Analysis

  • max time kernel
    119s
  • max time network
    128s
  • platform
    windows10-1703_x64
  • resource
    win10-20230915-en
  • resource tags

    arch:x64 arch:x86 image:win10-20230915-en locale:en-us os:windows10-1703-x64 system
  • submitted
    03/10/2023, 02:55

General

  • Target

    ea94336e930c6d164b6099730bcffb52db8d10610167f5006f43c8a2fb577e93.exe

  • Size

    876KB

  • MD5

    80052015c76e4d6cad8f16c5e756bc19

  • SHA1

    4ad6a46018130e0c3c10272fdb81be2058e73d5e

  • SHA256

    ea94336e930c6d164b6099730bcffb52db8d10610167f5006f43c8a2fb577e93

  • SHA512

    371aea14e2104f3e0c324e200a83520b2158e8c93bbd10a70629d4fee9ac5f87b36fedb22d13ef005ff86beb719ec9773763d595f5990aa1a38fdbe01935d6ad

  • SSDEEP

    12288:GMrKy90mBdh7RS0XUxr7NONkaynGw67y/cFMsr4eEHinlZoCuMhtHd:syLdh7HS7NnGV7y/VeECnvoCrB

Malware Config

Signatures

  • Detects Healer, an antivirus disabler dropper 3 IoCs
  • Healer

    Healer, an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
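
The two signatures above that leave durable traces on disk are the Defender real-time protection change and the Run-key persistence written by each of the first four stages. The report does not list the registry values that were touched, so the script below is an added triage example (not sandbox output and not part of the report): it parses a .reg export of the affected hives and reports which real-time protection policy values are set to 1 and which Run entries point into the user's Temp directory. The policy value names are real Defender policy names; the export text is constructed, and the Run value name `wp2Et77` and the specific Defender values flipped are assumptions.

```python
import re
from typing import Dict, List, Tuple, Union

RegValue = Union[int, str]

# Policy values under the Defender Real-Time Protection key; each one set to 1 switches a
# protection off. The names are real; which of them this sample set is not stated in the report.
RTP_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
RTP_DISABLE_VALUES = (
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableScanOnRealtimeEnable",
)
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)

# Constructed .reg export standing in for a post-infection dump. The value name "wp2Et77" and the
# Defender values set to 1 are assumptions; only the dropped file path comes from the report.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableRealtimeMonitoring"=dword:00000001
"DisableBehaviorMonitoring"=dword:00000001
"DisableIOAVProtection"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"wp2Et77"="C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\wp2Et77.exe"
"OneDrive"="C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9A-Fa-f]{8})|"(.*)")$')


def parse_reg(text: str) -> Dict[str, Dict[str, RegValue]]:
    """Minimal .reg parser: key path (lower-cased) -> {value name: int for dword, str for REG_SZ}.
    Only the two value types needed here are handled; lines of other types are skipped."""
    keys: Dict[str, Dict[str, RegValue]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            current = km.group(1).lower()
            keys.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            name, dword, string = vm.groups()
            # .reg files double backslashes inside REG_SZ data; undo that for path comparisons.
            keys[current][name] = int(dword, 16) if dword is not None else string.replace("\\\\", "\\")
    return keys


def defender_tampering(keys: Dict[str, Dict[str, RegValue]]) -> List[str]:
    """Names of the real-time protection policy values set to 1 (protection switched off)."""
    vals = keys.get(RTP_KEY.lower(), {})
    return [n for n in RTP_DISABLE_VALUES if vals.get(n) == 1]


def temp_run_entries(keys: Dict[str, Dict[str, RegValue]]) -> List[Tuple[str, str]]:
    """Run-key autostarts whose command points into the user's Temp directory, where the
    IXPnnn.TMP stages in this report live."""
    found: List[Tuple[str, str]] = []
    for key in RUN_KEYS:
        for name, value in keys.get(key.lower(), {}).items():
            if isinstance(value, str) and "\\appdata\\local\\temp\\" in value.lower():
                found.append((name, value))
    return found


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    print("Defender protections disabled:", defender_tampering(parsed))
    print("Run entries in Temp:", temp_run_entries(parsed))
```

On a real host, export the two key paths with `reg export` and feed the files to `parse_reg`; a policy value of 1 under the Real-Time Protection key that no administrator set is the artefact the "Modifies Windows Defender Real-time Protection settings" signature refers to, and a Run entry into `%LOCALAPPDATA%\Temp` is the persistence the first four stages of this tree each add.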

Processes

  • C:\Users\Admin\AppData\Local\Temp\ea94336e930c6d164b6099730bcffb52db8d10610167f5006f43c8a2fb577e93.exe
    "C:\Users\Admin\AppData\Local\Temp\ea94336e930c6d164b6099730bcffb52db8d10610167f5006f43c8a2fb577e93.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4176
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wp2Et77.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wp2Et77.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2080
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ue9GK99.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ue9GK99.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3080
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eJ1Vg68.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eJ1Vg68.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:2668
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1me35um6.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1me35um6.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:760
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ux5140.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ux5140.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:5092
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              PID:2132
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              PID:4236
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              PID:4276
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 568
                7⤵
                • Program crash
                PID:3148
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 588
              6⤵
              • Program crash
              PID:4272
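
The tree above has two detection-worthy shapes: four stages unpacking from nested `IXP000.TMP` to `IXP003.TMP` directories (the naming used by Windows wextract/IExpress self-extracting packages, each stage carrying the next as its payload), and the last stage, `2Ux5140.exe`, flagged for SetThreadContext/WriteProcessMemory, starting `AppLaunch.exe` three times with no arguments, with two of the processes in that subtree ending in WerFault. The script below is an added example, not sandbox code or output: it encodes the tree as process-creation events (constructed from the PIDs, images and command lines shown; parent PID 0 for the root is an assumption since its parent is not in the report) and runs three checks over them: nesting depth of Temp-resident self-extractors, bare `AppLaunch.exe` launches from a Temp-resident parent, and WerFault reports tied to that injection subtree.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int      # 0 = parent not in the capture
    image: str     # full image path
    cmdline: str   # command line as logged


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
APPLAUNCH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"
ROOT = TEMP + r"\ea94336e930c6d164b6099730bcffb52db8d10610167f5006f43c8a2fb577e93.exe"

# Constructed from the process tree in this report; the sandbox does not export events in this form.
EVENTS: List[ProcEvent] = [
    ProcEvent(4176, 0, ROOT, '"' + ROOT + '"'),
    ProcEvent(2080, 4176, TEMP + r"\IXP000.TMP\wp2Et77.exe", TEMP + r"\IXP000.TMP\wp2Et77.exe"),
    ProcEvent(3080, 2080, TEMP + r"\IXP001.TMP\Ue9GK99.exe", TEMP + r"\IXP001.TMP\Ue9GK99.exe"),
    ProcEvent(2668, 3080, TEMP + r"\IXP002.TMP\eJ1Vg68.exe", TEMP + r"\IXP002.TMP\eJ1Vg68.exe"),
    ProcEvent(760, 2668, TEMP + r"\IXP003.TMP\1me35um6.exe", TEMP + r"\IXP003.TMP\1me35um6.exe"),
    ProcEvent(5092, 2668, TEMP + r"\IXP003.TMP\2Ux5140.exe", TEMP + r"\IXP003.TMP\2Ux5140.exe"),
    ProcEvent(2132, 5092, APPLAUNCH, '"' + APPLAUNCH + '"'),
    ProcEvent(4236, 5092, APPLAUNCH, '"' + APPLAUNCH + '"'),
    ProcEvent(4276, 5092, APPLAUNCH, '"' + APPLAUNCH + '"'),
    ProcEvent(3148, 4276, WERFAULT, WERFAULT + " -u -p 4276 -s 568"),
    ProcEvent(4272, 5092, WERFAULT, WERFAULT + " -u -p 5092 -s 588"),
]

IXP_DIR = re.compile(r"\\IXP\d{3}\.TMP\\", re.IGNORECASE)   # wextract/IExpress extraction dir
WER_TARGET = re.compile(r"-p\s+(\d+)")                       # WerFault's crashed-process PID


def _by_pid(events: List[ProcEvent]) -> Dict[int, ProcEvent]:
    return {e.pid: e for e in events}


def ancestors(pid: int, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Walk parent links until the parent is outside the capture."""
    chain: List[ProcEvent] = []
    e = by_pid.get(pid)
    while e is not None and e.ppid in by_pid:
        e = by_pid[e.ppid]
        chain.append(e)
    return chain


def sfx_nesting_depth(events: List[ProcEvent]) -> Dict[int, int]:
    """For each process running out of an IXPnnn.TMP directory, count ancestors that also do.
    Depth 0 is a single self-extractor; this tree reaches depth 3 (IXP000 -> IXP003)."""
    by_pid = _by_pid(events)
    return {
        e.pid: sum(1 for a in ancestors(e.pid, by_pid) if IXP_DIR.search(a.image))
        for e in events if IXP_DIR.search(e.image)
    }


def applaunch_hollowing_candidates(events: List[ProcEvent]) -> List[int]:
    """AppLaunch.exe started with no arguments by a parent living under the user's Temp directory.
    AppLaunch.exe normally receives an assembly to run; a bare launch from a Temp-resident parent
    is the shape left by the SetThreadContext/WriteProcessMemory activity flagged on 2Ux5140.exe."""
    by_pid = _by_pid(events)
    hits: List[int] = []
    for e in events:
        if not e.image.lower().endswith("\\applaunch.exe"):
            continue
        parent = by_pid.get(e.ppid)
        bare = e.cmdline.strip().strip('"').lower() == e.image.lower()
        parent_in_temp = parent is not None and "\\appdata\\local\\temp\\" in parent.image.lower()
        if bare and parent_in_temp:
            hits.append(e.pid)
    return hits


def crashes_in_injection_chain(events: List[ProcEvent]) -> List[Tuple[int, int]]:
    """Pair WerFault reports with crashed processes that are hollowing candidates or their parent.
    Returns (crashed_pid, werfault_pid); both crashes in this tree fall inside that set."""
    by_pid = _by_pid(events)
    suspects = set(applaunch_hollowing_candidates(events))
    suspects |= {by_pid[p].ppid for p in suspects}
    out: List[Tuple[int, int]] = []
    for e in events:
        if not e.image.lower().endswith("\\werfault.exe"):
            continue
        m = WER_TARGET.search(e.cmdline)
        if m and int(m.group(1)) in suspects:
            out.append((int(m.group(1)), e.pid))
    return out


if __name__ == "__main__":
    print("SFX nesting depth:", sfx_nesting_depth(EVENTS))
    print("AppLaunch hollowing candidates:", applaunch_hollowing_candidates(EVENTS))
    print("Crashes in injection chain:", crashes_in_injection_chain(EVENTS))
```

The same three checks port directly to Sysmon event ID 1 or EDR process telemetry, where the parent image and the full command line are both available; the nesting-depth check is the one that survives a renamed payload, since it keys on the extraction directory pattern rather than on the file names, which differ per build of this family.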

Network

MITRE ATT&CK Enterprise v15

Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wp2Et77.exe

                Filesize

                737KB

                MD5

                52ed0d4cad0ceb29afb1804c5f1489eb

                SHA1

                3fac180571a5f2e3c156e3066fad928f9f563d0d

                SHA256

                fca6694f173e2cf3e02430a37c305ab4e58ce95b830c83c32ebdd8da7b7a85a3

                SHA512

                4256506efd57c928d5a2e3736bcaa3237c8b33df6c51f99f358c353b54aa15d9196fd4cd7aa07eeae56842b549a0258edc3af43b7193d17eaec5ae0ba0de91e5

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ue9GK99.exe

                Filesize

                490KB

                MD5

                1e171451dc2a0da783ad0da1845272ca

                SHA1

                d8a3fe31dfb22bf2732b4b3fbbeec481aeeeb814

                SHA256

                1317f453a7b58b585d93aa86431c97374433d6edad874369166c28e6c2d64f04

                SHA512

                885a1beb39031a319f6ddf7de1d745d5f855168dae186d850b4ac29137cc0886c1d4114bc5dc3241492dced5aae3b013ca755f7696aeb2377a6899b365e45649

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eJ1Vg68.exe

                Filesize

                293KB

                MD5

                171adcd4b6203c84c60aa8906c989352

                SHA1

                12760c7bb5a52bf5e26f7b690c29c5be391216d2

                SHA256

                c0f77ed0cf045092cd1245710c34b9d779508699bbaf3bf05cdc31c484c2e094

                SHA512

                801731362cf64496fa20b178db64976a184cc0378e1cc6c5acb54ec306ebc6f2a23dde4be15b25442589a708b6c660fb1a16d63116a66b92d90c6ecf1bc01789

              • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1me35um6.exe

                Filesize

                12KB

                MD5

                31e10401a29a6864917ba298a4dee9f7

                SHA1

                1fc35715da630fee7092ed0a405a71a3de55ec5c

                SHA256

                5def27b47d5664016b169525e800af478f7a484ed55ff55a7a6946afb4373715

                SHA512

                f4cf33584a3bef1fb9a49bf69a970ca8dfb4fcfd884e58ec73929b7a66f2efd9fb48f807a061c8d87bfd5d3cdbe7cf4328e95cd9bf421036eb0e3363d3e05a99

              • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ux5140.exe

                Filesize

                285KB

                MD5

                e6eb4b6e93d29cbd10519979de39cfe1

                SHA1

                f7bd8c746e9af1242c65915007de51628a3e228e

                SHA256

                fa41b39c0a6bfbd4f1bbee90896bff7b0316fa6745ebdec4800e3ba1e58d1c6b

                SHA512

                30f5850a9fded402fa04c376459db0b06825a3086d3d94fe25cfc4a234461992093685e3104787fa8f607ea2a73645bdee79dbab3504c7c3b09074f32bd23d10

              • memory/760-31-0x00007FFEBC3C0000-0x00007FFEBCDAC000-memory.dmp

                Filesize

                9.9MB

              • memory/760-29-0x00007FFEBC3C0000-0x00007FFEBCDAC000-memory.dmp

                Filesize

                9.9MB

              • memory/760-28-0x00000000002E0000-0x00000000002EA000-memory.dmp

                Filesize

                40KB

              • memory/4276-35-0x0000000000400000-0x0000000000428000-memory.dmp

                Filesize

                160KB

              • memory/4276-38-0x0000000000400000-0x0000000000428000-memory.dmp

                Filesize

                160KB

              • memory/4276-39-0x0000000000400000-0x0000000000428000-memory.dmp

                Filesize

                160KB

              • memory/4276-41-0x0000000000400000-0x0000000000428000-memory.dmp

                Filesize

                160KB