
    114s
  • platform
    windows10-1703_x64
  • resource
    win10-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    03/10/2023, 02:47

General

  • Target

    84c1bc638f1d0b9b5e8b0b943e6bc8e299a3904fd8d2d9567a3cf1e7eeddf216.exe

  • Size

    1.0MB

  • MD5

    5d926bf0d9f17c5fbb87243942c8b326

  • SHA1

    2b0823fa3a93159be3aa0c8d817dd310b9b5d51a

  • SHA256

    84c1bc638f1d0b9b5e8b0b943e6bc8e299a3904fd8d2d9567a3cf1e7eeddf216

  • SHA512

    2151683d99f9272b036a35cb2c0caa2bdc14019ff338ab1ee2db92464ce0d687be1aeb88892b974090dfd6c7e9965c263ec439d677bfe5d157103e5fe5c408b4

  • SSDEEP

    24576:oy69+IJQx7lfll38PboWmJank9ndPxbX:v69+F7lQjoWmck9hx

Malware Config

Signatures

  • Detects Healer, an antivirus disabler dropper 3 IoCs
  • Healer

    Healer, an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\84c1bc638f1d0b9b5e8b0b943e6bc8e299a3904fd8d2d9567a3cf1e7eeddf216.exe
    "C:\Users\Admin\AppData\Local\Temp\84c1bc638f1d0b9b5e8b0b943e6bc8e299a3904fd8d2d9567a3cf1e7eeddf216.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1512
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6705299.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6705299.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3680
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1942514.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1942514.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4412
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3887886.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3887886.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:208
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6078848.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6078848.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:4420
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3304731.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3304731.exe
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Executes dropped EXE
              • Windows security modification
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2480
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3104028.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3104028.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:304
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                7⤵
                  PID:4528
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 188
                    8⤵
                    • Program crash
                    PID:3344
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 304 -s 144
                  7⤵
                  • Program crash
                  PID:2496
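The tree above is a five-stage IExpress chain (each `IXP###.TMP` directory is one self-extracting layer) that finally drops two payloads: the 12KB `q3304731.exe` (the Healer component, tagged with the Defender real-time protection change) and `r3104028.exe`, whose SetThreadContext/WriteProcessMemory tags followed by an `AppLaunch.exe` child are the shape of process hollowing; the `WerFault.exe -p 4528` and `-p 304` entries show both the host and the injector crashed. The script below is an added example, not the sandbox's own code: it transcribes the report's process tree (PIDs, paths, command lines and behaviour tags are the report's) and runs three detection rules over it. The registry events are constructed, since the report only states that Real-time Protection settings and a Run key were modified; the value names under `Real-Time Protection` and the Run-key name are assumptions typical of Healer-style tampering, not data from the page, and the list of hollowing hosts beyond `AppLaunch.exe` is likewise an assumption.

```python
"""Detection rules over a sandbox process tree. Added example; the tree is
transcribed from the report, the registry events are constructed (see notes)."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str                      # full image path
    parent: Optional[int]           # parent PID, None for the submitted sample
    tags: frozenset = frozenset()   # behaviour tags the sandbox attached
    cmdline: str = ""               # only recorded where it differs from the image


T = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = T + r"\84c1bc638f1d0b9b5e8b0b943e6bc8e299a3904fd8d2d9567a3cf1e7eeddf216.exe"
WER = r"C:\Windows\SysWOW64\WerFault.exe"
APPLAUNCH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
DROPPER = frozenset({"RunKey", "WriteProcessMemory"})

# Process tree as recorded in the report.
PROCS = {p.pid: p for p in (
    Proc(1512, SAMPLE, None, DROPPER),
    Proc(3680, T + r"\IXP000.TMP\z6705299.exe", 1512, DROPPER),
    Proc(4412, T + r"\IXP001.TMP\z1942514.exe", 3680, DROPPER),
    Proc(208,  T + r"\IXP002.TMP\z3887886.exe", 4412, DROPPER),
    Proc(4420, T + r"\IXP003.TMP\z6078848.exe", 208, DROPPER),
    Proc(2480, T + r"\IXP004.TMP\q3304731.exe", 4420,
         frozenset({"DefenderRTP", "AdjustPrivilegeToken", "EnumeratesProcesses"})),
    Proc(304,  T + r"\IXP004.TMP\r3104028.exe", 4420,
         frozenset({"SetThreadContext", "WriteProcessMemory"})),
    Proc(4528, APPLAUNCH, 304),
    Proc(3344, WER, 4528, frozenset({"ProgramCrash"}), WER + " -u -p 4528 -s 188"),
    Proc(2496, WER, 304, frozenset({"ProgramCrash"}), WER + " -u -p 304 -s 144"),
)}

IXP_DIR = re.compile(r"\\IXP\d{3}\.TMP\\", re.IGNORECASE)          # IExpress temp dir
WER_TARGET = re.compile(r"WerFault\.exe\b.*?\s-p\s+(\d+)", re.IGNORECASE)
# .NET hosts commonly hollowed; the report shows AppLaunch.exe, the rest is assumed.
HOLLOW_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}


def ancestry(procs, pid):
    """Yield a process and its ancestors, nearest first."""
    while pid in procs:
        yield procs[pid]
        pid = procs[pid].parent


def ixp_depth(procs, pid):
    """Number of IExpress (IXP###.TMP) stages between pid and the root."""
    return sum(1 for p in ancestry(procs, pid) if IXP_DIR.search(p.image))


def hollowing_pairs(procs):
    """(injector, host) pairs: a parent tagged SetThreadContext+WriteProcessMemory
    that spawned a known .NET host, the classic process-hollowing shape."""
    want = {"SetThreadContext", "WriteProcessMemory"}
    return [(c.parent, c.pid) for c in procs.values()
            if c.parent in procs and want <= procs[c.parent].tags
            and c.image.rsplit("\\", 1)[-1].lower() in HOLLOW_HOSTS]


def crashed_pids(procs):
    """PIDs that WerFault was launched for (-p <pid>): which stages died."""
    hits = (WER_TARGET.search(p.cmdline) for p in procs.values())
    return {int(m.group(1)) for m in hits if m}


RTP = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection"
RUN = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Constructed registry-set events (pid, value path, data); value names are assumed.
REG_EVENTS = [
    (2480, RTP + r"\DisableRealtimeMonitoring", 1),
    (2480, RTP + r"\DisableBehaviorMonitoring", 1),
    (2480, RTP + r"\DisableIOAVProtection", 1),
    (2480, RTP + r"\DisableOnAccessProtection", 1),
    (2480, RTP + r"\DisableScanOnRealtimeEnable", 1),
    (1512, RUN + r"\z6705299", T + r"\IXP000.TMP\z6705299.exe"),
]


def defender_rtp_tamper(events):
    """Writes that switch a Real-Time Protection 'Disable*' value on."""
    return [(pid, path.rsplit("\\", 1)[-1]) for pid, path, data in events
            if path.lower().startswith(RTP.lower() + "\\")
            and path.rsplit("\\", 1)[-1].lower().startswith("disable") and data == 1]


def run_key_persistence(events):
    """Run-key values written, with the program they point at."""
    return [(pid, data) for pid, path, data in events
            if path.lower().startswith(RUN.lower() + "\\")]


def triage(procs, events):
    return {
        "iexpress_stages": max(ixp_depth(procs, pid) for pid in procs),
        "hollowing": hollowing_pairs(procs),
        "crashed": sorted(crashed_pids(procs)),
        "defender_tamper": [name for _, name in defender_rtp_tamper(events)],
        "persistence": run_key_persistence(events),
    }


if __name__ == "__main__":
    for key, value in triage(PROCS, REG_EVENTS).items():
        print(f"{key}: {value}")
```

The hollowing rule keys on the parent's behaviour tags plus a child image from a short allow-list, which is what the `memory/4528-*` dumps corroborate: a fresh 160KB image at the default 32-bit base 0x400000 inside a Microsoft-signed host. The IExpress rule counts stages along the ancestry rather than matching one directory, so a single `IXP000.TMP` launch from a legitimate installer scores 1 while this chain scores 5.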

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6705299.exe

            Filesize

            904KB

            MD5

            8263fefe1621d74c53929234927f9a08

            SHA1

            80978b00097960e5af4807a9b6bdbd97cc106e88

            SHA256

            4a9d993706292a4e06ed6dde1770d5cf41c92eaaf333d043c5e63a1a29c2199d

            SHA512

            07f5c03e54d3a37d2841a3c46c47e0fb306fc2703e3faf76f8bf49c867133938d87aba7bbbd10574d76b617a8a0c8e395e701cb2c4e4270ee469035e0801b97f

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1942514.exe

            Filesize

            723KB

            MD5

            ede3d6d4cc7c9f625f878f7f8ef9de10

            SHA1

            b6cf3249e25e5180284f00318b73aee63d980d32

            SHA256

            d8e54133a3a9ebccc271b14b92068c9cb072c95bc51c522125aa7584f1d51eed

            SHA512

            f2fae03d247f0effa4979e9f5b4f9f785e99dcefd4130ee9c829573f7e0059b8921e78952304950f6634bfc5112cbbdc4b7af6b8dd3e17096dcb6f04849a1e3b

          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3887886.exe

            Filesize

            540KB

            MD5

            679f5bd90650edf350de34fe1fd1a3f1

            SHA1

            d95839d8ff4311a7fa5519ed4d5faf7c79aed178

            SHA256

            02a26f1cae81a0db0cf026f6f0347067077c507f058b4cde76cc91493bed64b5

            SHA512

            eec68ec06b7df178e8746c14d5461b855a2c9672923b2ce6288e28ccada90c030a23be77e816a3953e6e5f201ccb368ef57cdf34a5a80fa30076c6175f0639a5

          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6078848.exe

            Filesize

            293KB

            MD5

            9b1be164a12eb284f60f3c39ef8bf34b

            SHA1

            15cb4f7f59bb63019bc89b75d86f8fc21fdfcb8c

            SHA256

            8ab9f52716bb7673a5bc36a81aad2ad254361133e45c2e1e0ecdf4af1a44ffab

            SHA512

            89d55c68144cca21d1ac9a03172854bf186a5ab84e1b2f34c7c4bab54e599d8cd510be2fcd3b6360739023bf74a2332c7c0896efa5470da325d98a0e819b4f27

          • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3304731.exe

            Filesize

            12KB

            MD5

            8bf4acae7a7670bdea02fd826e7eb30a

            SHA1

            fa83e87c2d0efaf1ab4ab03c06b9bc065b950575

            SHA256

            4d0ec15e03b4960fdac0348c906333ec45e36f6d1b8bcdedaa26ee8db8bb7810

            SHA512

            bfeaab8cc9c9f05259158ed32fb998da78ec7ba367d52563274cb67a3afc87d32fbabba72addcb5328d8eb74b5e3bf5578cd05ba6045b256db32c2880c8a57bc

          • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3104028.exe

            Filesize

            285KB

            MD5

            310e97a368f24bef14fc8a3fd3e07220

            SHA1

            0dde0de270fe8d9a689ea903f5754b91bc79c2ed

            SHA256

            1f2eabc0b19e80f63942b7161a54bcae6bbc1ecf44aa2ca5427188b92a122807

            SHA512

            34263241f5c7c65144c99eaaa2643f3f236768dad699541c74051ac7eb2699d6f184b7e4e05cfeeffc0d8903e2f7a0cae59437832ad9dc06eff5f8b39ffe4ccf

          • memory/2480-35-0x00000000004B0000-0x00000000004BA000-memory.dmp

            Filesize

            40KB

          • memory/2480-36-0x00007FFB432D0000-0x00007FFB43CBC000-memory.dmp

            Filesize

            9.9MB

          • memory/2480-38-0x00007FFB432D0000-0x00007FFB43CBC000-memory.dmp

            Filesize

            9.9MB

          • memory/4528-42-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB

          • memory/4528-45-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB

          • memory/4528-46-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB

          • memory/4528-48-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB