Analysis
- max time kernel: 125s
- max time network: 131s
- platform: windows10-1703_x64
- resource: win10-20230915-en
- resource tags: arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 03/10/2023, 11:44

Static task: static1
Behavioral task: behavioral1
- Sample: dc49b0b0815795e7c1162bd7fdcc7f36f810abd5673e58d025a212b7a9e79ebb.exe
- Resource: win10-20230915-en
General
- Target: dc49b0b0815795e7c1162bd7fdcc7f36f810abd5673e58d025a212b7a9e79ebb.exe
- Size: 1.4MB
- MD5: 8e4050f33a24b4bd69e0923b4cc6ea79
- SHA1: d2864d727178bca0842b88a22d7a468ad9fcbfd7
- SHA256: dc49b0b0815795e7c1162bd7fdcc7f36f810abd5673e58d025a212b7a9e79ebb
- SHA512: e1eea8b977c8d73e87b3317a42ee2922f9929402b64e84fabd47456d41712bc125d026f4d3c320bd1d7c2b6bdb7472a8ab1873401e4aa69a138f68ff691f0ee2
- SSDEEP: 24576:ayCBv0F7hk4Exa9g6E0WS3xZcugLCX/vFrvY5K69cehh5QcTvEQpPr/8yJpUK8E:hmEExaMOBZaChYg6WexQcTvEQpPr/qK8
Malware Config
Signatures
- Detects Healer, an antivirus disabler dropper (3 IoCs)
  resource | yara_rule
  behavioral1/files/0x000700000001aff9-26.dat | healer
  behavioral1/files/0x000700000001aff9-27.dat | healer
  behavioral1/memory/4264-28-0x0000000000470000-0x000000000047A000-memory.dmp | healer
  The memory hit is in PID 4264, which the process list below resolves to 1vJ48qZ3.exe, the same process that writes the Windows Defender values in the next two signatures.

- Modifies Windows Defender Real-time Protection settings (5 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 1vJ48qZ3.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 1vJ48qZ3.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 1vJ48qZ3.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 1vJ48qZ3.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 1vJ48qZ3.exe
  These are the Defender policy values under HKLM\SOFTWARE\Policies, the same values Group Policy writes, so they are a persistent configuration change rather than a one-off API call. Whether they took effect in this image is not recorded here: with Tamper Protection enabled, Defender blocks or reverts both this key and the TamperProtection value below, so detection should key on the attempted write (for example a Sysmon Event ID 13 RegistryEvent on these paths) rather than on Defender's resulting state.

- Executes dropped EXE (5 IoCs)
  pid | Process
  2116 | Fb4cT90.exe
  2632 | rA7Ev50.exe
  4372 | sf6Uq60.exe
  4264 | 1vJ48qZ3.exe
  4856 | 2yu1664.exe

- Windows security modification (1 IoC)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | 1vJ48qZ3.exe

- Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\" | dc49b0b0815795e7c1162bd7fdcc7f36f810abd5673e58d025a212b7a9e79ebb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\" | Fb4cT90.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\" | rA7Ev50.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\" | sf6Uq60.exe
  A wextract_cleanupN RunOnce value that runs advpack.dll,DelNodeRunDLL32 on an IXPnnn.TMP directory is the cleanup stub written by the Windows self-extractor (wextract.exe, the IExpress format) so that its temporary extraction directory is deleted at the next logon. Four such entries mean the sample is four nested self-extracting layers (IXP000.TMP through IXP003.TMP). This is packaging, not a persistence mechanism, even though it is what drives the Registry Run Keys mapping under MITRE ATT&CK below.

- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 4856 set thread context of 204 | 4856 | 2yu1664.exe | 77

- Program crash (2 IoCs)
  pid | pid_target | Process | procid_target
  3968 | 4856 | WerFault.exe | 74
  324 | 204 | WerFault.exe | 77

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  4264 | 1vJ48qZ3.exe
  4264 | 1vJ48qZ3.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 4264 | 1vJ48qZ3.exe

- Suspicious use of WriteProcessMemory (27 IoCs; the report lists one row per write, grouped here by source and target)
  pid | Process | wrote to memory of | procid_target | rows
  2768 | dc49b0b0815795e7c1162bd7fdcc7f36f810abd5673e58d025a212b7a9e79ebb.exe | 2116 | 70 | 3
  2116 | Fb4cT90.exe | 2632 | 71 | 3
  2632 | rA7Ev50.exe | 4372 | 72 | 3
  4372 | sf6Uq60.exe | 4264 | 73 | 2
  4372 | sf6Uq60.exe | 4856 | 74 | 3
  4856 | 2yu1664.exe | 2052 | 76 | 3
  4856 | 2yu1664.exe | 204 | 77 | 10
  Every ordinary child launch in this run shows up as the same two- or three-row pattern. The outlier is 2yu1664.exe (4856) writing ten times into the second AppLaunch.exe instance (204) and then setting a thread context in it (the SetThreadContext signature above): that is the write-payload-then-redirect-thread sequence of process injection into a freshly started, Microsoft-signed .NET host. The first AppLaunch.exe instance (2052) received only the launch-time writes. Both 4856 and 204 were afterwards handled by WerFault.exe (Program crash above), so the injected payload most likely did not run to completion in this sandbox, which would explain the empty Malware Config and Network sections.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\dc49b0b0815795e7c1162bd7fdcc7f36f810abd5673e58d025a212b7a9e79ebb.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\dc49b0b0815795e7c1162bd7fdcc7f36f810abd5673e58d025a212b7a9e79ebb.exe"
    PID: 2768
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fb4cT90.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fb4cT90.exe
        PID: 2116
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rA7Ev50.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rA7Ev50.exe
            PID: 2632
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory
            [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sf6Uq60.exe
                command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sf6Uq60.exe
                PID: 4372
                - Executes dropped EXE
                - Adds Run key to start application
                - Suspicious use of WriteProcessMemory
                [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vJ48qZ3.exe
                    command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vJ48qZ3.exe
                    PID: 4264
                    - Modifies Windows Defender Real-time Protection settings
                    - Executes dropped EXE
                    - Windows security modification
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
                [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2yu1664.exe
                    command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2yu1664.exe
                    PID: 4856
                    - Executes dropped EXE
                    - Suspicious use of SetThreadContext
                    - Suspicious use of WriteProcessMemory
                    [6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                        PID: 2052
                    [6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                        PID: 204
                        [7] C:\Windows\SysWOW64\WerFault.exe
                            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 204 -s 568
                            PID: 324
                            - Program crash
                    [6] C:\Windows\SysWOW64\WerFault.exe
                        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 576
                        PID: 3968
                        - Program crash

The bracketed number is the depth in the tree. Read top to bottom, the chain is four self-extractor layers (the submitted file, then Fb4cT90.exe, rA7Ev50.exe and sf6Uq60.exe, each unpacking into the next IXPnnn.TMP directory) that finally drop two payloads side by side in IXP003.TMP: 1vJ48qZ3.exe, the Healer component that disables Defender, and 2yu1664.exe, which starts AppLaunch.exe twice and injects into the second instance (PID 204). Both 2yu1664.exe and that AppLaunch.exe instance then crash under WerFault.exe, so the final-stage behaviour is not captured in this run.
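The script below is an added example and is not part of the sandbox report or the vendor's tooling. It re-parses the registry, WriteProcessMemory and SetThreadContext rows from the Signatures section (transcribed from this page, with the repeated WriteProcessMemory rows collapsed to one per parent/child pair) and re-derives the three findings a responder cares about: the Defender policy tampering, the injection into AppLaunch.exe, and the RunOnce values that are wextract cleanup stubs rather than persistence. It also rebuilds the process tree above from the write-to-memory edges. The PID-to-name map for the AppLaunch.exe instances and the rule that classifies the cleanup stub are my own assumptions, not statements the report makes.

```python
import re
from collections import defaultdict

SAMPLE = "dc49b0b0815795e7c1162bd7fdcc7f36f810abd5673e58d025a212b7a9e79ebb.exe"

# Registry writes transcribed from the signature tables: (value path, data, writing process).
RTP_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
TAMPER_VALUE = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection"
RUNONCE_KEY = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
CLEANUP_CMD = r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\%s\"'
REGISTRY_WRITES = [
    (RTP_KEY + r"\DisableScanOnRealtimeEnable", 1, "1vJ48qZ3.exe"),
    (RTP_KEY + r"\DisableBehaviorMonitoring", 1, "1vJ48qZ3.exe"),
    (RTP_KEY + r"\DisableIOAVProtection", 1, "1vJ48qZ3.exe"),
    (RTP_KEY + r"\DisableOnAccessProtection", 1, "1vJ48qZ3.exe"),
    (RTP_KEY + r"\DisableRealtimeMonitoring", 1, "1vJ48qZ3.exe"),
    (TAMPER_VALUE, 0, "1vJ48qZ3.exe"),
    (RUNONCE_KEY + r"\wextract_cleanup0", CLEANUP_CMD % "IXP000.TMP", SAMPLE),
    (RUNONCE_KEY + r"\wextract_cleanup1", CLEANUP_CMD % "IXP001.TMP", "Fb4cT90.exe"),
    (RUNONCE_KEY + r"\wextract_cleanup2", CLEANUP_CMD % "IXP002.TMP", "rA7Ev50.exe"),
    (RUNONCE_KEY + r"\wextract_cleanup3", CLEANUP_CMD % "IXP003.TMP", "sf6Uq60.exe"),
]

# One row per distinct (source, target) pair from the WriteProcessMemory and
# SetThreadContext tables; the report repeats the WriteProcessMemory rows.
PROCESS_EVENTS = f"""
PID 2768 wrote to memory of 2116 2768 {SAMPLE} 70
PID 2116 wrote to memory of 2632 2116 Fb4cT90.exe 71
PID 2632 wrote to memory of 4372 2632 rA7Ev50.exe 72
PID 4372 wrote to memory of 4264 4372 sf6Uq60.exe 73
PID 4372 wrote to memory of 4856 4372 sf6Uq60.exe 74
PID 4856 wrote to memory of 2052 4856 2yu1664.exe 76
PID 4856 wrote to memory of 204 4856 2yu1664.exe 77
PID 4856 set thread context of 204 4856 2yu1664.exe 77
""".strip().splitlines()
# Assumed PID-to-name map, taken from the process tree (AppLaunch.exe PIDs are not in the IoC tables).
PID_NAMES = {2768: SAMPLE, 2116: "Fb4cT90.exe", 2632: "rA7Ev50.exe", 4372: "sf6Uq60.exe",
             4264: "1vJ48qZ3.exe", 4856: "2yu1664.exe", 2052: "AppLaunch.exe", 204: "AppLaunch.exe"}

EVENT_RE = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+) \1 (\S+) (\d+)")
# Assumed classification rule: the self-extractor's cleanup command, quoted directory captured.
CLEANUP_RE = re.compile(r'^rundll32\.exe C:\\Windows\\system32\\advpack\.dll,DelNodeRunDLL32 "(?P<dir>[^"]+)"$', re.I)


def parse_events(lines):
    """Turn 'PID a <action> b a name target' rows into dicts; refuse rows that do not fit."""
    events = []
    for line in lines:
        m = EVENT_RE.fullmatch(line.strip())
        if m is None:
            raise ValueError(f"unrecognised signature row: {line!r}")
        src, action, dst, src_name, target_id = m.groups()
        events.append({"src": int(src), "dst": int(dst), "action": action,
                       "src_name": src_name, "procid_target": int(target_id)})
    return events


def injection_candidates(events):
    """(src, dst) pairs where src both wrote into dst and replaced a thread context in dst."""
    wrote = {(e["src"], e["dst"]) for e in events if e["action"] == "wrote to memory of"}
    ctx = {(e["src"], e["dst"]) for e in events if e["action"] == "set thread context of"}
    return sorted(wrote & ctx)


def process_tree(events, names):
    """Rebuild the parent/child tree from write-to-memory edges, two spaces of indent per level."""
    children = defaultdict(list)
    for e in events:
        if e["action"] == "wrote to memory of" and e["dst"] not in children[e["src"]]:
            children[e["src"]].append(e["dst"])
    targets = {d for kids in children.values() for d in kids}
    out = []

    def walk(pid, depth):
        out.append("  " * depth + f"{names.get(pid, '?')} (PID {pid})")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in [p for p in list(children) if p not in targets]:
        walk(root, 0)
    return out


def defender_findings(writes):
    """Which Real-Time Protection policies were switched off, and whether TamperProtection was zeroed."""
    disabled = sorted(path.rsplit("\\", 1)[1] for path, data, _ in writes
                      if path.rsplit("\\", 1)[0] == RTP_KEY and data == 1)
    tamper_off = any(path == TAMPER_VALUE and data == 0 for path, data, _ in writes)
    return {"disabled_rtp_policies": disabled, "tamper_protection_zeroed": tamper_off}


def classify_runonce(writes):
    """Label RunOnce values: the wextract cleanup stub is self-extractor housekeeping, not persistence."""
    result = {}
    for path, data, _ in writes:
        if path.rsplit("\\", 1)[0] != RUNONCE_KEY:
            continue
        name = path.rsplit("\\", 1)[1]
        m = CLEANUP_RE.match(str(data))
        if name.startswith("wextract_cleanup") and m:
            result[name] = ("wextract cleanup stub", m.group("dir"))
        else:
            result[name] = ("unclassified RunOnce autostart", str(data))
    return result


if __name__ == "__main__":
    ev = parse_events(PROCESS_EVENTS)
    print("\n".join(process_tree(ev, PID_NAMES)))
    print("injection:", injection_candidates(ev))
    print("defender:", defender_findings(REGISTRY_WRITES))
    print("runonce:", classify_runonce(REGISTRY_WRITES))
```

The injection rule deliberately requires both a write and a thread-context change from the same source into the same target: the first AppLaunch.exe (2052) only received writes and is not flagged, while (4856, 204) is. The parser raises on any row it cannot match rather than silently skipping it, so a change in the report layout shows up as an error instead of a missing edge in the tree.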
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
- Filesize: 1.3MB
  MD5: 3f9bf33de9dbc3b4ff325ed2ca484383
  SHA1: 7d35c87fc1fc54778cd9d848ce4e7093b210eb25
  SHA256: 151b09a17549eb664d9861266ee3aae882c761408fa2ee20faf772e7fe824214
  SHA512: 612232bc28d32e68c0a61103756da337bc82431cd86778b64a3fbd11b6a4c0d80e8b2d00f97dc864c72186cde888295d6c9fe06f9977364ce5dd7a48270215d0
- Filesize: 870KB
  MD5: b8419002a71cb074d22c204494c444f0
  SHA1: 218c717272b12775faf896a653f7c220a6cec37c
  SHA256: 75023350df0134e5a73857f76c7ead28e5c1d029ddbbcc20f1a2b6585895999b
  SHA512: 675a95d0957f5efb109fae36b0371c753ad5b67092d89b83eef513a4d06695fd966602fb199dbddeaeacc6c6a57174c5c92e62fea6137294c163c13450beca55
- Filesize: 482KB
  MD5: d26ea2df963e785b102079b28c352b59
  SHA1: 4ae543c6a6370e1af8789671b9e269a2216a4d44
  SHA256: 653f9e4e32b6db993309907ef8cd9e95ddf3123fc98c4b3a29b1b83e7d1fbeba
  SHA512: f16a16c1d58227e0c3d97a58a776af4271fc733c7e40721d1254612562425ac59afa15fdab14084800615763d74a145c87b188e1504d6c85cfc133af08530e39
- Filesize: 12KB
  MD5: 35a0e47267276a8e8882396e4f192a37
  SHA1: a6353f0584ca37d0f783e1a077b524ec54da2a2c
  SHA256: e4d31acd4f6f9a8c85c0c7d946d55e4efd5a2571f54a3b6682e04495f951bd96
  SHA512: e322cf2c200076ced13d097f6cb3a92164a6fc7cfcc7c855161d7bf76397c8eb96be20d347cb609bba1361ac803ba5b23668b02f6c7f62db25b2a025d5e6fc03
- Filesize: 1.4MB
  MD5: 4f0618a9c475f2cc448658d569feecf6
  SHA1: 894882be7b89ef0fc6c80f1b6d2af88f70a633ab
  SHA256: b45b29dfdeaa8ea21d2e73220210627f7feadb3d73326da0f24825b38389d382
  SHA512: 0a5b6ab69ab1cf37b9f93c0d59eb55af05f8976272fef45eb551d2ced503f9e64ecb7ef914bb176d52111f426933015200a847855ab21c84e35d2e8f492855b1