Analysis

  • max time kernel
    125s
  • max time network
    131s
  • platform
    windows10-1703_x64
  • resource
    win10-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    03/10/2023, 11:44

General

  • Target

    dc49b0b0815795e7c1162bd7fdcc7f36f810abd5673e58d025a212b7a9e79ebb.exe

  • Size

    1.4MB

  • MD5

    8e4050f33a24b4bd69e0923b4cc6ea79

  • SHA1

    d2864d727178bca0842b88a22d7a468ad9fcbfd7

  • SHA256

    dc49b0b0815795e7c1162bd7fdcc7f36f810abd5673e58d025a212b7a9e79ebb

  • SHA512

    e1eea8b977c8d73e87b3317a42ee2922f9929402b64e84fabd47456d41712bc125d026f4d3c320bd1d7c2b6bdb7472a8ab1873401e4aa69a138f68ff691f0ee2

  • SSDEEP

    24576:ayCBv0F7hk4Exa9g6E0WS3xZcugLCX/vFrvY5K69cehh5QcTvEQpPr/8yJpUK8E:hmEExaMOBZaChYg6WexQcTvEQpPr/qK8

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer, an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dc49b0b0815795e7c1162bd7fdcc7f36f810abd5673e58d025a212b7a9e79ebb.exe
    "C:\Users\Admin\AppData\Local\Temp\dc49b0b0815795e7c1162bd7fdcc7f36f810abd5673e58d025a212b7a9e79ebb.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2768
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fb4cT90.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fb4cT90.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2116
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rA7Ev50.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rA7Ev50.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2632
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sf6Uq60.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sf6Uq60.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:4372
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vJ48qZ3.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vJ48qZ3.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4264
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2yu1664.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2yu1664.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:4856
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              PID:2052
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              PID:204
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 204 -s 568
                7⤵
                • Program crash
                PID:324
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 576
              6⤵
              • Program crash
              PID:3968

      Network

            MITRE ATT&CK Enterprise v15

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fb4cT90.exe

              Filesize

              1.3MB

              MD5

              3f9bf33de9dbc3b4ff325ed2ca484383

              SHA1

              7d35c87fc1fc54778cd9d848ce4e7093b210eb25

              SHA256

              151b09a17549eb664d9861266ee3aae882c761408fa2ee20faf772e7fe824214

              SHA512

              612232bc28d32e68c0a61103756da337bc82431cd86778b64a3fbd11b6a4c0d80e8b2d00f97dc864c72186cde888295d6c9fe06f9977364ce5dd7a48270215d0

            • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rA7Ev50.exe

              Filesize

              870KB

              MD5

              b8419002a71cb074d22c204494c444f0

              SHA1

              218c717272b12775faf896a653f7c220a6cec37c

              SHA256

              75023350df0134e5a73857f76c7ead28e5c1d029ddbbcc20f1a2b6585895999b

              SHA512

              675a95d0957f5efb109fae36b0371c753ad5b67092d89b83eef513a4d06695fd966602fb199dbddeaeacc6c6a57174c5c92e62fea6137294c163c13450beca55

            • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sf6Uq60.exe

              Filesize

              482KB

              MD5

              d26ea2df963e785b102079b28c352b59

              SHA1

              4ae543c6a6370e1af8789671b9e269a2216a4d44

              SHA256

              653f9e4e32b6db993309907ef8cd9e95ddf3123fc98c4b3a29b1b83e7d1fbeba

              SHA512

              f16a16c1d58227e0c3d97a58a776af4271fc733c7e40721d1254612562425ac59afa15fdab14084800615763d74a145c87b188e1504d6c85cfc133af08530e39

            • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vJ48qZ3.exe

              Filesize

              12KB

              MD5

              35a0e47267276a8e8882396e4f192a37

              SHA1

              a6353f0584ca37d0f783e1a077b524ec54da2a2c

              SHA256

              e4d31acd4f6f9a8c85c0c7d946d55e4efd5a2571f54a3b6682e04495f951bd96

              SHA512

              e322cf2c200076ced13d097f6cb3a92164a6fc7cfcc7c855161d7bf76397c8eb96be20d347cb609bba1361ac803ba5b23668b02f6c7f62db25b2a025d5e6fc03

            • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2yu1664.exe

              Filesize

              1.4MB

              MD5

              4f0618a9c475f2cc448658d569feecf6

              SHA1

              894882be7b89ef0fc6c80f1b6d2af88f70a633ab

              SHA256

              b45b29dfdeaa8ea21d2e73220210627f7feadb3d73326da0f24825b38389d382

              SHA512

              0a5b6ab69ab1cf37b9f93c0d59eb55af05f8976272fef45eb551d2ced503f9e64ecb7ef914bb176d52111f426933015200a847855ab21c84e35d2e8f492855b1

            • memory/204-35-0x0000000000400000-0x0000000000428000-memory.dmp

              Filesize

              160KB

            • memory/204-38-0x0000000000400000-0x0000000000428000-memory.dmp

              Filesize

              160KB

            • memory/204-39-0x0000000000400000-0x0000000000428000-memory.dmp

              Filesize

              160KB

            • memory/204-41-0x0000000000400000-0x0000000000428000-memory.dmp

              Filesize

              160KB

            • memory/4264-31-0x00007FFDD9510000-0x00007FFDD9EFC000-memory.dmp

              Filesize

              9.9MB

            • memory/4264-29-0x00007FFDD9510000-0x00007FFDD9EFC000-memory.dmp

              Filesize

              9.9MB

            • memory/4264-28-0x0000000000470000-0x000000000047A000-memory.dmp

              Filesize

              40KB