Analysis
- max time kernel: 128s
- max time network: 131s
- platform: windows10-1703_x64
- resource: win10-20230915-en
- resource tags: arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 03/10/2023, 03:07
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 69e2fbd2ea73f89ed10a9f89e7f35487c860c1adea1322214dc5909781a3d468.exe
  - Resource: win10-20230915-en
General
- Target: 69e2fbd2ea73f89ed10a9f89e7f35487c860c1adea1322214dc5909781a3d468.exe
- Size: 877KB
- MD5: fb34229f5666aa16d8d02abcebe062ec
- SHA1: 357091a6fff4b28caf78e4780a285773c48e8952
- SHA256: 69e2fbd2ea73f89ed10a9f89e7f35487c860c1adea1322214dc5909781a3d468
- SHA512: b408ec8e9aef6eaa89bff351cef57fc5845eaf3e7c78608f14de09ea4e0ea5c09df6a56404cc5eb4c840a52e553c9f6bec224e57f8d52c86ccf74dfc9617f42c
- SSDEEP: 24576:My9+bMkN+cM/MeTVWIX0DSv9mDOa4Bhc5cE:7gNBXgVWCWSv9m54d
Malware Config
Signatures
- Detects Healer, an antivirus disabler dropper (3 IoCs)
  resource / yara_rule:
    behavioral1/files/0x000700000001afcb-26.dat  healer
    behavioral1/files/0x000700000001afcb-27.dat  healer
    behavioral1/memory/4772-28-0x0000000000EC0000-0x0000000000ECA000-memory.dmp  healer  (memory of PID 4772, 1AO38Iz2.exe)
- Modifies Windows Defender Real-time Protection settings
  Process 1AO38Iz2.exe set the following values (int) under \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection:
    DisableRealtimeMonitoring = "1"
    DisableScanOnRealtimeEnable = "1"
    DisableBehaviorMonitoring = "1"
    DisableIOAVProtection = "1"
    DisableOnAccessProtection = "1"
- Executes dropped EXE (5 IoCs)
  pid / Process:
    2856  iY8kb09.exe
    1292  bb2zR83.exe
    5100  Sr3NZ90.exe
    4772  1AO38Iz2.exe
    424   2Di1592.exe
- Windows security modification
  Process 1AO38Iz2.exe set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Each unpacking layer writes a RunOnce value (str) under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (registry escaping removed):
    wextract_cleanup0 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"   set by 69e2fbd2ea73f89ed10a9f89e7f35487c860c1adea1322214dc5909781a3d468.exe
    wextract_cleanup1 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"   set by iY8kb09.exe
    wextract_cleanup2 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\"   set by bb2zR83.exe
    wextract_cleanup3 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\"   set by Sr3NZ90.exe
- Suspicious use of SetThreadContext (1 IoC)
  PID 424 (2Di1592.exe) set thread context of PID 1700 (procid_target 76)
- Program crash (2 IoCs)
  pid / pid_target / Process / procid_target:
    4920  424   WerFault.exe  74
    1100  1700  WerFault.exe  76
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 4772 1AO38Iz2.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 4772 1AO38Iz2.exe
- Suspicious use of WriteProcessMemory (24 IoCs, one record per write event)
    PID 3800 (69e2fbd2ea73f89ed10a9f89e7f35487c860c1adea1322214dc5909781a3d468.exe) wrote to memory of PID 2856, procid_target 70  (3 events)
    PID 2856 (iY8kb09.exe) wrote to memory of PID 1292, procid_target 71  (3 events)
    PID 1292 (bb2zR83.exe) wrote to memory of PID 5100, procid_target 72  (3 events)
    PID 5100 (Sr3NZ90.exe) wrote to memory of PID 4772, procid_target 73  (2 events)
    PID 5100 (Sr3NZ90.exe) wrote to memory of PID 424, procid_target 74  (3 events)
    PID 424 (2Di1592.exe) wrote to memory of PID 1700, procid_target 76  (10 events)
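The Defender registry writes recorded above are the part of this chain a defender can hunt for directly in endpoint telemetry. The following is an added example, not part of the sandbox report: it classifies Sysmon Event ID 13 (RegistryEvent, Value Set) records against the exact value names and key paths the report attributes to 1AO38Iz2.exe, and normalises the report's kernel-style `\REGISTRY\MACHINE\` paths to the `HKLM\` form Sysmon logs. The event records are constructed for illustration (the field names follow Sysmon's Image / TargetObject / Details; the benign events are made up for contrast).

```python
"""Flag Defender-disabling registry writes in Sysmon Event ID 13 (Value Set) records.

Added example, not part of the sandbox report. SAMPLE_EVENTS is constructed:
field names follow Sysmon's Image / TargetObject / Details, the registry paths
and values are the ones the report attributes to 1AO38Iz2.exe, and the benign
events are invented for contrast.
"""
import re

# Policy values that switch off Defender real-time protection when set to 1
# (the five names the report shows being written).
RTP_POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring",
    "DisableScanOnRealtimeEnable",
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
}
# Tamper Protection state: a DWORD where 0 means off.
TAMPER_VALUE = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection"

# Sysmon renders a REG_DWORD in Details as "DWORD (0x00000001)".
_DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")


def _dword(details):
    m = _DWORD_RE.fullmatch(details.strip())
    return int(m.group(1), 16) if m else None


def _normalise(path):
    # Sandbox reports print the kernel path (\REGISTRY\MACHINE\...); Sysmon prints HKLM\...
    return re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path, flags=re.IGNORECASE)


def classify(event):
    """Return a finding for one Value Set event, or None when it is not Defender tampering."""
    target = _normalise(event["TargetObject"])
    key, _, name = target.rpartition("\\")
    value = _dword(event["Details"])
    if key.lower() == RTP_POLICY_KEY.lower() and name in RTP_DISABLE_VALUES and value == 1:
        return f"{name}=1 under the Real-Time Protection policy key"
    if target.lower() == TAMPER_VALUE.lower() and value == 0:
        return "TamperProtection=0"
    return None


def hunt(events):
    """Group findings by writing image; several hits from one non-system image is the alert."""
    findings = {}
    for ev in events:
        f = classify(ev)
        if f is not None:
            findings.setdefault(ev["Image"], []).append(f)
    return findings


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1AO38Iz2.exe"
SAMPLE_EVENTS = [  # constructed records, not taken from the report
    {"Image": DROPPER, "TargetObject": RTP_POLICY_KEY + r"\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"Image": DROPPER, "TargetObject": RTP_POLICY_KEY + r"\DisableIOAVProtection",
     "Details": "DWORD (0x00000001)"},
    {"Image": DROPPER, "TargetObject": TAMPER_VALUE, "Details": "DWORD (0x00000000)"},
    # Same write in the report's kernel-path spelling, to exercise the normalisation.
    {"Image": DROPPER,
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring",
     "Details": "DWORD (0x00000001)"},
    # Benign: a value being set back to 0, and an unrelated autorun key.
    {"Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": RTP_POLICY_KEY + r"\DisableRealtimeMonitoring", "Details": "DWORD (0x00000000)"},
    {"Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Example", "Details": "C:\\x.exe"},
]

if __name__ == "__main__":
    for image, hits in hunt(SAMPLE_EVENTS).items():
        print(image)
        for h in hits:
            print("   ", h)
```

Two caveats for anyone turning this into a rule. The `Policies\...\Real-Time Protection` key is also where Group Policy legitimately writes these values, so the writing image carries the signal: here it is a just-dropped executable in `%TEMP%\IXP003.TMP`, not a system component. And a logged write says nothing about whether Defender honoured it; Tamper Protection, when enabled, exists to reject exactly these changes, so alert on the attempt rather than on Defender's resulting state.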
Processes (nesting shows parent/child; command line equals the image path unless shown)
- C:\Users\Admin\AppData\Local\Temp\69e2fbd2ea73f89ed10a9f89e7f35487c860c1adea1322214dc5909781a3d468.exe
  PID 3800: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iY8kb09.exe
    PID 2856: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bb2zR83.exe
      PID 1292: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sr3NZ90.exe
        PID 5100: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1AO38Iz2.exe
          PID 4772: Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Windows security modification; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Di1592.exe
          PID 424: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
          - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            PID 1700 (launched with no arguments)
            - C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 568
              PID 1100: Program crash
          - C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 144
            PID 4920: Program crash
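The tree above can be rebuilt from the signature tables alone, which is useful when a report has been flattened or when you only have the raw events. The `IXP00n.TMP` directories and `wextract_cleanupN` RunOnce values are what Windows' own wextract/IExpress self-extractor leaves behind (it unpacks to `%TEMP%\IXP00n.TMP`, runs the embedded program, and schedules advpack's DelNodeRunDLL32 to delete the directory at next logon), so four nested layers of it is the packing chain, not the payload. The payload stage is 2Di1592.exe spawning the .NET host AppLaunch.exe with no arguments, writing to it ten times and then calling SetThreadContext on it, the classic hollowing sequence; both then crash into WerFault, which is consistent with the empty Network section. The following is an added example, not part of the report: it parses the report's own WriteProcessMemory and SetThreadContext records (word order `PID <src> ... <dst> <src> <image> <procid_target>`, one record per event) into a parent/child chain and flags the SetThreadContext target whose write count exceeds what ordinary process creation produced elsewhere in the same run. The parsing logic and the "creation baseline" heuristic are mine.

```python
"""Rebuild the process chain from this report's flattened signature records and
flag the hollowing-style pattern: many cross-process writes followed by
SetThreadContext into a freshly spawned host process.

Added example, not part of the sandbox report. The record strings are the
report's own WriteProcessMemory / SetThreadContext entries (one record per
event, all on one line, so a repeated record is a repeated event); the
parsing and the creation-write baseline are this example's own.
"""
import re
from collections import Counter

WRITE_RECORDS = (
    "PID 3800 wrote to memory of 2856 3800 "
    "69e2fbd2ea73f89ed10a9f89e7f35487c860c1adea1322214dc5909781a3d468.exe 70 " * 3
    + "PID 2856 wrote to memory of 1292 2856 iY8kb09.exe 71 " * 3
    + "PID 1292 wrote to memory of 5100 1292 bb2zR83.exe 72 " * 3
    + "PID 5100 wrote to memory of 4772 5100 Sr3NZ90.exe 73 " * 2
    + "PID 5100 wrote to memory of 424 5100 Sr3NZ90.exe 74 " * 3
    + "PID 424 wrote to memory of 1700 424 2Di1592.exe 76 " * 10
)
CONTEXT_RECORDS = "PID 424 set thread context of 1700 424 2Di1592.exe 76"

# PIDs that only ever appear as targets get their image from the process tree.
TARGET_IMAGES = {1700: "AppLaunch.exe"}

# Report word order: PID <src> <verb> <dst> <src again> <src image> <procid_target>
_WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")
_CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+) \1 (\S+) (\d+)")


def parse_records(text, pattern):
    """Yield (source_pid, target_pid, source_image); the trailing procid_target
    is the report's internal process index and is not needed here."""
    for m in pattern.finditer(text):
        yield int(m.group(1)), int(m.group(2)), m.group(3)


def analyse(write_text=WRITE_RECORDS, ctx_text=CONTEXT_RECORDS):
    writes = Counter()
    images = dict(TARGET_IMAGES)
    parent = {}
    for src, dst, img in parse_records(write_text, _WRITE_RE):
        writes[(src, dst)] += 1
        images[src] = img
        parent.setdefault(dst, src)  # the first writer into a new PID is its creator

    def render(pid, depth, out):
        out.append(f"{'  ' * depth}{pid} {images.get(pid, '?')}")
        for child in [p for p, par in parent.items() if par == pid]:
            render(child, depth + 1, out)

    chain = []
    for root in sorted(set(parent.values()) - set(parent)):
        render(root, 0, chain)

    # Plain process creation shows up as a handful of parent->child writes
    # (the parent setting the child up). The largest count among pairs that
    # did NOT get a SetThreadContext is the baseline for "normal".
    ctx_pairs = {(s, d): img for s, d, img in parse_records(ctx_text, _CTX_RE)}
    baseline = max(n for pair, n in writes.items() if pair not in ctx_pairs)

    injections = [
        {
            "injector": src, "injector_image": img,
            "target": dst, "target_image": images.get(dst, "?"),
            "writes": writes[(src, dst)],
            "exceeds_creation_baseline": writes[(src, dst)] > baseline,
        }
        for (src, dst), img in ctx_pairs.items()
    ]
    return {"chain": chain, "creation_write_baseline": baseline, "injections": injections}


if __name__ == "__main__":
    result = analyse()
    print("\n".join(result["chain"]))
    for inj in result["injections"]:
        print(f"SetThreadContext {inj['injector']} ({inj['injector_image']}) -> "
              f"{inj['target']} ({inj['target_image']}): {inj['writes']} writes, "
              f"creation baseline {result['creation_write_baseline']}")
```

On this report the baseline comes out at 3 (every wextract layer wrote 2 or 3 times into the child it launched) against 10 writes into AppLaunch.exe, so the one SetThreadContext record is flagged. The same parent-writes-then-SetThreadContext pairing is what to look for in Sysmon Event ID 8/10 or EDR telemetry; a legitimate AppLaunch.exe is started with an assembly path, not bare.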
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (T1547): 1
    - Registry Run Keys / Startup Folder (T1547.001): 1
  - Create or Modify System Process (T1543): 1
    - Windows Service (T1543.003): 1
Downloads (five distinct files; the report lists each one twice)
- 737KB
  MD5: cbcf5a947412fb62c35d0a049e52fe6d
  SHA1: 6b994a5057c277ee21585865c324206029c4e094
  SHA256: b3d89672d76b866a1b02564a46abbaadb3d4da3b4231a5290c5613a05965b283
  SHA512: 9711f0bcacca4823fe01293f4dbc8eef95035b858a1801ac84cb3bd7d050e9669a9312947ba2941b4b761d8983794696b87b84f9fa3c457b851c59b843b38805
- 490KB
  MD5: 624a694a779aabcba2f67cdf73380fb2
  SHA1: 1dd5418500132310b43669a55a85870e01818446
  SHA256: 13f4f8bbc394b2ed5f814b23dbe59462e6c32a3f4f105c3cef01379999baf2af
  SHA512: 58a5ee1e184663f20402d9f3e3df4bcbfb0d70ba25414533b1477ec7213654360b5f93f4c73d81ea6eeedd80a04cfc8389227c18c48ec406db1a21dc78122921
- 293KB
  MD5: e4a7baef665a7149f4bc792748080240
  SHA1: d075ac42be23b5907fbebbf042bb65efdbdcd919
  SHA256: 354b2754845d6a195c1c5ddb130039bd6bf52329b6cdffffd9f86b59ebf616dd
  SHA512: 4a456286e0d477e311b0704d5b0a68be487c02cf57b17e00cadac2e8b442e09a84f43b6141fddddd9106292603a515692cc22ad2e00c957d5806d9a5ea99ebe5
- 12KB
  MD5: 3f82e2a3ce72b5fe38f4c572a65cfd17
  SHA1: 4ad8ee72d22d3a675d4949d3a8d9cbfa11c4a1c5
  SHA256: a5676d335c1738d96ec21afb4e9acd66cbded2bb7361d1b4e32190aad0102a9f
  SHA512: 7f77e63d6e3733912d1664431f6579572b6ab6ebaa039610be77df480815da064e674053f54f63fa8953765e6a1a065c2e8fa12a23ca96cf720d3e76109c3255
- 285KB
  MD5: 084df43ce4ce72edc3c48945cd9cd269
  SHA1: 68f2bbdf8320b3058f5977738ef3cbc4c2af884e
  SHA256: 72db416c89ad5152f533a8ed977de539c74dfdd5f323d0121d831f99d7baf737
  SHA512: ad8fa04c3d46f32edbf655f4b4c02ce8bf498f268b470dbf94d8616973359643e0ef388d0f1ad1c10f705bc489897c473c298f48b125211140b367506dbe9eda