Analysis
max time kernel: 140s
max time network: 149s
platform: windows10-1703_x64
resource: win10-20230915-en
resource tags: arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
submitted: 03/10/2023, 11:18
Static task: static1
Behavioral task: behavioral1
Sample: d0447c2355c4987631618cdaad6a4721b8245131aa28a733b6cd324f34fa1332.exe
Resource: win10-20230915-en
General
Target: d0447c2355c4987631618cdaad6a4721b8245131aa28a733b6cd324f34fa1332.exe
Size: 877KB
MD5: 85f99044de0e164f7cebd17756657fe4
SHA1: c312f17a2a0b1a2be3cb2032c21c969690cf67db
SHA256: d0447c2355c4987631618cdaad6a4721b8245131aa28a733b6cd324f34fa1332
SHA512: 732eb2478bbd88da1b46989dd8f9cab7758851dc876bbe7a2db1c1c1ee6b73410b4a91d5d216359dafae83bfcd2b23d7bc22e776bab12e711258a80d867c99b4
SSDEEP: 12288:hMrvy90qhJitWyiAeEChRhVXHY+dNMFIn3BIwzjlsm1JwEQy1hFMuHki/Pa:+y9hJ6c3fP34xiaqsYeEnj+i/i
Malware Config

Signatures

Detects Healer an antivirus disabler dropper (3 IoCs)
resource | yara_rule
- behavioral1/files/0x000700000001af44-26.dat | healer
- behavioral1/files/0x000700000001af44-27.dat | healer
- behavioral1/memory/3008-28-0x0000000000330000-0x000000000033A000-memory.dmp | healer
Modifies Windows Defender Real-time Protection settings (5 IoCs)
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 1jh00se4.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 1jh00se4.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 1jh00se4.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 1jh00se4.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 1jh00se4.exe
Executes dropped EXE (5 IoCs)
pid | Process
- 4016 | sR3Rd97.exe
- 4192 | yo7Gg07.exe
- 3188 | Ju5sm97.exe
- 3008 | 1jh00se4.exe
- 1420 | 2iX7790.exe
Windows security modification (1 IoC)
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | 1jh00se4.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | d0447c2355c4987631618cdaad6a4721b8245131aa28a733b6cd324f34fa1332.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | sR3Rd97.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | yo7Gg07.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | Ju5sm97.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
- PID 1420 set thread context of 600 | 1420 | 2iX7790.exe | 75

Program crash (2 IoCs)
pid | pid_target | Process | procid_target
- 1796 | 1420 | WerFault.exe | 73
- 4560 | 600 | WerFault.exe | 75

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
- 3008 | 1jh00se4.exe
- 3008 | 1jh00se4.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
- Token: SeDebugPrivilege | 3008 | 1jh00se4.exe

Suspicious use of WriteProcessMemory (24 IoCs)
description | pid | Process | procid_target
- PID 4848 wrote to memory of 4016 | 4848 | d0447c2355c4987631618cdaad6a4721b8245131aa28a733b6cd324f34fa1332.exe | 69
- PID 4848 wrote to memory of 4016 | 4848 | d0447c2355c4987631618cdaad6a4721b8245131aa28a733b6cd324f34fa1332.exe | 69
- PID 4848 wrote to memory of 4016 | 4848 | d0447c2355c4987631618cdaad6a4721b8245131aa28a733b6cd324f34fa1332.exe | 69
- PID 4016 wrote to memory of 4192 | 4016 | sR3Rd97.exe | 70
- PID 4016 wrote to memory of 4192 | 4016 | sR3Rd97.exe | 70
- PID 4016 wrote to memory of 4192 | 4016 | sR3Rd97.exe | 70
- PID 4192 wrote to memory of 3188 | 4192 | yo7Gg07.exe | 71
- PID 4192 wrote to memory of 3188 | 4192 | yo7Gg07.exe | 71
- PID 4192 wrote to memory of 3188 | 4192 | yo7Gg07.exe | 71
- PID 3188 wrote to memory of 3008 | 3188 | Ju5sm97.exe | 72
- PID 3188 wrote to memory of 3008 | 3188 | Ju5sm97.exe | 72
- PID 3188 wrote to memory of 1420 | 3188 | Ju5sm97.exe | 73
- PID 3188 wrote to memory of 1420 | 3188 | Ju5sm97.exe | 73
- PID 3188 wrote to memory of 1420 | 3188 | Ju5sm97.exe | 73
- PID 1420 wrote to memory of 600 | 1420 | 2iX7790.exe | 75
- PID 1420 wrote to memory of 600 | 1420 | 2iX7790.exe | 75
- PID 1420 wrote to memory of 600 | 1420 | 2iX7790.exe | 75
- PID 1420 wrote to memory of 600 | 1420 | 2iX7790.exe | 75
- PID 1420 wrote to memory of 600 | 1420 | 2iX7790.exe | 75
- PID 1420 wrote to memory of 600 | 1420 | 2iX7790.exe | 75
- PID 1420 wrote to memory of 600 | 1420 | 2iX7790.exe | 75
- PID 1420 wrote to memory of 600 | 1420 | 2iX7790.exe | 75
- PID 1420 wrote to memory of 600 | 1420 | 2iX7790.exe | 75
- PID 1420 wrote to memory of 600 | 1420 | 2iX7790.exe | 75
Processes

1. C:\Users\Admin\AppData\Local\Temp\d0447c2355c4987631618cdaad6a4721b8245131aa28a733b6cd324f34fa1332.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\d0447c2355c4987631618cdaad6a4721b8245131aa28a733b6cd324f34fa1332.exe"
   PID: 4848
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sR3Rd97.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sR3Rd97.exe
      PID: 4016
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yo7Gg07.exe
         command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yo7Gg07.exe
         PID: 4192
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ju5sm97.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ju5sm97.exe
            PID: 3188
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory

            5. C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jh00se4.exe
               command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jh00se4.exe
               PID: 3008
               - Modifies Windows Defender Real-time Protection settings
               - Executes dropped EXE
               - Windows security modification
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of AdjustPrivilegeToken

            5. C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2iX7790.exe
               command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2iX7790.exe
               PID: 1420
               - Executes dropped EXE
               - Suspicious use of SetThreadContext
               - Suspicious use of WriteProcessMemory

               6. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                  command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                  PID: 600

                  7. C:\Windows\SysWOW64\WerFault.exe
                     command line: C:\Windows\SysWOW64\WerFault.exe -u -p 600 -s 568
                     PID: 4560
                     - Program crash

               6. C:\Windows\SysWOW64\WerFault.exe
                  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 140
                  PID: 1796
                  - Program crash

Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads
Filesize: 737KB
MD5: 449a335987e102e2fd2e8b7696b3ae4d
SHA1: eec71f904634c0ace885d776539ea8a21686258c
SHA256: ab9471b5802658f8093fc0846dd7d1a1f37382ae324ad128296caf921eefc4a0
SHA512: 87ffced9996af916d40ded09a81f4bf0f971ae4039a443d732b7002f02ff18ffbe8b48a2e441be1df971eb9ad2c8e2becbccdad17327a006c4160c13d0ec2dbe

Filesize: 490KB
MD5: 61e5ce1b3666d253136d70364ff287a0
SHA1: b37179bdccd9255c29dff74830fe8845bfa49f5f
SHA256: 8d3c2a4429da9f4cb01ccf7e1b028d1b162877dc992f4f55715c777355b13549
SHA512: 793efbfdfbcc519f0453d0a17c62705f84d6b0d8bf646d3ba0c4be769cc0972f8046450ec724f2efb68587f6aad2f5a11e5cbd7c40ea99c6e051b9712a655d8f

Filesize: 293KB
MD5: 7c962d722ca137a161572106c5098c6c
SHA1: 5276cfeead9bf4bc0ef540ac8faf602b8a47caa1
SHA256: 0b31683a3a7e024a810c71a4b9478212c9c8980969526a08a0fbffea820c0294
SHA512: 580d2920d58812d59f2bb2e4ae9809acf01db3e975b5a77ffe5a8d25870f65017bdd2eace11c2ab6a2da8ed5272d0378161295f622585c6474e3ca119cd08bd5

Filesize: 12KB
MD5: 385097ae848db5d88fc9b42cd72b4a49
SHA1: 033079fd36b4e11dabe80332aa58da41fb8000fd
SHA256: e38a99b236000d777a07464fa0ef480eb1452ff17ceef0ee762faa7549ed81bc
SHA512: 005fb77acd98fc4a8d2cb5289aa5b86f6e6710f85a963baa4e23a38c2840316f36fb32ed2e1bc87d9d208a99f452c7f817365535b543968e1df4629012f967e1

Filesize: 285KB
MD5: cfa62f3674dfd5107a6864ad4084d56c
SHA1: 4202d779d0b8d6aff3f373aedd2a1e83b19d8cb8
SHA256: 0ef2edf4bda629a64709ca401dcc3ff02269b16c03552a387b5b6c4fef621325
SHA512: d8251c8aa9416cad54fa93d95493c7f05db14647361aace39edb9ce886ff40bcdb148a63e628c8d90f7dab617167f7bdf4794b5d0f83b40e2c5dcbf47b5bb687