Analysis

max time kernel: 112s
max time network: 117s
platform: windows10-1703_x64
resource: win10-20230915-en
resource tags: arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
submitted: 03/10/2023, 11:52

Static task: static1
Behavioral task: behavioral1
Sample: 2854319baf4234aaa1fb4e994a9f25407511239049a7aceea4a7295d666928e2.exe
Resource: win10-20230915-en
General

Target: 2854319baf4234aaa1fb4e994a9f25407511239049a7aceea4a7295d666928e2.exe
Size: 1.4MB
MD5: 265a21d257fff5a0c8a61e9afc5966ff
SHA1: 427c6ace9acb6f40a057defa09a8103e0441e600
SHA256: 2854319baf4234aaa1fb4e994a9f25407511239049a7aceea4a7295d666928e2
SHA512: d7da9a669e8aa98c9cea0ad1e2a5db03ad1e70afe642dd445dbbd3180d8780b9d02ea4c1f4187ea861e615dc480df6e3c956c4d0c89ad92fa50d845dbca501f4
SSDEEP: 24576:zyznYmPZGUre3xmDV5lBojoBN4i1xnqXf1HqgRVCjzAQ:GrYSZGkhBoaNlxI1XC
Malware Config
Signatures

Detects Healer, an antivirus disabler dropper (3 IoCs)
resource | yara_rule
behavioral1/files/0x000700000001afc8-26.dat | healer
behavioral1/files/0x000700000001afc8-27.dat | healer
behavioral1/memory/4616-28-0x00000000008E0000-0x00000000008EA000-memory.dmp | healer

Modifies Windows Defender Real-time Protection settings (5 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 1Mq36LP1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 1Mq36LP1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 1Mq36LP1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 1Mq36LP1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 1Mq36LP1.exe

Executes dropped EXE (5 IoCs)
pid | Process
3852 | Sp8VC05.exe
2248 | bW7nF91.exe
3880 | Qj3ee99.exe
4616 | 1Mq36LP1.exe
3284 | 2Tp5551.exe

Windows security modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | 1Mq36LP1.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | bW7nF91.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | Qj3ee99.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 2854319baf4234aaa1fb4e994a9f25407511239049a7aceea4a7295d666928e2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | Sp8VC05.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 3284 set thread context of 2572 | 3284 | 2Tp5551.exe | 75

Program crash (2 IoCs)
pid | pid_target | Process | procid_target
940 | 3284 | WerFault.exe | 73
624 | 2572 | WerFault.exe | 75

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
4616 | 1Mq36LP1.exe
4616 | 1Mq36LP1.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 4616 | 1Mq36LP1.exe

Suspicious use of WriteProcessMemory (24 IoCs)
description | pid | Process | procid_target
PID 5016 wrote to memory of 3852 | 5016 | 2854319baf4234aaa1fb4e994a9f25407511239049a7aceea4a7295d666928e2.exe | 69
PID 5016 wrote to memory of 3852 | 5016 | 2854319baf4234aaa1fb4e994a9f25407511239049a7aceea4a7295d666928e2.exe | 69
PID 5016 wrote to memory of 3852 | 5016 | 2854319baf4234aaa1fb4e994a9f25407511239049a7aceea4a7295d666928e2.exe | 69
PID 3852 wrote to memory of 2248 | 3852 | Sp8VC05.exe | 70
PID 3852 wrote to memory of 2248 | 3852 | Sp8VC05.exe | 70
PID 3852 wrote to memory of 2248 | 3852 | Sp8VC05.exe | 70
PID 2248 wrote to memory of 3880 | 2248 | bW7nF91.exe | 71
PID 2248 wrote to memory of 3880 | 2248 | bW7nF91.exe | 71
PID 2248 wrote to memory of 3880 | 2248 | bW7nF91.exe | 71
PID 3880 wrote to memory of 4616 | 3880 | Qj3ee99.exe | 72
PID 3880 wrote to memory of 4616 | 3880 | Qj3ee99.exe | 72
PID 3880 wrote to memory of 3284 | 3880 | Qj3ee99.exe | 73
PID 3880 wrote to memory of 3284 | 3880 | Qj3ee99.exe | 73
PID 3880 wrote to memory of 3284 | 3880 | Qj3ee99.exe | 73
PID 3284 wrote to memory of 2572 | 3284 | 2Tp5551.exe | 75
PID 3284 wrote to memory of 2572 | 3284 | 2Tp5551.exe | 75
PID 3284 wrote to memory of 2572 | 3284 | 2Tp5551.exe | 75
PID 3284 wrote to memory of 2572 | 3284 | 2Tp5551.exe | 75
PID 3284 wrote to memory of 2572 | 3284 | 2Tp5551.exe | 75
PID 3284 wrote to memory of 2572 | 3284 | 2Tp5551.exe | 75
PID 3284 wrote to memory of 2572 | 3284 | 2Tp5551.exe | 75
PID 3284 wrote to memory of 2572 | 3284 | 2Tp5551.exe | 75
PID 3284 wrote to memory of 2572 | 3284 | 2Tp5551.exe | 75
PID 3284 wrote to memory of 2572 | 3284 | 2Tp5551.exe | 75
Processes

[1] C:\Users\Admin\AppData\Local\Temp\2854319baf4234aaa1fb4e994a9f25407511239049a7aceea4a7295d666928e2.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\2854319baf4234aaa1fb4e994a9f25407511239049a7aceea4a7295d666928e2.exe"
    PID: 5016
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sp8VC05.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sp8VC05.exe
        PID: 3852
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bW7nF91.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bW7nF91.exe
            PID: 2248
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory

            [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Qj3ee99.exe
                command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Qj3ee99.exe
                PID: 3880
                - Executes dropped EXE
                - Adds Run key to start application
                - Suspicious use of WriteProcessMemory

                [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Mq36LP1.exe
                    command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Mq36LP1.exe
                    PID: 4616
                    - Modifies Windows Defender Real-time Protection settings
                    - Executes dropped EXE
                    - Windows security modification
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken

                [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Tp5551.exe
                    command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Tp5551.exe
                    PID: 3284
                    - Executes dropped EXE
                    - Suspicious use of SetThreadContext
                    - Suspicious use of WriteProcessMemory

                    [6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                        PID: 2572

                        [7] C:\Windows\SysWOW64\WerFault.exe
                            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 568
                            PID: 624
                            - Program crash

                    [6] C:\Windows\SysWOW64\WerFault.exe
                        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3284 -s 148
                        PID: 940
                        - Program crash
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 1.3MB
MD5: f1a7f03bfbb59bf487ef259d076a19ab
SHA1: 42dd1de8a9d431a1c558d65d6468a2070b762671
SHA256: 012c9526092e4f3200b87ad6b1f2596c64beda212b9b4b94d495399b22a35ef3
SHA512: e79a73ca5287c9300b9a25d2a576d89aec6173d590cdab113a4663ecdf30d3da06f92c3ea0b7da3d0a1ccbd79500321881a30f6c6948cf825bdab61616016ff8

Filesize: 871KB
MD5: b903f0f37d77996561706308693fb116
SHA1: a1dd2a5cac7cd19c7236a2e5afadeb67235f3fd4
SHA256: d8ba5c74b13e0215c8670028a30fc330d0fa22e485767c97e265eabfa3ac5dc7
SHA512: bae47f56f922c2339fac095f8de6c8552b4816996f192eee92359d8514197b1bc5ae889436d4f792ea64e66b2e9e6954bf90503ee3428a4185757540cfd01a77

Filesize: 483KB
MD5: ca955a58396ae9a4cfd4ca877ab4f260
SHA1: e93abfd2b3ae9d611bd4bc963759ab631ab41c74
SHA256: 3974802820fbbfca4ae2fd7df79328e26383626d2dca3f40a2b294f518114e71
SHA512: 41deed27324c55cad9b8c5c300617e6256a65aca6a7e541f057b10caf42dbfe276a8fd9855857e0ce2094d9bd67032a567b9e02de5b6de5f49ca2f7394d4fadd

Filesize: 12KB
MD5: efe503df4660f601e259680649479d25
SHA1: c4584f364de6895d181e008838cecbf5edb44569
SHA256: b77c5f97f9ff6bbeb61277e064d66b21f5427b6b8c366c7a0f9028aad8413b1e
SHA512: 65c12cf1a5b9844c35f43c60e16c4bce44c8878aa367b8dfae398867180283d702fbdaf2f8b5563b6a3f0268f8d4644115ee27694e8d0244e415804aa1a308f4

Filesize: 1.4MB
MD5: 93729dd51f21b7c2d4737f47d39e63c2
SHA1: e358d85a6562c9150cc265ed63c6e8eec0d68b0a
SHA256: 990009f12a3aa835f9dbfa414f45f70c8c2b142d1f8507bf54acd4daad01add1
SHA512: 278004db2da54e0c8de3ae0c4f326068d7f2bf2e7e78f0de4caf43cd1455b2474136cf652e4043606f29f7385b1f3c5b740a4c9de6b777a82a977a939f786d50