Analysis

  • max time kernel
    120s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64 arch:x86 image:win7-20230831-en locale:en-us os:windows7-x64 system
  • submitted
    11/10/2023, 20:18

General

  • Target

    8daaf9b436e710aa5de5bb9f8dd344c137ea24b7d8ca1e4e62774af63529618e.exe

  • Size

    1.3MB

  • MD5

    ca0191c93a902037bc3b04de455f482b

  • SHA1

    3975f57942eff951b2f7d6ef93c44ffb03a13f74

  • SHA256

    8daaf9b436e710aa5de5bb9f8dd344c137ea24b7d8ca1e4e62774af63529618e

  • SHA512

    71bd87a391ccd72728bfd4abae171393f083641e88bff5301d5c77ec1afaa4094356d88ad537bbdfc2dc05ff58306a2130dfdc5afa5b7a40c9b8433ea3efde2c

  • SSDEEP

    24576:Aylf7zHoP28csXxIX7GX0mfFxkerVVJJUzlhlyi18:HlDMWQxCHIxdVJJUzz

Malware Config

Signatures

  • Detects Healer, an antivirus disabler dropper 5 IoCs
  • Healer

    Healer, an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 17 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8daaf9b436e710aa5de5bb9f8dd344c137ea24b7d8ca1e4e62774af63529618e.exe
    "C:\Users\Admin\AppData\Local\Temp\8daaf9b436e710aa5de5bb9f8dd344c137ea24b7d8ca1e4e62774af63529618e.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2392
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0901379.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0901379.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1528
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9663959.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9663959.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2212
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3916634.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3916634.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:2668
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0530508.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0530508.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:2584
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\v4245253.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\v4245253.exe
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Adds Run key to start application
              • Suspicious use of WriteProcessMemory
              PID:2760
              • C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\a5359428.exe
                C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\a5359428.exe
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:2484
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                  8⤵
                    PID:1776
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                    8⤵
                    • Modifies Windows Defender Real-time Protection settings
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2512
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 280
                    8⤵
                    • Loads dropped DLL
                    • Program crash
                    PID:2612
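
The tree above is a six-deep unpacking chain: each stage runs from a fresh IXPnnn.TMP directory (the work directory an IExpress self-extracting package unpacks into) and ends in a5359428.exe, which carries the SetThreadContext and WriteProcessMemory signatures and starts two argument-less copies of AppLaunch.exe. Only the second child, PID 2512, goes on to modify the Defender Real-time Protection settings, and WerFault then reports a crash of the injector (-p 2484). The following Python, added here as an example and not part of the sandbox report, turns those observations into checks over constructed Sysmon-style process and registry events modelled on the tree. Assumptions: the event fields, the launching PID 1000, the specific Real-Time Protection values written (the report only says the settings were modified) and the .NET hosts other than AppLaunch.exe listed in NET_HOSTS.

```python
"""Checks for the dropper chain in the process tree above: added example, not part of
the report. Events are constructed Sysmon-style records modelled on that tree; the
launching PID 1000, the registry values and the extra .NET host names are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class RegEvent:  # SetValue-style event: writing process, full value path, data written
    pid: int
    key: str
    data: object


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
APPLAUNCH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
CHAIN = [  # (pid, ppid, path under %TEMP%) as shown in the report's process tree
    (2392, 1000, "8daaf9b436e710aa5de5bb9f8dd344c137ea24b7d8ca1e4e62774af63529618e.exe"),
    (1528, 2392, r"IXP000.TMP\v0901379.exe"),
    (2212, 1528, r"IXP001.TMP\v9663959.exe"),
    (2668, 2212, r"IXP002.TMP\v3916634.exe"),
    (2584, 2668, r"IXP003.TMP\v0530508.exe"),
    (2760, 2584, r"IXP004.TMP\v4245253.exe"),
    (2484, 2760, r"IXP005.TMP\a5359428.exe"),
]
EVENTS: List[ProcEvent] = [ProcEvent(p, pp, TEMP + "\\" + r, TEMP + "\\" + r) for p, pp, r in CHAIN] + [
    ProcEvent(1776, 2484, APPLAUNCH, '"' + APPLAUNCH + '"'),  # no arguments: hollowing target
    ProcEvent(2512, 2484, APPLAUNCH, '"' + APPLAUNCH + '"'),
    ProcEvent(2612, 2484, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 280"),
]
RTP = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
REG_EVENTS: List[RegEvent] = [  # constructed; the report does not name the values written
    RegEvent(2512, RTP + r"\DisableRealtimeMonitoring", 1),
    RegEvent(2512, RTP + r"\DisableBehaviorMonitoring", 1),
    RegEvent(2512, RTP + r"\DisableIOAVProtection", 1),
    RegEvent(4000, RTP + r"\DisableRealtimeMonitoring", 0),  # re-enabling is not tampering
    RegEvent(4000, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd", "c:\\upd.exe"),
]

IXP_DIR = re.compile(r"\\IXP\d{3}\.TMP\\", re.IGNORECASE)  # IExpress work directories
RTP_PATH = "\\windows defender\\real-time protection\\"
# AppLaunch.exe is the host in the report; the rest are .NET utilities abused the same way.
NET_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}
WER_TARGET = re.compile(r"-p\s+(\d+)")


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def iexpress_chain_depth(events: List[ProcEvent]) -> int:
    """Longest parent->child run in which every process executes from an IXPnnn.TMP directory."""
    by_pid = {e.pid: e for e in events}
    memo: Dict[int, int] = {}

    def depth(e: ProcEvent) -> int:
        if e.pid not in memo:
            parent = by_pid.get(e.ppid)
            memo[e.pid] = (1 + (depth(parent) if parent else 0)) if IXP_DIR.search(e.image) else 0
        return memo[e.pid]

    return max((depth(e) for e in events), default=0)


def hollowed_net_hosts(events: List[ProcEvent]) -> List[Tuple[int, int]]:
    """(child, parent) pairs: a .NET host started with no arguments by a process in %TEMP%."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        bare = e.cmdline.strip().strip('"').lower() == e.image.lower()  # legitimate uses pass args
        parent = by_pid.get(e.ppid)
        if (_basename(e.image) in NET_HOSTS and bare and parent
                and "\\appdata\\local\\temp\\" in parent.image.lower()):
            hits.append((e.pid, e.ppid))
    return hits


def defender_rtp_tampering(reg_events: List[RegEvent]) -> List[Tuple[int, str]]:
    """Disable* values under the Real-Time Protection policy key written as 1."""
    return [(r.pid, r.key.rsplit("\\", 1)[-1]) for r in reg_events
            if RTP_PATH in r.key.lower()
            and r.key.rsplit("\\", 1)[-1].lower().startswith("disable") and r.data == 1]


def crashed_injectors(events: List[ProcEvent]) -> List[int]:
    """PIDs named by 'WerFault -p' that themselves spawned a hollowed host (2484 in the report)."""
    injectors = {ppid for _, ppid in hollowed_net_hosts(events)}
    found = [WER_TARGET.search(e.cmdline) for e in events if _basename(e.image) == "werfault.exe"]
    return [int(m.group(1)) for m in found if m and int(m.group(1)) in injectors]
```

Against real Sysmon data the same functions apply to Event ID 1 (process create) and Event ID 13 (registry value set) records. The chain-depth check is the cheap one to alert on at a threshold of 2 or more, since an installer that merely wraps one setup program yields a depth of 1; the hollowing check is the higher-confidence one, because the .NET hosts named in NET_HOSTS are not started with an empty command line by legitimate software.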

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0901379.exe

            Filesize

            1.2MB

            MD5

            fee121abddd1c71bbe004d6058b5e60f

            SHA1

            e0ba7d311f46a5af489b90e016c5f2732a17fb91

            SHA256

            31696040d8567dc7b943be6858b39bebe40c352d31f55f0dca91f94c5d75d112

            SHA512

            a6ad791e68e4128cb8c42e533d4c703d3f9731b35b232af39b1708c526abf07147c21b9e109179b339bab9d340237dfbdfd658345d0d4849076b7179754f9788

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9663959.exe

            Filesize

            946KB

            MD5

            a350293abef11cd92872d9b3f10b486f

            SHA1

            abe1041b69423f1a7eadfe123adca79382df68ec

            SHA256

            3bde1926ac89afd936886df23b76b9ba83a7f4af2880b406d93a68b465d628cc

            SHA512

            8dc313c7ae51cc9ebc4dcaa6889e193c114b3f1c2f054ea849f841dbd1e732c1aaf58eac86f0478d3724685cf8be7623c2fb2ebec8c471bdc2951cb4d2942f31

          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3916634.exe

            Filesize

            790KB

            MD5

            75079a47b5cbd44e102e29e2b444d9fd

            SHA1

            c4e285ff90d828aca3a19b9b2bd22583a34e0ed6

            SHA256

            a299d20c98991a692d1f176cccd235c28e5d0a5a180b6ea47c0a13fac9f5de2f

            SHA512

            481ac17972951b16c1c30796f267a222dda7d249b2cd79b2772f907e8cd70337ec303220c409e9bbcfd81f62c6b922b2fc58da82f56c24cb502390fcd89570cf

          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0530508.exe

            Filesize

            624KB

            MD5

            d1c642e8c91465cf78e114789f9fe25d

            SHA1

            198582cb0bd5fc585a781a428e1fa665e761c3ae

            SHA256

            99f3c8fc61ba785185be0decf1c430879f93e52df8ce055e1daac5cd0d50bee8

            SHA512

            9430b92d06585137997b2b14e1af842a5266f145d0fe32e5ec991fd3d3de1d7dd1731146c85942558147e41317c215e4fa1a415c91085ee5d8738f42350ef493

          • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\v4245253.exe

            Filesize

            350KB

            MD5

            67b2131ccd5af01341ce16158e95a61b

            SHA1

            546bc4878898e5d12e9a70e3999725d6d9c01d81

            SHA256

            599f8304035bcba4b15c0769834ecedf6c84c81ecf9349813e61587175597f01

            SHA512

            ba5610789eb1eff44a074e5710d449b345b05c026709c2f270d38b2d0cbcc14675128f4a5360bd3f9af4ee43663ca2eb89c9fd2281f992b479b03cd9b1f6de8e

          • C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\a5359428.exe

            Filesize

            251KB

            MD5

            24f4d96cad5a9eaaf41d4a05ba033f2e

            SHA1

            fcfc0e00b8930f2ccb2a8e964a5de4b249896a97

            SHA256

            b9e185ac8c77de488d5fce508f4b9f6d6a3ba75380fe06edd74d943740617ade

            SHA512

            8350b4caee30b801a361b231690a295580517f0a630a48dcb2fd58667f81b413323d818cada4c6113363705e1c0eec8bb0dbf3242d8b73a057c194edb4ab7743

          • \Users\Admin\AppData\Local\Temp\IXP000.TMP\v0901379.exe

            Filesize

            1.2MB

            MD5

            fee121abddd1c71bbe004d6058b5e60f

            SHA1

            e0ba7d311f46a5af489b90e016c5f2732a17fb91

            SHA256

            31696040d8567dc7b943be6858b39bebe40c352d31f55f0dca91f94c5d75d112

            SHA512

            a6ad791e68e4128cb8c42e533d4c703d3f9731b35b232af39b1708c526abf07147c21b9e109179b339bab9d340237dfbdfd658345d0d4849076b7179754f9788

          • \Users\Admin\AppData\Local\Temp\IXP001.TMP\v9663959.exe

            Filesize

            946KB

            MD5

            a350293abef11cd92872d9b3f10b486f

            SHA1

            abe1041b69423f1a7eadfe123adca79382df68ec

            SHA256

            3bde1926ac89afd936886df23b76b9ba83a7f4af2880b406d93a68b465d628cc

            SHA512

            8dc313c7ae51cc9ebc4dcaa6889e193c114b3f1c2f054ea849f841dbd1e732c1aaf58eac86f0478d3724685cf8be7623c2fb2ebec8c471bdc2951cb4d2942f31

          • \Users\Admin\AppData\Local\Temp\IXP002.TMP\v3916634.exe

            Filesize

            790KB

            MD5

            75079a47b5cbd44e102e29e2b444d9fd

            SHA1

            c4e285ff90d828aca3a19b9b2bd22583a34e0ed6

            SHA256

            a299d20c98991a692d1f176cccd235c28e5d0a5a180b6ea47c0a13fac9f5de2f

            SHA512

            481ac17972951b16c1c30796f267a222dda7d249b2cd79b2772f907e8cd70337ec303220c409e9bbcfd81f62c6b922b2fc58da82f56c24cb502390fcd89570cf

          • \Users\Admin\AppData\Local\Temp\IXP003.TMP\v0530508.exe

            Filesize

            624KB

            MD5

            d1c642e8c91465cf78e114789f9fe25d

            SHA1

            198582cb0bd5fc585a781a428e1fa665e761c3ae

            SHA256

            99f3c8fc61ba785185be0decf1c430879f93e52df8ce055e1daac5cd0d50bee8

            SHA512

            9430b92d06585137997b2b14e1af842a5266f145d0fe32e5ec991fd3d3de1d7dd1731146c85942558147e41317c215e4fa1a415c91085ee5d8738f42350ef493

          • \Users\Admin\AppData\Local\Temp\IXP004.TMP\v4245253.exe

            Filesize

            350KB

            MD5

            67b2131ccd5af01341ce16158e95a61b

            SHA1

            546bc4878898e5d12e9a70e3999725d6d9c01d81

            SHA256

            599f8304035bcba4b15c0769834ecedf6c84c81ecf9349813e61587175597f01

            SHA512

            ba5610789eb1eff44a074e5710d449b345b05c026709c2f270d38b2d0cbcc14675128f4a5360bd3f9af4ee43663ca2eb89c9fd2281f992b479b03cd9b1f6de8e

          • \Users\Admin\AppData\Local\Temp\IXP005.TMP\a5359428.exe

            Filesize

            251KB

            MD5

            24f4d96cad5a9eaaf41d4a05ba033f2e

            SHA1

            fcfc0e00b8930f2ccb2a8e964a5de4b249896a97

            SHA256

            b9e185ac8c77de488d5fce508f4b9f6d6a3ba75380fe06edd74d943740617ade

            SHA512

            8350b4caee30b801a361b231690a295580517f0a630a48dcb2fd58667f81b413323d818cada4c6113363705e1c0eec8bb0dbf3242d8b73a057c194edb4ab7743

          • memory/2512-64-0x0000000000400000-0x000000000040A000-memory.dmp

            Filesize

            40KB

          • memory/2512-68-0x0000000000400000-0x000000000040A000-memory.dmp

            Filesize

            40KB

          • memory/2512-70-0x0000000000400000-0x000000000040A000-memory.dmp

            Filesize

            40KB

          • memory/2512-72-0x0000000000400000-0x000000000040A000-memory.dmp

            Filesize

            40KB

          • memory/2512-67-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

            Filesize

            4KB

          • memory/2512-65-0x0000000000400000-0x000000000040A000-memory.dmp

            Filesize

            40KB

          • memory/2512-66-0x0000000000400000-0x000000000040A000-memory.dmp

            Filesize

            40KB

          • memory/2512-63-0x0000000000400000-0x000000000040A000-memory.dmp

            Filesize

            40KB
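
The Downloads list above names each dropped file more than once and again under a drive-less path, and the dropped files shrink stage by stage (1.2MB, 946KB, 790KB, 624KB, 350KB, 251KB) as each layer sheds its wrapper, with a5359428.exe as the final payload. The following Python, added here as an example and not code from the sandbox, collapses the list to one record per SHA-256, orders the records as the process tree ran them, resolves hashes copied from other tools regardless of case, and emits an exact-hash YARA rule. The hashes are the ones on this page (one of the repeated entries is kept deliberately to show the deduplication); the Drop type, the function names and the bytes hashed in the usage are constructions.

```python
"""IOC handling for the files listed under Downloads above: added example, not code from
the sandbox. Hashes are copied from the report (one of its repeated entries is kept on
purpose to show deduplication); any bytes hashed by match_bytes here are constructed."""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Drop:
    path: str
    size: str
    md5: str
    sha256: str


SAMPLE = "8daaf9b436e710aa5de5bb9f8dd344c137ea24b7d8ca1e4e62774af63529618e"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
REPORT_DROPS: List[Drop] = [
    Drop(TEMP + "\\" + SAMPLE + ".exe", "1.3MB", "ca0191c93a902037bc3b04de455f482b", SAMPLE),
    Drop(TEMP + r"\IXP000.TMP\v0901379.exe", "1.2MB", "fee121abddd1c71bbe004d6058b5e60f",
         "31696040d8567dc7b943be6858b39bebe40c352d31f55f0dca91f94c5d75d112"),
    # The report logs the same file again under a drive-less path: a duplicate, not a new IOC.
    Drop(r"\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0901379.exe", "1.2MB",
         "fee121abddd1c71bbe004d6058b5e60f",
         "31696040d8567dc7b943be6858b39bebe40c352d31f55f0dca91f94c5d75d112"),
    Drop(TEMP + r"\IXP001.TMP\v9663959.exe", "946KB", "a350293abef11cd92872d9b3f10b486f",
         "3bde1926ac89afd936886df23b76b9ba83a7f4af2880b406d93a68b465d628cc"),
    Drop(TEMP + r"\IXP002.TMP\v3916634.exe", "790KB", "75079a47b5cbd44e102e29e2b444d9fd",
         "a299d20c98991a692d1f176cccd235c28e5d0a5a180b6ea47c0a13fac9f5de2f"),
    Drop(TEMP + r"\IXP003.TMP\v0530508.exe", "624KB", "d1c642e8c91465cf78e114789f9fe25d",
         "99f3c8fc61ba785185be0decf1c430879f93e52df8ce055e1daac5cd0d50bee8"),
    Drop(TEMP + r"\IXP004.TMP\v4245253.exe", "350KB", "67b2131ccd5af01341ce16158e95a61b",
         "599f8304035bcba4b15c0769834ecedf6c84c81ecf9349813e61587175597f01"),
    Drop(TEMP + r"\IXP005.TMP\a5359428.exe", "251KB", "24f4d96cad5a9eaaf41d4a05ba033f2e",
         "b9e185ac8c77de488d5fce508f4b9f6d6a3ba75380fe06edd74d943740617ade"),
]


def unique_iocs(drops: List[Drop]) -> Dict[str, Drop]:
    """Deduplicate by SHA-256; the first path seen for a hash is the one kept."""
    out: Dict[str, Drop] = {}
    for d in drops:
        out.setdefault(d.sha256.lower(), d)
    return out


def stage_index(path: str) -> int:
    """Position in the unpack chain: -1 for the submitted sample, then IXP000..IXP005."""
    m = re.search(r"\\IXP(\d{3})\.TMP\\", path, re.IGNORECASE)
    return int(m.group(1)) if m else -1


def chain_order(iocs: Dict[str, Drop]) -> List[Drop]:
    """Drops in the order the process tree executed them."""
    return sorted(iocs.values(), key=lambda d: stage_index(d.path))


def lookup(hash_value: str, iocs: Dict[str, Drop]) -> Optional[Drop]:
    """Match an MD5 or SHA-256 copied from another tool, whatever its letter case."""
    h = hash_value.strip().lower()
    if h in iocs:
        return iocs[h]
    return next((d for d in iocs.values() if d.md5.lower() == h), None)


def match_bytes(data: bytes, iocs: Dict[str, Drop]) -> Optional[Drop]:
    """Hash file contents and look them up; useful for quarantined copies with renamed paths."""
    return lookup(hashlib.sha256(data).hexdigest(), iocs)


def yara_hash_rule(iocs: Dict[str, Drop], name: str = "healer_dropper_chain_hashes") -> str:
    """Emit a YARA rule on the hash module. Exact hashes only: it catches re-use of these
    files, not the next build of the dropper, so pair it with behavioural detection."""
    conds = " or\n        ".join(f'hash.sha256(0, filesize) == "{h}"' for h in sorted(iocs))
    return f'import "hash"\n\nrule {name}\n{{\n    condition:\n        {conds}\n}}\n'
```

chain_order is the bridge between this list and the process tree: the IXP index in each path is the stage number, so the sorted output reads in the same order as the tree's PIDs 2392, 1528, 2212, 2668, 2584, 2760, 2484. The emitted rule deliberately carries only SHA-256 conditions; the MD5 values are kept for lookup because some tooling still reports only MD5, not because they are sound identifiers on their own.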