Analysis
- max time kernel: 109s
- max time network: 114s
- platform: windows10-1703_x64
- resource: win10-20230915-en
- resource tags: arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 03/10/2023, 12:07
- Static task: static1
- Behavioral task: behavioral1
- Sample: eace3fab640275bbd8840aa1413c2a0ee920ed2a3027432ff39be28e78586e50.exe
- Resource: win10-20230915-en
General
- Target: eace3fab640275bbd8840aa1413c2a0ee920ed2a3027432ff39be28e78586e50.exe
- Size: 1.4MB
- MD5: 5fc6f14a0c96d0e6bf020b56efc11b6c
- SHA1: 9dfccfc026b64b4ca2ea070f10af3ade4e086e54
- SHA256: eace3fab640275bbd8840aa1413c2a0ee920ed2a3027432ff39be28e78586e50
- SHA512: a3fe6935548d75068e8ad5cd2923f8530b898fc80a0e0bc1e3cf6bbffd5f78a079ca4e14b53bda8b7ed24071bc3f98453247d1ae5dfb1f11ce896a0520b8b607
- SSDEEP: 24576:ayQ+5YHg4dcLKyDer56lvY95rOJyEr9BAiThhqWtc3OKXZC4G+IG:hQqCd6KGtJY95jErVbzc+KpbGt
Malware Config
Signatures
Detects Healer an antivirus disabler dropper 3 IoCs
resource / yara_rule:
- behavioral1/files/0x000700000001af62-33.dat: healer
- behavioral1/files/0x000700000001af62-34.dat: healer
- behavioral1/memory/4248-35-0x0000000000910000-0x000000000091A000-memory.dmp: healer

Modifies Windows Defender Real-time Protection settings 5 IoCs
description / ioc / Process:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (q3297704.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (q3297704.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (q3297704.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (q3297704.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (q3297704.exe)

Executes dropped EXE 6 IoCs
pid / Process:
- 4820 z6942079.exe
- 424 z7413504.exe
- 4676 z4684420.exe
- 1020 z1668808.exe
- 4248 q3297704.exe
- 2864 r3699752.exe

Windows security modification 1 IoCs
description / ioc / Process:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" (q3297704.exe)

Adds Run key to start application 2 TTPs 5 IoCs
description / ioc / Process:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (eace3fab640275bbd8840aa1413c2a0ee920ed2a3027432ff39be28e78586e50.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (z6942079.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (z7413504.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" (z4684420.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" (z1668808.exe)

Suspicious use of SetThreadContext 1 IoCs
description / pid / Process / procid_target:
- PID 2864 set thread context of 2140; pid 2864, r3699752.exe, procid_target 77

Program crash 2 IoCs
pid / pid_target / Process / procid_target:
- 4148, target 2864, WerFault.exe, procid_target 75
- 5004, target 2140, WerFault.exe, procid_target 77

Suspicious behavior: EnumeratesProcesses 2 IoCs
pid / Process:
- 4248 q3297704.exe
- 4248 q3297704.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
description / pid / Process:
- Token: SeDebugPrivilege; 4248 q3297704.exe

Suspicious use of WriteProcessMemory 27 IoCs
description / pid / Process / procid_target (identical rows collapsed, repeat count in brackets):
- PID 428 wrote to memory of 4820; 428 eace3fab640275bbd8840aa1413c2a0ee920ed2a3027432ff39be28e78586e50.exe, procid_target 70 [3 rows]
- PID 4820 wrote to memory of 424; 4820 z6942079.exe, procid_target 71 [3 rows]
- PID 424 wrote to memory of 4676; 424 z7413504.exe, procid_target 72 [3 rows]
- PID 4676 wrote to memory of 1020; 4676 z4684420.exe, procid_target 73 [3 rows]
- PID 1020 wrote to memory of 4248; 1020 z1668808.exe, procid_target 74 [2 rows]
- PID 1020 wrote to memory of 2864; 1020 z1668808.exe, procid_target 75 [3 rows]
- PID 2864 wrote to memory of 2140; 2864 r3699752.exe, procid_target 77 [10 rows]
Processes
- C:\Users\Admin\AppData\Local\Temp\eace3fab640275bbd8840aa1413c2a0ee920ed2a3027432ff39be28e78586e50.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\eace3fab640275bbd8840aa1413c2a0ee920ed2a3027432ff39be28e78586e50.exe"
  PID:428
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6942079.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6942079.exe
    PID:4820
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7413504.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7413504.exe
      PID:424
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4684420.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4684420.exe
        PID:4676
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1668808.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1668808.exe
          PID:1020
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3297704.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3297704.exe
            PID:4248
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3699752.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3699752.exe
            PID:2864
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              PID:2140
              - C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 568
                PID:5004
                - Program crash
            - C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 228
              PID:4148
              - Program crash
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Create or Modify System Process 1
Windows Service 1
Downloads