Analysis
max time kernel: 119s
max time network: 128s
platform: windows10-1703_x64
resource: win10-20230915-en
resource tags: arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
submitted: 03/10/2023, 02:55

Static task: static1
Behavioral task: behavioral1
Sample: ea94336e930c6d164b6099730bcffb52db8d10610167f5006f43c8a2fb577e93.exe
Resource: win10-20230915-en
General
Target: ea94336e930c6d164b6099730bcffb52db8d10610167f5006f43c8a2fb577e93.exe
Size: 876KB
MD5: 80052015c76e4d6cad8f16c5e756bc19
SHA1: 4ad6a46018130e0c3c10272fdb81be2058e73d5e
SHA256: ea94336e930c6d164b6099730bcffb52db8d10610167f5006f43c8a2fb577e93
SHA512: 371aea14e2104f3e0c324e200a83520b2158e8c93bbd10a70629d4fee9ac5f87b36fedb22d13ef005ff86beb719ec9773763d595f5990aa1a38fdbe01935d6ad
SSDEEP: 12288:GMrKy90mBdh7RS0XUxr7NONkaynGw67y/cFMsr4eEHinlZoCuMhtHd:syLdh7HS7NnGV7y/VeECnvoCrB
Malware Config
Signatures

Detects Healer, an antivirus disabler dropper (3 IoCs)
  resource | yara_rule
  behavioral1/files/0x000700000001aff8-26.dat | healer
  behavioral1/files/0x000700000001aff8-27.dat | healer
  behavioral1/memory/760-28-0x00000000002E0000-0x00000000002EA000-memory.dmp | healer

Modifies Windows Defender Real-time Protection settings (5 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 1me35um6.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 1me35um6.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 1me35um6.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 1me35um6.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 1me35um6.exe

Executes dropped EXE (5 IoCs)
  pid | Process
  2080 | wp2Et77.exe
  3080 | Ue9GK99.exe
  2668 | eJ1Vg68.exe
  760 | 1me35um6.exe
  5092 | 2Ux5140.exe

Windows security modification (1 IoC)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | 1me35um6.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | Ue9GK99.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | eJ1Vg68.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | ea94336e930c6d164b6099730bcffb52db8d10610167f5006f43c8a2fb577e93.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | wp2Et77.exe

Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 5092 set thread context of 4276 | 5092 | 2Ux5140.exe | 78

Program crash (2 IoCs)
  pid | pid_target | Process | procid_target
  4272 | 5092 | WerFault.exe | 74
  3148 | 4276 | WerFault.exe | 78

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  760 | 1me35um6.exe
  760 | 1me35um6.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 760 | 1me35um6.exe

Suspicious use of WriteProcessMemory (30 IoCs)
  description | pid | Process | procid_target
  PID 4176 wrote to memory of 2080 | 4176 | ea94336e930c6d164b6099730bcffb52db8d10610167f5006f43c8a2fb577e93.exe | 70
  PID 4176 wrote to memory of 2080 | 4176 | ea94336e930c6d164b6099730bcffb52db8d10610167f5006f43c8a2fb577e93.exe | 70
  PID 4176 wrote to memory of 2080 | 4176 | ea94336e930c6d164b6099730bcffb52db8d10610167f5006f43c8a2fb577e93.exe | 70
  PID 2080 wrote to memory of 3080 | 2080 | wp2Et77.exe | 71
  PID 2080 wrote to memory of 3080 | 2080 | wp2Et77.exe | 71
  PID 2080 wrote to memory of 3080 | 2080 | wp2Et77.exe | 71
  PID 3080 wrote to memory of 2668 | 3080 | Ue9GK99.exe | 72
  PID 3080 wrote to memory of 2668 | 3080 | Ue9GK99.exe | 72
  PID 3080 wrote to memory of 2668 | 3080 | Ue9GK99.exe | 72
  PID 2668 wrote to memory of 760 | 2668 | eJ1Vg68.exe | 73
  PID 2668 wrote to memory of 760 | 2668 | eJ1Vg68.exe | 73
  PID 2668 wrote to memory of 5092 | 2668 | eJ1Vg68.exe | 74
  PID 2668 wrote to memory of 5092 | 2668 | eJ1Vg68.exe | 74
  PID 2668 wrote to memory of 5092 | 2668 | eJ1Vg68.exe | 74
  PID 5092 wrote to memory of 2132 | 5092 | 2Ux5140.exe | 76
  PID 5092 wrote to memory of 2132 | 5092 | 2Ux5140.exe | 76
  PID 5092 wrote to memory of 2132 | 5092 | 2Ux5140.exe | 76
  PID 5092 wrote to memory of 4236 | 5092 | 2Ux5140.exe | 77
  PID 5092 wrote to memory of 4236 | 5092 | 2Ux5140.exe | 77
  PID 5092 wrote to memory of 4236 | 5092 | 2Ux5140.exe | 77
  PID 5092 wrote to memory of 4276 | 5092 | 2Ux5140.exe | 78
  PID 5092 wrote to memory of 4276 | 5092 | 2Ux5140.exe | 78
  PID 5092 wrote to memory of 4276 | 5092 | 2Ux5140.exe | 78
  PID 5092 wrote to memory of 4276 | 5092 | 2Ux5140.exe | 78
  PID 5092 wrote to memory of 4276 | 5092 | 2Ux5140.exe | 78
  PID 5092 wrote to memory of 4276 | 5092 | 2Ux5140.exe | 78
  PID 5092 wrote to memory of 4276 | 5092 | 2Ux5140.exe | 78
  PID 5092 wrote to memory of 4276 | 5092 | 2Ux5140.exe | 78
  PID 5092 wrote to memory of 4276 | 5092 | 2Ux5140.exe | 78
  PID 5092 wrote to memory of 4276 | 5092 | 2Ux5140.exe | 78
Processes
(depth in the process tree is given in brackets)

[1] C:\Users\Admin\AppData\Local\Temp\ea94336e930c6d164b6099730bcffb52db8d10610167f5006f43c8a2fb577e93.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ea94336e930c6d164b6099730bcffb52db8d10610167f5006f43c8a2fb577e93.exe"
    PID: 4176
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wp2Et77.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wp2Et77.exe
      PID: 2080
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ue9GK99.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ue9GK99.exe
        PID: 3080
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eJ1Vg68.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eJ1Vg68.exe
          PID: 2668
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1me35um6.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1me35um6.exe
            PID: 760
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ux5140.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ux5140.exe
            PID: 5092
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              PID: 2132
          [6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              PID: 4236
          [6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              PID: 4276
            [7] C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 568
                PID: 3148
                - Program crash
          [6] C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 588
              PID: 4272
              - Program crash
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 737KB
MD5: 52ed0d4cad0ceb29afb1804c5f1489eb
SHA1: 3fac180571a5f2e3c156e3066fad928f9f563d0d
SHA256: fca6694f173e2cf3e02430a37c305ab4e58ce95b830c83c32ebdd8da7b7a85a3
SHA512: 4256506efd57c928d5a2e3736bcaa3237c8b33df6c51f99f358c353b54aa15d9196fd4cd7aa07eeae56842b549a0258edc3af43b7193d17eaec5ae0ba0de91e5

Filesize: 490KB
MD5: 1e171451dc2a0da783ad0da1845272ca
SHA1: d8a3fe31dfb22bf2732b4b3fbbeec481aeeeb814
SHA256: 1317f453a7b58b585d93aa86431c97374433d6edad874369166c28e6c2d64f04
SHA512: 885a1beb39031a319f6ddf7de1d745d5f855168dae186d850b4ac29137cc0886c1d4114bc5dc3241492dced5aae3b013ca755f7696aeb2377a6899b365e45649

Filesize: 293KB
MD5: 171adcd4b6203c84c60aa8906c989352
SHA1: 12760c7bb5a52bf5e26f7b690c29c5be391216d2
SHA256: c0f77ed0cf045092cd1245710c34b9d779508699bbaf3bf05cdc31c484c2e094
SHA512: 801731362cf64496fa20b178db64976a184cc0378e1cc6c5acb54ec306ebc6f2a23dde4be15b25442589a708b6c660fb1a16d63116a66b92d90c6ecf1bc01789

Filesize: 12KB
MD5: 31e10401a29a6864917ba298a4dee9f7
SHA1: 1fc35715da630fee7092ed0a405a71a3de55ec5c
SHA256: 5def27b47d5664016b169525e800af478f7a484ed55ff55a7a6946afb4373715
SHA512: f4cf33584a3bef1fb9a49bf69a970ca8dfb4fcfd884e58ec73929b7a66f2efd9fb48f807a061c8d87bfd5d3cdbe7cf4328e95cd9bf421036eb0e3363d3e05a99

Filesize: 285KB
MD5: e6eb4b6e93d29cbd10519979de39cfe1
SHA1: f7bd8c746e9af1242c65915007de51628a3e228e
SHA256: fa41b39c0a6bfbd4f1bbee90896bff7b0316fa6745ebdec4800e3ba1e58d1c6b
SHA512: 30f5850a9fded402fa04c376459db0b06825a3086d3d94fe25cfc4a234461992093685e3104787fa8f607ea2a73645bdee79dbab3504c7c3b09074f32bd23d10