Analysis

  • max time kernel
    128s
  • max time network
    131s
  • platform
    windows10-1703_x64
  • resource
    win10-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    03/10/2023, 03:07

General

  • Target

    69e2fbd2ea73f89ed10a9f89e7f35487c860c1adea1322214dc5909781a3d468.exe

  • Size

    877KB

  • MD5

    fb34229f5666aa16d8d02abcebe062ec

  • SHA1

    357091a6fff4b28caf78e4780a285773c48e8952

  • SHA256

    69e2fbd2ea73f89ed10a9f89e7f35487c860c1adea1322214dc5909781a3d468

  • SHA512

    b408ec8e9aef6eaa89bff351cef57fc5845eaf3e7c78608f14de09ea4e0ea5c09df6a56404cc5eb4c840a52e553c9f6bec224e57f8d52c86ccf74dfc9617f42c

  • SSDEEP

    24576:My9+bMkN+cM/MeTVWIX0DSv9mDOa4Bhc5cE:7gNBXgVWCWSv9m54d

Malware Config

Signatures

  • Detects Healer, an antivirus disabler dropper (3 IoCs)
  • Healer

    Healer is an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings (3 TTPs, 5 IoCs)
  • Executes dropped EXE (5 IoCs)
  • Windows security modification (2 TTPs, 1 IoC)
  • Adds Run key to start application (2 TTPs, 4 IoCs)
  • Suspicious use of SetThreadContext (1 IoC)
  • Program crash (2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (24 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\69e2fbd2ea73f89ed10a9f89e7f35487c860c1adea1322214dc5909781a3d468.exe
    "C:\Users\Admin\AppData\Local\Temp\69e2fbd2ea73f89ed10a9f89e7f35487c860c1adea1322214dc5909781a3d468.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3800
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iY8kb09.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iY8kb09.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2856
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bb2zR83.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bb2zR83.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1292
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sr3NZ90.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sr3NZ90.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:5100
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1AO38Iz2.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1AO38Iz2.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4772
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Di1592.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Di1592.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:424
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              PID:1700
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 568
                  7⤵
                  • Program crash
                  PID:1100
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 144
                6⤵
                • Program crash
                PID:4920

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iY8kb09.exe

            Filesize

            737KB

            MD5

            cbcf5a947412fb62c35d0a049e52fe6d

            SHA1

            6b994a5057c277ee21585865c324206029c4e094

            SHA256

            b3d89672d76b866a1b02564a46abbaadb3d4da3b4231a5290c5613a05965b283

            SHA512

            9711f0bcacca4823fe01293f4dbc8eef95035b858a1801ac84cb3bd7d050e9669a9312947ba2941b4b761d8983794696b87b84f9fa3c457b851c59b843b38805

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bb2zR83.exe

            Filesize

            490KB

            MD5

            624a694a779aabcba2f67cdf73380fb2

            SHA1

            1dd5418500132310b43669a55a85870e01818446

            SHA256

            13f4f8bbc394b2ed5f814b23dbe59462e6c32a3f4f105c3cef01379999baf2af

            SHA512

            58a5ee1e184663f20402d9f3e3df4bcbfb0d70ba25414533b1477ec7213654360b5f93f4c73d81ea6eeedd80a04cfc8389227c18c48ec406db1a21dc78122921

          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sr3NZ90.exe

            Filesize

            293KB

            MD5

            e4a7baef665a7149f4bc792748080240

            SHA1

            d075ac42be23b5907fbebbf042bb65efdbdcd919

            SHA256

            354b2754845d6a195c1c5ddb130039bd6bf52329b6cdffffd9f86b59ebf616dd

            SHA512

            4a456286e0d477e311b0704d5b0a68be487c02cf57b17e00cadac2e8b442e09a84f43b6141fddddd9106292603a515692cc22ad2e00c957d5806d9a5ea99ebe5

          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1AO38Iz2.exe

            Filesize

            12KB

            MD5

            3f82e2a3ce72b5fe38f4c572a65cfd17

            SHA1

            4ad8ee72d22d3a675d4949d3a8d9cbfa11c4a1c5

            SHA256

            a5676d335c1738d96ec21afb4e9acd66cbded2bb7361d1b4e32190aad0102a9f

            SHA512

            7f77e63d6e3733912d1664431f6579572b6ab6ebaa039610be77df480815da064e674053f54f63fa8953765e6a1a065c2e8fa12a23ca96cf720d3e76109c3255

          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Di1592.exe

            Filesize

            285KB

            MD5

            084df43ce4ce72edc3c48945cd9cd269

            SHA1

            68f2bbdf8320b3058f5977738ef3cbc4c2af884e

            SHA256

            72db416c89ad5152f533a8ed977de539c74dfdd5f323d0121d831f99d7baf737

            SHA512

            ad8fa04c3d46f32edbf655f4b4c02ce8bf498f268b470dbf94d8616973359643e0ef388d0f1ad1c10f705bc489897c473c298f48b125211140b367506dbe9eda

          • memory/1700-35-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB

          • memory/1700-38-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB

          • memory/1700-39-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB

          • memory/1700-41-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB

          • memory/4772-31-0x00007FFBDD1A0000-0x00007FFBDDB8C000-memory.dmp

            Filesize

            9.9MB

          • memory/4772-29-0x00007FFBDD1A0000-0x00007FFBDDB8C000-memory.dmp

            Filesize

            9.9MB

          • memory/4772-28-0x0000000000EC0000-0x0000000000ECA000-memory.dmp

            Filesize

            40KB