Analysis

  • max time kernel
    128s
  • max time network
    133s
  • platform
    windows10-1703_x64
  • resource
    win10-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    03/10/2023, 11:51

General

  • Target

    5b8020944e3b4c19f950c026f783a089050ed3d44a250720b70010505045301b.exe

  • Size

    1.4MB

  • MD5

    5c3c2e95d957e64fa6ac51884c6f9bec

  • SHA1

    9bdf1e46cde3de534f000d566c30fc2beeeb25c1

  • SHA256

    5b8020944e3b4c19f950c026f783a089050ed3d44a250720b70010505045301b

  • SHA512

    eda694f7d097d9e94a5cea7a771fc0704e804029f9ffc82d93f30a73f24ae1e5d7ff206cf9b8b10a478c71a05a430f954be6b28b5b5733d7097982a787b2c12a

  • SSDEEP

    24576:hy4EaO0r7jWyqtumc7vBvy3MaLGrI8/NN3v9OPkSxyxppL+maSx50nrlZHi:U4nOK7jWyqImKvBK38rISNf9FfCrlZH

Malware Config

Signatures

  • Detects Healer, an antivirus disabler dropper 3 IoCs
  • Healer

    Healer, an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5b8020944e3b4c19f950c026f783a089050ed3d44a250720b70010505045301b.exe
    "C:\Users\Admin\AppData\Local\Temp\5b8020944e3b4c19f950c026f783a089050ed3d44a250720b70010505045301b.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4896
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4236574.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4236574.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:5040
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1229832.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1229832.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:5044
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1863501.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1863501.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:2840
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4311597.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4311597.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:760
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0773486.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0773486.exe
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Executes dropped EXE
              • Windows security modification
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:424
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2240345.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2240345.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:360
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                7⤵
                PID:5104
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 568
                  8⤵
                  • Program crash
                  PID:2652
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 360 -s 604
                7⤵
                • Program crash
                PID:2604
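The process tree and signatures above describe one chain: each IXP00N.TMP stage (the working directory an IExpress self-extracting package unpacks into) runs the next, every stage writes a Run key, q0773486.exe tampers with Defender real-time protection, and r2240345.exe starts a bare AppLaunch.exe and writes into it via SetThreadContext/WriteProcessMemory. The following Python is an added example written for this page, not code from the sandbox or from the report; it turns those behaviours into detection rules and runs them over constructed Sysmon-style events (EID 1 process creation, EID 13 registry value set) modelled on the tree above. The explorer.exe parent of the root process, the exact Real-Time Protection value names and the Run-key paths are assumptions, since the report counts those IoCs but does not print them.

```python
import re
from collections import Counter

# Sysmon event IDs used below: 1 = process creation, 13 = registry value set.
IXP_EXE = re.compile(r"\\AppData\\Local\\Temp\\IXP\d{3}\.TMP\\[^\\]+\.exe$", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
APPLAUNCH = re.compile(r"\\Microsoft\.NET\\Framework(64)?\\v[\d.]+\\AppLaunch\.exe$", re.I)
# Assumption: the report counts 5 IoCs under "Modifies Windows Defender Real-time
# Protection settings" without naming them; these are the five Real-Time Protection
# values an AV disabler of this kind typically sets to 1.
DEFENDER_RTP = re.compile(
    r"\\Windows Defender\\Real-Time Protection\\Disable"
    r"(RealtimeMonitoring|BehaviorMonitoring|OnAccessProtection|ScanOnRealtimeEnable|IOAVProtection)$",
    re.I,
)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
DWORD_ONE = re.compile(r"0x0*1\)?\s*$", re.I)  # matches Sysmon's "DWORD (0x00000001)"


def chain_depth(pid, by_pid):
    """Number of consecutive ancestors, starting at pid, that run from IXP*.TMP."""
    depth, seen = 0, set()
    while pid in by_pid and pid not in seen and IXP_EXE.search(by_pid[pid]["Image"]):
        seen.add(pid)
        depth += 1
        pid = by_pid[pid]["ParentProcessId"]
    return depth


def detect(events):
    """Return (rule, pid) findings for the behaviours listed in the report."""
    by_pid = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    findings = []
    for e in events:
        pid = e["ProcessId"]
        if e["EventID"] == 1:
            img, parent = e["Image"], e.get("ParentImage", "")
            # Rule 1: a dropped EXE in IXP00N.TMP whose parent is itself such a stage,
            # i.e. the nested unpacking chain seen in the process tree (depth >= 2).
            if IXP_EXE.search(img) and chain_depth(pid, by_pid) >= 2:
                findings.append(("nested_ixp_dropper", pid))
            # Rule 2: AppLaunch.exe started from a Temp-resident parent with no
            # assembly argument. Legitimate callers pass an assembly path; a bare
            # invocation is the shape of the SetThreadContext hollowing above.
            if APPLAUNCH.search(img) and TEMP_DIR.search(parent):
                if e["CommandLine"].strip().strip('"').lower().endswith("applaunch.exe"):
                    findings.append(("applaunch_hollowing_candidate", pid))
        elif e["EventID"] == 13:
            target, details = e["TargetObject"], str(e["Details"])
            # Rule 3: a Real-Time Protection switch written as DWORD 1 (disabled).
            if DEFENDER_RTP.search(target) and DWORD_ONE.search(details):
                findings.append(("defender_rtp_tamper", pid))
            # Rule 4: a Run value whose payload lives under %LOCALAPPDATA%\Temp.
            if RUN_KEY.search(target) and TEMP_DIR.search(details):
                findings.append(("run_key_to_temp", pid))
    return findings


def summarize(findings):
    """Count findings per rule, e.g. for a one-line triage summary."""
    return Counter(rule for rule, _ in findings)


# Constructed from the process tree in this report; the explorer.exe parent, the
# registry paths and the values written are assumptions, not sandbox telemetry.
T = r"C:\Users\Admin\AppData\Local\Temp"
RTP = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection"
RUN = r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run"
ROOT = T + r"\5b8020944e3b4c19f950c026f783a089050ed3d44a250720b70010505045301b.exe"
S0, S1 = T + r"\IXP000.TMP\z4236574.exe", T + r"\IXP001.TMP\z1229832.exe"
S2, S3 = T + r"\IXP002.TMP\z1863501.exe", T + r"\IXP003.TMP\z4311597.exe"
Q, R = T + r"\IXP004.TMP\q0773486.exe", T + r"\IXP004.TMP\r2240345.exe"
AL = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"


def _proc(pid, ppid, image, parent_image, cmdline=None):
    return {"EventID": 1, "ProcessId": pid, "ParentProcessId": ppid, "Image": image,
            "ParentImage": parent_image, "CommandLine": cmdline or f'"{image}"'}


SAMPLE_EVENTS = [
    _proc(4896, 1337, ROOT, r"C:\Windows\explorer.exe"),
    _proc(5040, 4896, S0, ROOT), _proc(5044, 5040, S1, S0), _proc(2840, 5044, S2, S1),
    _proc(760, 2840, S3, S2), _proc(424, 760, Q, S3), _proc(360, 760, R, S3),
    _proc(5104, 360, AL, R),
    {"EventID": 13, "ProcessId": 424, "TargetObject": RTP + r"\DisableRealtimeMonitoring", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "ProcessId": 424, "TargetObject": RTP + r"\DisableBehaviorMonitoring", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "ProcessId": 5040, "TargetObject": RUN + r"\z4236574", "Details": S0},
    # Benign control: a Run value pointing outside Temp must not fire.
    {"EventID": 13, "ProcessId": 9999, "TargetObject": RUN + r"\OneDrive",
     "Details": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for rule, pid in hits:
        print(f"{rule:32} pid={pid}")
    print(dict(summarize(hits)))
```

Rule 1 deliberately ignores the first IXP stage on its own and fires from the second nesting level onward, which keeps a single legitimately unpacked IExpress package quiet while still catching every stage of a chain like this one; Rule 2 is the higher-signal alert, since AppLaunch.exe has no reason to be started without an assembly path by a binary living in Temp.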

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4236574.exe

            Filesize

            1.3MB

            MD5

            cecb33e52844eed2ab12ef26fe7edcc6

            SHA1

            72585c363dfcb6f19c150f2808f612b6ee1c1bab

            SHA256

            b03d4ca343454cf713e8b258bb72f3d3dc228728838b2213f0556bfdb9e16c23

            SHA512

            4befbcabfa457c87e7a1450caecfb41b2096c18da165cd52ad2b6041a7d9353ec0377cf21d5aff12424be1b58a45f83df13fa98f82bcac5df7101dcf83e32b3e

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1229832.exe

            Filesize

            1.1MB

            MD5

            a30f8618a2d328ed1cf3c6bd4d7501cf

            SHA1

            8f2a3ff8babc7afe6f369988fd0c25be6d6dfc29

            SHA256

            fe65dea61980c9c653a12a5a4fffdea6bad6f4052af04e1c3faab3287b4182a6

            SHA512

            efec5d7dd2b75ba031c589b5405acca67889ce37423ad35516441d4462f975f97792e81f2ec5f28dd41ed50c768c64f2a3e09634cca1fefa16178a158505ec21

          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1863501.exe

            Filesize

            919KB

            MD5

            010abe4746330faa6c6ef72656ec1a94

            SHA1

            9a2b85a1e992a2bf5b85a52607793f821758fca8

            SHA256

            2ed891e2d101d95a76711417d84522b3a4e562d2ac535343ce3db8af3e90a1ab

            SHA512

            92dd7de4d8bd2d352e5c670d03fb7ce9e88c4096111ca2bc2b46e703a3df1564903327eaca213cfcea4414cb722c3d4dadfbcd4645ef6bf822d2aa33cdb9bf16

          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4311597.exe

            Filesize

            483KB

            MD5

            fa094e16096130944bb7b7521a316e51

            SHA1

            6989255601a8edefbc5314825fddf7c797819164

            SHA256

            f792b26069c47486f75901a4c96b4cac1b7f30fcf52f386812d0267b3c653d7d

            SHA512

            30a6ae9fc3c54d394edae44d59b38c8e5bbcb8a409263f58ed39a69e2134749356c275878b6adbd285114e262e75db7c922d22d56ded37a96a4cd20ed1e71527

          • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0773486.exe

            Filesize

            12KB

            MD5

            895ee5b54370e21b75e65f2485359e6a

            SHA1

            393263f8cc26a011dd76540cdcbda413c3b500a2

            SHA256

            703ccd19b8eeba2e59483799736d39d46a2fa781764aaa9c73449fe9b8e2913c

            SHA512

            602113ba3dc01789d8ba17db5e9b740c49bc7d49f3c0468cfe49723941b419ce4cb17a5d2ef6437b080e6fbdb90850058eaac6020121343ef43a8e746f6601a6

          • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2240345.exe

            Filesize

            1.4MB

            MD5

            93729dd51f21b7c2d4737f47d39e63c2

            SHA1

            e358d85a6562c9150cc265ed63c6e8eec0d68b0a

            SHA256

            990009f12a3aa835f9dbfa414f45f70c8c2b142d1f8507bf54acd4daad01add1

            SHA512

            278004db2da54e0c8de3ae0c4f326068d7f2bf2e7e78f0de4caf43cd1455b2474136cf652e4043606f29f7385b1f3c5b740a4c9de6b777a82a977a939f786d50

          • memory/424-35-0x0000000000570000-0x000000000057A000-memory.dmp

            Filesize

            40KB

          • memory/424-36-0x00007FFC5C4D0000-0x00007FFC5CEBC000-memory.dmp

            Filesize

            9.9MB

          • memory/424-38-0x00007FFC5C4D0000-0x00007FFC5CEBC000-memory.dmp

            Filesize

            9.9MB

          • memory/5104-42-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB

          • memory/5104-45-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB

          • memory/5104-46-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB

          • memory/5104-48-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB