Analysis

  • max time kernel: 118s
  • max time network: 121s
  • platform: windows7_x64
  • resource: win7-20230831-en
  • resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  • submitted: 03/10/2023, 11:12

General

  • Target: file.exe
  • Size: 876KB
  • MD5: 017a82da7f811fc92a57a3b630c246e3
  • SHA1: 0e411d8bdc009d3fd50f9983a0ca9c7d62fd8c72
  • SHA256: bde70ac579d1b9ce2d8bef8c8023debec0ca1a0e3cac07ea465e25b32aa0602a
  • SHA512: 2d4932aa837920d66241cd422617dbbde3e2733d8874d5757687a44716321f3df12fc4620dea22a8556d12427e70239a4e210e1e3fd0870b831ada92d703a5a9
  • SSDEEP: 12288:gMrfy90VY+asDkUK5UswGw6q8UJMT07e4sYuKgeAf2vFKgfheaz4ZxZWhMt5otF6:Pyb+ZDk9U3Mie4sQjf4ZxZWhntmB

Malware Config

Signatures

  • Detects Healer, an antivirus disabler dropper 4 IoCs
  • Healer

    Healer, an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 13 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2484
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\us4DK37.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\us4DK37.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1016
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mR1ZW65.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mR1ZW65.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1720
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:2608
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2708
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:900
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2948
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 268
                7⤵
                • Program crash
                PID:2628
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 284
              6⤵
              • Loads dropped DLL
              • Program crash
              PID:2732

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\us4DK37.exe
          Filesize: 737KB
          MD5: 0f1e6bd57eb05a9fd74ff70b15d82ad2
          SHA1: a2e2ce16c2b0e838c7d304359c08b631c810e321
          SHA256: d4d41f660bacfd5b9aa8e27245cc404660be60b87206e47d9bc31155fb28127f
          SHA512: 68c1f9d1ba3568171e8ec6d0a641ad24622da0c341d98e9aff59ea3e12dbb93def460ab7001bc2738dadda0c8d58b0771d78cf9d08ca3a59d93b3349b3ad79b5

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mR1ZW65.exe
          Filesize: 490KB
          MD5: eaf5703824f4cd6826d0b72d5d4858be
          SHA1: ce3b239c05f9c18c1e988e71f38114fcf4d1445e
          SHA256: 1eb4091def0be71ab3151934cc38ab164daee0e32f915dbc011b99f59637c312
          SHA512: b44b30c5e1ab3135a4a2e25c542010206d600c6be9fd816e40e8988807e144aea3e09693e4c0613aa45ab1b5764474b68a0da39dd89bf9af3bcb5c09d30d2105

        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe
          Filesize: 293KB
          MD5: 270fed371af6acb335e5177f1d654d85
          SHA1: c3fc74b07b2a5596edc0f347b1a11bd77ec5e613
          SHA256: f2c4e0a40ca39423375f801ac60643cbf910d15278891fa904cff5d26a55a958
          SHA512: 28a6938c4c2015d1eca20c187342cbcbc404e97c7a19532db6c5af52537dddeaa2587f5893cae226f11e8b2afd83a5f6203b55c3c6737663266a9e494d98fc53

        • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe
          Filesize: 12KB
          MD5: 8d04e032bc6ad6b3ba2b7998e65e6f13
          SHA1: 66c8a49b5597f8fdab0bbe708c0335f85ef19986
          SHA256: 90ff834f35b4a789d0d25c6252880635bf326d594e1156e785231b72ee59ebbf
          SHA512: efa2838bca833114a7417ea21e42644866d7b1c6352447735211dbc102f1d86bab0a59f2a27233eeae2fb6c43de01613437439132e188370de5d85937d9671c3

        • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe
          Filesize: 285KB
          MD5: 890f04e0a2f7f9b29f432ae5d7829143
          SHA1: ce9553b4addcefb38e23059d6a42f384cce8f8e4
          SHA256: f21589011e457cbe216d110de778461b4737cd44a68a242cbf45a3233bd2d2b8
          SHA512: 0479256135b6dee7d58239f03f3a09ff4e9e0d1e8991ef1ad094b0069c39f5a9e821c348a4dfa9e6ee0332434a767a1c3c002368018da4adf93d0b2691296c4b

        • \Users\Admin\AppData\Local\Temp\IXP000.TMP\us4DK37.exe
          Filesize: 737KB
          MD5: 0f1e6bd57eb05a9fd74ff70b15d82ad2
          SHA1: a2e2ce16c2b0e838c7d304359c08b631c810e321
          SHA256: d4d41f660bacfd5b9aa8e27245cc404660be60b87206e47d9bc31155fb28127f
          SHA512: 68c1f9d1ba3568171e8ec6d0a641ad24622da0c341d98e9aff59ea3e12dbb93def460ab7001bc2738dadda0c8d58b0771d78cf9d08ca3a59d93b3349b3ad79b5

        • \Users\Admin\AppData\Local\Temp\IXP001.TMP\mR1ZW65.exe
          Filesize: 490KB
          MD5: eaf5703824f4cd6826d0b72d5d4858be
          SHA1: ce3b239c05f9c18c1e988e71f38114fcf4d1445e
          SHA256: 1eb4091def0be71ab3151934cc38ab164daee0e32f915dbc011b99f59637c312
          SHA512: b44b30c5e1ab3135a4a2e25c542010206d600c6be9fd816e40e8988807e144aea3e09693e4c0613aa45ab1b5764474b68a0da39dd89bf9af3bcb5c09d30d2105

        • \Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe
          Filesize: 293KB
          MD5: 270fed371af6acb335e5177f1d654d85
          SHA1: c3fc74b07b2a5596edc0f347b1a11bd77ec5e613
          SHA256: f2c4e0a40ca39423375f801ac60643cbf910d15278891fa904cff5d26a55a958
          SHA512: 28a6938c4c2015d1eca20c187342cbcbc404e97c7a19532db6c5af52537dddeaa2587f5893cae226f11e8b2afd83a5f6203b55c3c6737663266a9e494d98fc53

        • \Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe
          Filesize: 12KB
          MD5: 8d04e032bc6ad6b3ba2b7998e65e6f13
          SHA1: 66c8a49b5597f8fdab0bbe708c0335f85ef19986
          SHA256: 90ff834f35b4a789d0d25c6252880635bf326d594e1156e785231b72ee59ebbf
          SHA512: efa2838bca833114a7417ea21e42644866d7b1c6352447735211dbc102f1d86bab0a59f2a27233eeae2fb6c43de01613437439132e188370de5d85937d9671c3

        • \Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe
          Filesize: 285KB
          MD5: 890f04e0a2f7f9b29f432ae5d7829143
          SHA1: ce9553b4addcefb38e23059d6a42f384cce8f8e4
          SHA256: f21589011e457cbe216d110de778461b4737cd44a68a242cbf45a3233bd2d2b8
          SHA512: 0479256135b6dee7d58239f03f3a09ff4e9e0d1e8991ef1ad094b0069c39f5a9e821c348a4dfa9e6ee0332434a767a1c3c002368018da4adf93d0b2691296c4b

        • memory/2708-41-0x000007FEF5D70000-0x000007FEF675C000-memory.dmp
          Filesize: 9.9MB

        • memory/2708-40-0x000007FEF5D70000-0x000007FEF675C000-memory.dmp
          Filesize: 9.9MB

        • memory/2708-38-0x0000000000CB0000-0x0000000000CBA000-memory.dmp
          Filesize: 40KB

        • memory/2708-39-0x000007FEF5D70000-0x000007FEF675C000-memory.dmp
          Filesize: 9.9MB

        • memory/2948-54-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
          Filesize: 4KB

        • memory/2948-53-0x0000000000400000-0x0000000000428000-memory.dmp
          Filesize: 160KB

        • memory/2948-55-0x0000000000400000-0x0000000000428000-memory.dmp
          Filesize: 160KB

        • memory/2948-49-0x0000000000400000-0x0000000000428000-memory.dmp
          Filesize: 160KB

        • memory/2948-59-0x0000000000400000-0x0000000000428000-memory.dmp
          Filesize: 160KB

        • memory/2948-57-0x0000000000400000-0x0000000000428000-memory.dmp
          Filesize: 160KB

        • memory/2948-48-0x0000000000400000-0x0000000000428000-memory.dmp
          Filesize: 160KB

        • memory/2948-52-0x0000000000400000-0x0000000000428000-memory.dmp
          Filesize: 160KB

        • memory/2948-51-0x0000000000400000-0x0000000000428000-memory.dmp
          Filesize: 160KB

        • memory/2948-50-0x0000000000400000-0x0000000000428000-memory.dmp
          Filesize: 160KB