Analysis
max time kernel: 127s
max time network: 135s
platform: windows10-1703_x64
resource: win10-20230915-en
resource tags: arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
submitted: 03/10/2023, 11:37
Static task: static1
Behavioral task: behavioral1
Sample: a304990597cd3487d8063db0c5b1aaeb15c4eca87597d6ad487c175815d05d43.exe
Resource: win10-20230915-en
General
Target: a304990597cd3487d8063db0c5b1aaeb15c4eca87597d6ad487c175815d05d43.exe
Size: 1.0MB
MD5: afaef663558d88018abcf96a25a2fcfc
SHA1: 2bdc8c48d79ddd00245b4ff0dabbd5bc902a74da
SHA256: a304990597cd3487d8063db0c5b1aaeb15c4eca87597d6ad487c175815d05d43
SHA512: 4039d0a242e800c71cd7907747c980daa5f3d4200aa21a51d0ac85c6f941834d041fc0198a07434cb1de67a32277d313ee8f109550a1c096524b40717138f037
SSDEEP: 24576:my3BaDZJqm6GCJLgP93opT07RTtqqb7/FcWItrhbJERkX+cR:13sZsLLghXDr7yrTEuO
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (3 IoCs)
resource | yara_rule
behavioral1/files/0x000700000001af9b-27.dat | healer
behavioral1/files/0x000700000001af9b-26.dat | healer
behavioral1/memory/356-28-0x0000000000700000-0x000000000070A000-memory.dmp | healer
Modifies Windows Defender Real-time Protection settings (5 IoCs; signature name taken from the process tree below)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 1QQ29wl4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 1QQ29wl4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 1QQ29wl4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 1QQ29wl4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 1QQ29wl4.exe
Executes dropped EXE (5 IoCs)
pid | Process
4156 | GU9CH02.exe
2640 | KV7JV92.exe
3808 | De7mV25.exe
356 | 1QQ29wl4.exe
4872 | 2oS2746.exe
Windows security modification (1 IoC; signature name taken from the process tree below)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | 1QQ29wl4.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | a304990597cd3487d8063db0c5b1aaeb15c4eca87597d6ad487c175815d05d43.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | GU9CH02.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | KV7JV92.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | De7mV25.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 4872 set thread context of 5024 | 4872 | 2oS2746.exe | 76

Program crash (2 IoCs)
pid | pid_target | Process | procid_target
796 | 4872 | WerFault.exe | 74
1920 | 5024 | WerFault.exe | 76

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
356 | 1QQ29wl4.exe
356 | 1QQ29wl4.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 356 | 1QQ29wl4.exe

Suspicious use of WriteProcessMemory (24 IoCs)
description | pid | Process | procid_target
PID 3132 wrote to memory of 4156 | 3132 | a304990597cd3487d8063db0c5b1aaeb15c4eca87597d6ad487c175815d05d43.exe | 70
PID 3132 wrote to memory of 4156 | 3132 | a304990597cd3487d8063db0c5b1aaeb15c4eca87597d6ad487c175815d05d43.exe | 70
PID 3132 wrote to memory of 4156 | 3132 | a304990597cd3487d8063db0c5b1aaeb15c4eca87597d6ad487c175815d05d43.exe | 70
PID 4156 wrote to memory of 2640 | 4156 | GU9CH02.exe | 71
PID 4156 wrote to memory of 2640 | 4156 | GU9CH02.exe | 71
PID 4156 wrote to memory of 2640 | 4156 | GU9CH02.exe | 71
PID 2640 wrote to memory of 3808 | 2640 | KV7JV92.exe | 72
PID 2640 wrote to memory of 3808 | 2640 | KV7JV92.exe | 72
PID 2640 wrote to memory of 3808 | 2640 | KV7JV92.exe | 72
PID 3808 wrote to memory of 356 | 3808 | De7mV25.exe | 73
PID 3808 wrote to memory of 356 | 3808 | De7mV25.exe | 73
PID 3808 wrote to memory of 4872 | 3808 | De7mV25.exe | 74
PID 3808 wrote to memory of 4872 | 3808 | De7mV25.exe | 74
PID 3808 wrote to memory of 4872 | 3808 | De7mV25.exe | 74
PID 4872 wrote to memory of 5024 | 4872 | 2oS2746.exe | 76
PID 4872 wrote to memory of 5024 | 4872 | 2oS2746.exe | 76
PID 4872 wrote to memory of 5024 | 4872 | 2oS2746.exe | 76
PID 4872 wrote to memory of 5024 | 4872 | 2oS2746.exe | 76
PID 4872 wrote to memory of 5024 | 4872 | 2oS2746.exe | 76
PID 4872 wrote to memory of 5024 | 4872 | 2oS2746.exe | 76
PID 4872 wrote to memory of 5024 | 4872 | 2oS2746.exe | 76
PID 4872 wrote to memory of 5024 | 4872 | 2oS2746.exe | 76
PID 4872 wrote to memory of 5024 | 4872 | 2oS2746.exe | 76
PID 4872 wrote to memory of 5024 | 4872 | 2oS2746.exe | 76
Processes
- C:\Users\Admin\AppData\Local\Temp\a304990597cd3487d8063db0c5b1aaeb15c4eca87597d6ad487c175815d05d43.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a304990597cd3487d8063db0c5b1aaeb15c4eca87597d6ad487c175815d05d43.exe"
  PID: 3132
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GU9CH02.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GU9CH02.exe
    PID: 4156
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KV7JV92.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KV7JV92.exe
      PID: 2640
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\De7mV25.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\De7mV25.exe
        PID: 3808
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1QQ29wl4.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1QQ29wl4.exe
          PID: 356
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2oS2746.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2oS2746.exe
          PID: 4872
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            PID: 5024
            - C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 192
              PID: 1920
              - Program crash
          - C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 144
            PID: 796
            - Program crash
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads
- Filesize: 927KB
  MD5: 4f0b4ba453fe8cbc4783c9874d79bc6e
  SHA1: f642397f98a0f32afd1b7ef3da93c7e7ce76a6cd
  SHA256: 6a851e3ae7ba5fc42885cf5f972c74b8c0183aac81c0da0558db4c04173821fe
  SHA512: 2ac44e4a7ea041ea0127e9b99308a114aa9ac0112f21c64e2461e9d648cc0dbb04090a842b06ad4fc67f15d6e08b7a22d17adc1d3056f1edfdd7c5faea37c210
- Filesize: 680KB
  MD5: 190605d9aff0c8f997553add1f73b7f6
  SHA1: a5add285aa928ae1d5201d8f2b5b5bdb2cc32d31
  SHA256: 9a7b985322e6c953d1c941857db7e377143a1ecde7f101e13d2960bbd835ae75
  SHA512: 29cd4239f635bf0074c877550781a83667822efe5a433c29eeceb4e1b408eb378feb83bafd4b03f5721514577d49f0076ebec6056dae38064e2b41dca15c06c7
- Filesize: 483KB
  MD5: e1f94ea11b4051f09af96caec6603fe9
  SHA1: 07f7b53d308f10c964c1fe0a505d0f2bcd94b920
  SHA256: 6bc479573eba31861da2b23f961fcb5b7ab7cbf44e9fb55661133894c581d344
  SHA512: c70695762550f7dc7fffca68fe95c427dd5602ed9e0227a275932d0aec1f24007b92844bd45b0af75cc9fe32ccac137177b612d4210b26e50a86eea57282428e
- Filesize: 12KB
  MD5: 523b4afa2fe40bd2aad22dd509a91946
  SHA1: b0eb9975e4ff08253e1294b8b546fea6bfaf6247
  SHA256: bfbc2077b6d96f82c015b3e0df9c86e333277c8a217e13ed946f3a6d35b27e25
  SHA512: 490a042154426a8c12f99d313e980fe203f48182b964af6effa0d2012e66fc252608deb1e0310d5043a2a3d8c278ec04c6b8f56d3e66e1317ab037fc8d64b1a5
- Filesize: 1.4MB
  MD5: ac3d748bd53abd00abcf57a2c3e1f2ad
  SHA1: 3f082497aad436fac809fe19b98319c1bcbba4c6
  SHA256: df9e30d9ab2d4f2a046e9807b7f7fca2181b8ef0319a9c4efc0124373e81d601
  SHA512: a1314bede955a55a4049540ad08c7f5e8b5f5b6b6e8b56a1934dff7432eafd3d8999d878f13face0ebac1c0b48f6b288adbb8c8a28fe5b5679eb9ac8c8151bdd