Analysis

Max time kernel: 128s
Max time network: 133s
Platform: windows10-1703_x64
Resource: win10-20230915-en
Resource tags: arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
Submitted: 03/10/2023, 11:51

Static task: static1
Behavioral task: behavioral1
Sample: 5b8020944e3b4c19f950c026f783a089050ed3d44a250720b70010505045301b.exe
Resource: win10-20230915-en
General

Target: 5b8020944e3b4c19f950c026f783a089050ed3d44a250720b70010505045301b.exe
Size: 1.4MB
MD5: 5c3c2e95d957e64fa6ac51884c6f9bec
SHA1: 9bdf1e46cde3de534f000d566c30fc2beeeb25c1
SHA256: 5b8020944e3b4c19f950c026f783a089050ed3d44a250720b70010505045301b
SHA512: eda694f7d097d9e94a5cea7a771fc0704e804029f9ffc82d93f30a73f24ae1e5d7ff206cf9b8b10a478c71a05a430f954be6b28b5b5733d7097982a787b2c12a
SSDEEP: 24576:hy4EaO0r7jWyqtumc7vBvy3MaLGrI8/NN3v9OPkSxyxppL+maSx50nrlZHi:U4nOK7jWyqImKvBK38rISNf9FfCrlZH
Malware Config
Signatures

Detects Healer, an antivirus disabler dropper (3 IoCs)
resource | yara_rule
- behavioral1/files/0x000700000001afd9-32.dat | healer
- behavioral1/files/0x000700000001afd9-34.dat | healer
- behavioral1/memory/424-35-0x0000000000570000-0x000000000057A000-memory.dmp | healer
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | q0773486.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | q0773486.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | q0773486.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | q0773486.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | q0773486.exe
Executes dropped EXE (6 IoCs)
pid | Process
- 5040 | z4236574.exe
- 5044 | z1229832.exe
- 2840 | z1863501.exe
- 760 | z4311597.exe
- 424 | q0773486.exe
- 360 | r2240345.exe
Windows security modification
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | q0773486.exe
Adds Run key to start application (2 TTPs, 5 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | z4311597.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 5b8020944e3b4c19f950c026f783a089050ed3d44a250720b70010505045301b.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | z4236574.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | z1229832.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | z1863501.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
- PID 360 set thread context of 5104 | 360 | r2240345.exe | 77

Program crash (2 IoCs)
pid | pid_target | Process | procid_target
- 2604 | 360 | WerFault.exe | 75
- 2652 | 5104 | WerFault.exe | 77

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
- 424 | q0773486.exe
- 424 | q0773486.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
- Token: SeDebugPrivilege | 424 | q0773486.exe

Suspicious use of WriteProcessMemory (27 IoCs)
description | pid | Process | procid_target (identical rows grouped, count in brackets)
- PID 4896 wrote to memory of 5040 | 4896 | 5b8020944e3b4c19f950c026f783a089050ed3d44a250720b70010505045301b.exe | 70 [3]
- PID 5040 wrote to memory of 5044 | 5040 | z4236574.exe | 71 [3]
- PID 5044 wrote to memory of 2840 | 5044 | z1229832.exe | 72 [3]
- PID 2840 wrote to memory of 760 | 2840 | z1863501.exe | 73 [3]
- PID 760 wrote to memory of 424 | 760 | z4311597.exe | 74 [2]
- PID 760 wrote to memory of 360 | 760 | z4311597.exe | 75 [3]
- PID 360 wrote to memory of 5104 | 360 | r2240345.exe | 77 [10]
Processes

1. C:\Users\Admin\AppData\Local\Temp\5b8020944e3b4c19f950c026f783a089050ed3d44a250720b70010505045301b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5b8020944e3b4c19f950c026f783a089050ed3d44a250720b70010505045301b.exe"
   PID: 4896
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

  2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4236574.exe
     Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4236574.exe
     PID: 5040
     - Executes dropped EXE
     - Adds Run key to start application
     - Suspicious use of WriteProcessMemory

    3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1229832.exe
       Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1229832.exe
       PID: 5044
       - Executes dropped EXE
       - Adds Run key to start application
       - Suspicious use of WriteProcessMemory

      4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1863501.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1863501.exe
         PID: 2840
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious use of WriteProcessMemory

        5. C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4311597.exe
           Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4311597.exe
           PID: 760
           - Executes dropped EXE
           - Adds Run key to start application
           - Suspicious use of WriteProcessMemory

          6. C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0773486.exe
             Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0773486.exe
             PID: 424
             - Modifies Windows Defender Real-time Protection settings
             - Executes dropped EXE
             - Windows security modification
             - Suspicious behavior: EnumeratesProcesses
             - Suspicious use of AdjustPrivilegeToken

          6. C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2240345.exe
             Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2240345.exe
             PID: 360
             - Executes dropped EXE
             - Suspicious use of SetThreadContext
             - Suspicious use of WriteProcessMemory

            7. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
               Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
               PID: 5104

              8. C:\Windows\SysWOW64\WerFault.exe
                 Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 568
                 PID: 2652
                 - Program crash

            7. C:\Windows\SysWOW64\WerFault.exe
               Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 360 -s 604
               PID: 2604
               - Program crash
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads

- Filesize: 1.3MB
  MD5: cecb33e52844eed2ab12ef26fe7edcc6
  SHA1: 72585c363dfcb6f19c150f2808f612b6ee1c1bab
  SHA256: b03d4ca343454cf713e8b258bb72f3d3dc228728838b2213f0556bfdb9e16c23
  SHA512: 4befbcabfa457c87e7a1450caecfb41b2096c18da165cd52ad2b6041a7d9353ec0377cf21d5aff12424be1b58a45f83df13fa98f82bcac5df7101dcf83e32b3e

- Filesize: 1.1MB
  MD5: a30f8618a2d328ed1cf3c6bd4d7501cf
  SHA1: 8f2a3ff8babc7afe6f369988fd0c25be6d6dfc29
  SHA256: fe65dea61980c9c653a12a5a4fffdea6bad6f4052af04e1c3faab3287b4182a6
  SHA512: efec5d7dd2b75ba031c589b5405acca67889ce37423ad35516441d4462f975f97792e81f2ec5f28dd41ed50c768c64f2a3e09634cca1fefa16178a158505ec21

- Filesize: 919KB
  MD5: 010abe4746330faa6c6ef72656ec1a94
  SHA1: 9a2b85a1e992a2bf5b85a52607793f821758fca8
  SHA256: 2ed891e2d101d95a76711417d84522b3a4e562d2ac535343ce3db8af3e90a1ab
  SHA512: 92dd7de4d8bd2d352e5c670d03fb7ce9e88c4096111ca2bc2b46e703a3df1564903327eaca213cfcea4414cb722c3d4dadfbcd4645ef6bf822d2aa33cdb9bf16

- Filesize: 483KB
  MD5: fa094e16096130944bb7b7521a316e51
  SHA1: 6989255601a8edefbc5314825fddf7c797819164
  SHA256: f792b26069c47486f75901a4c96b4cac1b7f30fcf52f386812d0267b3c653d7d
  SHA512: 30a6ae9fc3c54d394edae44d59b38c8e5bbcb8a409263f58ed39a69e2134749356c275878b6adbd285114e262e75db7c922d22d56ded37a96a4cd20ed1e71527

- Filesize: 12KB
  MD5: 895ee5b54370e21b75e65f2485359e6a
  SHA1: 393263f8cc26a011dd76540cdcbda413c3b500a2
  SHA256: 703ccd19b8eeba2e59483799736d39d46a2fa781764aaa9c73449fe9b8e2913c
  SHA512: 602113ba3dc01789d8ba17db5e9b740c49bc7d49f3c0468cfe49723941b419ce4cb17a5d2ef6437b080e6fbdb90850058eaac6020121343ef43a8e746f6601a6

- Filesize: 1.4MB
  MD5: 93729dd51f21b7c2d4737f47d39e63c2
  SHA1: e358d85a6562c9150cc265ed63c6e8eec0d68b0a
  SHA256: 990009f12a3aa835f9dbfa414f45f70c8c2b142d1f8507bf54acd4daad01add1
  SHA512: 278004db2da54e0c8de3ae0c4f326068d7f2bf2e7e78f0de4caf43cd1455b2474136cf652e4043606f29f7385b1f3c5b740a4c9de6b777a82a977a939f786d50