Analysis
max time kernel: 149s
max time network: 158s
platform: windows10-1703_x64
resource: win10-20230831-en
resource tags: arch:x64, arch:x86, image:win10-20230831-en, locale:en-us, os:windows10-1703-x64, system
submitted: 03/10/2023, 12:17
Static task: static1
Behavioral task: behavioral1
Sample: dbce6bdd247474179db59137515436785eb03193f2ef51244d62b1d5762fd933.exe
Resource: win10-20230831-en
General
Target: dbce6bdd247474179db59137515436785eb03193f2ef51244d62b1d5762fd933.exe
Size: 1.4MB
MD5: 54c65e90d811108be950f37a489ea6fe
SHA1: 5e040f2eaa3e149e9e0e48ea83a96d1757b33fd2
SHA256: dbce6bdd247474179db59137515436785eb03193f2ef51244d62b1d5762fd933
SHA512: f5cdb7828b7efd20474fd459974d8760b4063b2b07258f07dd34a011672f0864a504165c07e5fbf5e377138335530bc79f04c23fae830978661e1854a6fb5ebd
SSDEEP: 24576:eypkM321g5jPOFwQ4Ts+NMztQMV05hKWGcN1aAID8yuRpPdq5JQPk/9w3Zqw+6Cy:tpki24GFwQcsdQU0TK5cN4nDQRpPdEM7
Malware Config
Signatures

Detects Healer, an antivirus disabler dropper (3 IoCs)
resource / yara_rule:
- behavioral1/files/0x000700000001afb0-26.dat (yara_rule: healer)
- behavioral1/files/0x000700000001afb0-27.dat (yara_rule: healer)
- behavioral1/memory/372-28-0x0000000000010000-0x000000000001A000-memory.dmp (yara_rule: healer)
Modifies Windows Defender Real-time Protection settings
description / ioc / Process:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (process: 1hi22Qx2.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (process: 1hi22Qx2.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (process: 1hi22Qx2.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (process: 1hi22Qx2.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (process: 1hi22Qx2.exe)
Executes dropped EXE (5 IoCs)
pid / Process:
- 2792 qZ0oP60.exe
- 3672 Yj1Cc63.exe
- 432 zZ4Lp23.exe
- 372 1hi22Qx2.exe
- 2320 2vK2667.exe
Windows security modification
description / ioc / Process:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" (process: 1hi22Qx2.exe)
Adds Run key to start application (2 TTPs, 4 IoCs)
description / ioc / Process:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: dbce6bdd247474179db59137515436785eb03193f2ef51244d62b1d5762fd933.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (process: qZ0oP60.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (process: Yj1Cc63.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" (process: zZ4Lp23.exe)

Suspicious use of SetThreadContext (1 IoC)
description / pid / Process / procid_target:
- PID 2320 set thread context of 4212 (2320 2vK2667.exe, procid_target 77)

Program crash (2 IoCs)
pid / pid_target / Process / procid_target:
- 4272 crashed 2320 (WerFault.exe, procid_target 74)
- 716 crashed 4212 (WerFault.exe, procid_target 77)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid / Process:
- 372 1hi22Qx2.exe
- 372 1hi22Qx2.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description / pid / Process:
- Token: SeDebugPrivilege (372 1hi22Qx2.exe)

Suspicious use of WriteProcessMemory (27 IoCs)
description / pid / Process / procid_target (identical events grouped, count in parentheses):
- PID 3708 wrote to memory of 2792 (3708 dbce6bdd247474179db59137515436785eb03193f2ef51244d62b1d5762fd933.exe, procid_target 70) (x3)
- PID 2792 wrote to memory of 3672 (2792 qZ0oP60.exe, procid_target 71) (x3)
- PID 3672 wrote to memory of 432 (3672 Yj1Cc63.exe, procid_target 72) (x3)
- PID 432 wrote to memory of 372 (432 zZ4Lp23.exe, procid_target 73) (x2)
- PID 432 wrote to memory of 2320 (432 zZ4Lp23.exe, procid_target 74) (x3)
- PID 2320 wrote to memory of 4416 (2320 2vK2667.exe, procid_target 76) (x3)
- PID 2320 wrote to memory of 4212 (2320 2vK2667.exe, procid_target 77) (x10)
Processes
(depth / image path / command line / PID / triggered signatures)

1. C:\Users\Admin\AppData\Local\Temp\dbce6bdd247474179db59137515436785eb03193f2ef51244d62b1d5762fd933.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\dbce6bdd247474179db59137515436785eb03193f2ef51244d62b1d5762fd933.exe"
   PID: 3708
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qZ0oP60.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qZ0oP60.exe
      PID: 2792
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yj1Cc63.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yj1Cc63.exe
         PID: 3672
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zZ4Lp23.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zZ4Lp23.exe
            PID: 432
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory

            5. C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1hi22Qx2.exe
               Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1hi22Qx2.exe
               PID: 372
               - Modifies Windows Defender Real-time Protection settings
               - Executes dropped EXE
               - Windows security modification
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of AdjustPrivilegeToken

            5. C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vK2667.exe
               Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vK2667.exe
               PID: 2320
               - Executes dropped EXE
               - Suspicious use of SetThreadContext
               - Suspicious use of WriteProcessMemory

               6. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                  PID: 4416

               6. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                  PID: 4212

                  7. C:\Windows\SysWOW64\WerFault.exe
                     Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 568
                     PID: 716
                     - Program crash

               6. C:\Windows\SysWOW64\WerFault.exe
                  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 592
                  PID: 4272
                  - Program crash
Network

MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads