Analysis

  • max time kernel
    162s
  • max time network
    164s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags
    arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-10-2023 13:26

General

  • Target

    253cf2e468f003abca34a109687df714ce512f78ee244111d890064876f1eb3b.exe

  • Size

    1.1MB

  • MD5

    c859a24f59a7655deeedc8c94545cd80

  • SHA1

    b4b35591db4285ef349810e1517cadea95e944cf

  • SHA256

    253cf2e468f003abca34a109687df714ce512f78ee244111d890064876f1eb3b

  • SHA512

    b3f9ddea6ef11e3f89460b047c3d017c8d098839f037e9f9a89c3c9d12dfc03e778619aaa4d21cfaf6c872526e04b6f15da13dc78d06b891d80033b0c53ff9a6

  • SSDEEP

    24576:KyYXRr82GfoFjk7ZqUGdqH+CcfW0AMRb5SseqoDt:Rsp82GfMdw0AMD8q

Signatures

  • Detects Healer an antivirus disabler dropper 5 IoCs
  • Healer

    Healer, an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 15 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\253cf2e468f003abca34a109687df714ce512f78ee244111d890064876f1eb3b.exe
    "C:\Users\Admin\AppData\Local\Temp\253cf2e468f003abca34a109687df714ce512f78ee244111d890064876f1eb3b.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2756
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6451733.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6451733.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2912
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3485687.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3485687.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2796
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9999292.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9999292.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:2672
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3242654.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3242654.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:2516
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3069280.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3069280.exe
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:3000
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                7⤵
                • Modifies Windows Defender Real-time Protection settings
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2484
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 272
                7⤵
                • Loads dropped DLL
                • Program crash
                PID:2884

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6451733.exe

    Filesize

    998KB

    MD5

    cbda39ed4b320cb8ae3119fad8dc2867

    SHA1

    4f0159172a3c5ed234e195866f97ea94c8948299

    SHA256

    b4722354cee9b8a19d072bcbaa25ff7c5105027d839e2dc900d4b77827a3a9ce

    SHA512

    27cca654ff55b124098c8cc2fea37fdc1050370d8aa8a542b92424145c62ac573b9d87add309e6b5879212bcedacd5cf4ef6f727450c7808b26fcf0412d66d85

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3485687.exe

    Filesize

    815KB

    MD5

    f236b09860bc62082e65d4d39f827e34

    SHA1

    d31b043e24f4e68a4923731acd4ab2f2b6c837d0

    SHA256

    8c690ab2361c27c77bd013c55455d762fa596cdc044fb574c18440c392afc495

    SHA512

    e2cc317be5e9e98edb5e3164939c5275078785869dfc8a1cc24dd7195474f818269016997f7cb8674e7e18745b8ea8b549031da4a6435a35c89acc73141e1c93

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9999292.exe

    Filesize

    631KB

    MD5

    b929585d1c56258d72649de08015a084

    SHA1

    40b5ef56cd5123fe064b54fa56b004d102b85461

    SHA256

    0561bb1958d2f9f21076981950fe8041d5ea30d5c1d8b5d9c02bb5a918812bc5

    SHA512

    01d8a05ea31d7ff0f3bfb0c14373e9b57d0712432269c4b9439ea7210525454b97d982fb24bea0d0488cb384f420b4040e6afeff1021d39968b44c923ec41859

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3242654.exe

    Filesize

    354KB

    MD5

    c57a81d84223d6449f4ffac518d2a4ed

    SHA1

    483d3973e9abea8dc14b466ddb5cae177d95d62c

    SHA256

    fb83886d9e784691bb8acccdc76c3fc64ff949c8d6697acde14a78015589846f

    SHA512

    3c874338d2ca5a9b3f10ea11719c6a20906b1e5fc2859760edfeb1e537be17a7f88357cad75a66a150b6e402680175b56ec819ec50a3c95b2f797eb813286a10

  • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3069280.exe

    Filesize

    250KB

    MD5

    7bfa8d4684d4c82291b5b8c534407bbd

    SHA1

    354bf019bdd4a97589b871069a958237bcdfde3f

    SHA256

    9368df0b937003f8a8f65aa7a7896ec093d83f260201f3a82eeb086fbc23e872

    SHA512

    4772faf71736e72781db568b0b613fd3b34d0069bb48884c246644ef6a63fb92b266e3b7b910070a7f7a1559a9dd679986884c1a29512bf9b49ed4651ff70f70

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\z6451733.exe

    Filesize

    998KB

    MD5

    cbda39ed4b320cb8ae3119fad8dc2867

    SHA1

    4f0159172a3c5ed234e195866f97ea94c8948299

    SHA256

    b4722354cee9b8a19d072bcbaa25ff7c5105027d839e2dc900d4b77827a3a9ce

    SHA512

    27cca654ff55b124098c8cc2fea37fdc1050370d8aa8a542b92424145c62ac573b9d87add309e6b5879212bcedacd5cf4ef6f727450c7808b26fcf0412d66d85

  • \Users\Admin\AppData\Local\Temp\IXP001.TMP\z3485687.exe

    Filesize

    815KB

    MD5

    f236b09860bc62082e65d4d39f827e34

    SHA1

    d31b043e24f4e68a4923731acd4ab2f2b6c837d0

    SHA256

    8c690ab2361c27c77bd013c55455d762fa596cdc044fb574c18440c392afc495

    SHA512

    e2cc317be5e9e98edb5e3164939c5275078785869dfc8a1cc24dd7195474f818269016997f7cb8674e7e18745b8ea8b549031da4a6435a35c89acc73141e1c93

  • \Users\Admin\AppData\Local\Temp\IXP002.TMP\z9999292.exe

    Filesize

    631KB

    MD5

    b929585d1c56258d72649de08015a084

    SHA1

    40b5ef56cd5123fe064b54fa56b004d102b85461

    SHA256

    0561bb1958d2f9f21076981950fe8041d5ea30d5c1d8b5d9c02bb5a918812bc5

    SHA512

    01d8a05ea31d7ff0f3bfb0c14373e9b57d0712432269c4b9439ea7210525454b97d982fb24bea0d0488cb384f420b4040e6afeff1021d39968b44c923ec41859

  • \Users\Admin\AppData\Local\Temp\IXP003.TMP\z3242654.exe

    Filesize

    354KB

    MD5

    c57a81d84223d6449f4ffac518d2a4ed

    SHA1

    483d3973e9abea8dc14b466ddb5cae177d95d62c

    SHA256

    fb83886d9e784691bb8acccdc76c3fc64ff949c8d6697acde14a78015589846f

    SHA512

    3c874338d2ca5a9b3f10ea11719c6a20906b1e5fc2859760edfeb1e537be17a7f88357cad75a66a150b6e402680175b56ec819ec50a3c95b2f797eb813286a10

  • \Users\Admin\AppData\Local\Temp\IXP004.TMP\q3069280.exe

    Filesize

    250KB

    MD5

    7bfa8d4684d4c82291b5b8c534407bbd

    SHA1

    354bf019bdd4a97589b871069a958237bcdfde3f

    SHA256

    9368df0b937003f8a8f65aa7a7896ec093d83f260201f3a82eeb086fbc23e872

    SHA512

    4772faf71736e72781db568b0b613fd3b34d0069bb48884c246644ef6a63fb92b266e3b7b910070a7f7a1559a9dd679986884c1a29512bf9b49ed4651ff70f70

  • memory/2484-57-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

  • memory/2484-55-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

  • memory/2484-64-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

  • memory/2484-66-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

  • memory/2484-62-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

  • memory/2484-59-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

  • memory/2484-61-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

    Filesize

    4KB

  • memory/2484-53-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB