Analysis
  max time kernel: 126s
  max time network: 131s
  platform: windows10-1703_x64
  resource: win10-20230915-en
  resource tags: arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
  submitted: 03/10/2023, 02:47

Static task: static1
Behavioral task: behavioral1
  Sample: cb86ac0718e455fc519269fc5b36823c514d89229e647581f36ec77646968ac2.exe
  Resource: win10-20230915-en
General
  Target: cb86ac0718e455fc519269fc5b36823c514d89229e647581f36ec77646968ac2.exe
  Size: 876KB
  MD5: ac97270a5470745eda751faf08d6b12f
  SHA1: f2d090a0afbf159d39cd1bf29aab30e37fb3d8d5
  SHA256: cb86ac0718e455fc519269fc5b36823c514d89229e647581f36ec77646968ac2
  SHA512: f944bafea1e471fc78e3b6dc71d46f8f8282195734ce3382999455e0c01c461e0f12bc3cebb4d79431a04f477e34eb122ba39492fa409a9d501d1052ce9acce6
  SSDEEP: 24576:7ydDHOiHVqofGIp4JetcUuVv2v3W9kSSE2i:ulHOmqof52euPVv2vs3
Malware Config
Signatures

Detects Healer, an antivirus disabler dropper (3 IoCs)
  resource                                                                       yara_rule
  behavioral1/files/0x000700000001b03e-26.dat                                    healer
  behavioral1/files/0x000700000001b03e-27.dat                                    healer
  behavioral1/memory/1456-28-0x00000000005D0000-0x00000000005DA000-memory.dmp    healer

Modifies Windows Defender Real-time Protection settings (5 IoCs)
  description      ioc                                                                                                                    Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"    1CH40xi7.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"        1CH40xi7.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"    1CH40xi7.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"    1CH40xi7.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  1CH40xi7.exe

Executes dropped EXE (5 IoCs)
  pid   Process
  432   MG2Id04.exe
  4200  KH8dw48.exe
  4136  jF0Rs23.exe
  1456  1CH40xi7.exe
  4512  2pd9440.exe

Windows security modification (1 IoC)
  description      ioc                                                                                  Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"  1CH40xi7.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
  description      ioc                                                                                                   Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  cb86ac0718e455fc519269fc5b36823c514d89229e647581f36ec77646968ac2.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  MG2Id04.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""  KH8dw48.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""  jF0Rs23.exe

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process      procid_target
  PID 4512 set thread context of 3264  4512  2pd9440.exe  76

Program crash (2 IoCs)
  pid   pid_target  Process       procid_target
  788   4512        WerFault.exe  74
  1900  3264        WerFault.exe  76

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  1456  1CH40xi7.exe
  1456  1CH40xi7.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  1456  1CH40xi7.exe

Suspicious use of WriteProcessMemory (24 IoCs)
  description                       pid   Process                                                                py procid_target
  PID 3536 wrote to memory of 432   3536  cb86ac0718e455fc519269fc5b36823c514d89229e647581f36ec77646968ac2.exe  70
  PID 3536 wrote to memory of 432   3536  cb86ac0718e455fc519269fc5b36823c514d89229e647581f36ec77646968ac2.exe  70
  PID 3536 wrote to memory of 432   3536  cb86ac0718e455fc519269fc5b36823c514d89229e647581f36ec77646968ac2.exe  70
  PID 432 wrote to memory of 4200   432   MG2Id04.exe  71
  PID 432 wrote to memory of 4200   432   MG2Id04.exe  71
  PID 432 wrote to memory of 4200   432   MG2Id04.exe  71
  PID 4200 wrote to memory of 4136  4200  KH8dw48.exe  72
  PID 4200 wrote to memory of 4136  4200  KH8dw48.exe  72
  PID 4200 wrote to memory of 4136  4200  KH8dw48.exe  72
  PID 4136 wrote to memory of 1456  4136  jF0Rs23.exe  73
  PID 4136 wrote to memory of 1456  4136  jF0Rs23.exe  73
  PID 4136 wrote to memory of 4512  4136  jF0Rs23.exe  74
  PID 4136 wrote to memory of 4512  4136  jF0Rs23.exe  74
  PID 4136 wrote to memory of 4512  4136  jF0Rs23.exe  74
  PID 4512 wrote to memory of 3264  4512  2pd9440.exe  76
  PID 4512 wrote to memory of 3264  4512  2pd9440.exe  76
  PID 4512 wrote to memory of 3264  4512  2pd9440.exe  76
  PID 4512 wrote to memory of 3264  4512  2pd9440.exe  76
  PID 4512 wrote to memory of 3264  4512  2pd9440.exe  76
  PID 4512 wrote to memory of 3264  4512  2pd9440.exe  76
  PID 4512 wrote to memory of 3264  4512  2pd9440.exe  76
  PID 4512 wrote to memory of 3264  4512  2pd9440.exe  76
  PID 4512 wrote to memory of 3264  4512  2pd9440.exe  76
  PID 4512 wrote to memory of 3264  4512  2pd9440.exe  76
Processes

C:\Users\Admin\AppData\Local\Temp\cb86ac0718e455fc519269fc5b36823c514d89229e647581f36ec77646968ac2.exe (PID 3536)
  command line: "C:\Users\Admin\AppData\Local\Temp\cb86ac0718e455fc519269fc5b36823c514d89229e647581f36ec77646968ac2.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MG2Id04.exe (PID 432)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MG2Id04.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KH8dw48.exe (PID 4200)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KH8dw48.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jF0Rs23.exe (PID 4136)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jF0Rs23.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1CH40xi7.exe (PID 1456)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1CH40xi7.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2pd9440.exe (PID 4512)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2pd9440.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory

          C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 3264)
            command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

            C:\Windows\SysWOW64\WerFault.exe (PID 1900)
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 568
              - Program crash

          C:\Windows\SysWOW64\WerFault.exe (PID 788)
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 144
            - Program crash
Network
MITRE ATT&CK Enterprise v15
  Persistence
    Boot or Logon Autostart Execution (1)
      Registry Run Keys / Startup Folder (1)
    Create or Modify System Process (1)
      Windows Service (1)
Downloads