Analysis
- max time kernel: 185s
- max time network: 213s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/10/2023, 07:44
Static task: static1

Behavioral task: behavioral1
- Sample: 2f8ebf3780fa620a5e0e70147ac07fb96250ce99c638b16376d84942997ca78c.exe
- Resource: win7-20230831-en

Behavioral task: behavioral2
- Sample: 2f8ebf3780fa620a5e0e70147ac07fb96250ce99c638b16376d84942997ca78c.exe
- Resource: win10v2004-20230915-en
General
- Target: 2f8ebf3780fa620a5e0e70147ac07fb96250ce99c638b16376d84942997ca78c.exe
- Size: 1.3MB
- MD5: b06f77d6b8b16816481d0991540f623c
- SHA1: 090fa8432f22955781fe9eddec1b3337c080a074
- SHA256: 2f8ebf3780fa620a5e0e70147ac07fb96250ce99c638b16376d84942997ca78c
- SHA512: e2042f7473d6b5f0c60490135364e437abfcb17a53536b9cb40c4bcf97e7dc4c7d1fd6b624f3caf681ad22016e5bb0f1307151192c57f123d60cb02839483a14
- SSDEEP: 24576:TySwGbS6wmVr8EJ7cshwka69L+vzU4D04M3GhV0yzePfqyKYiESk/coWcN5Gay7n:mRGbS6w6rDJ7csh1L+vzh0rWeE0/FWcy
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (3 IoCs)

| resource | yara_rule |
|---|---|
| behavioral2/files/0x000800000002320d-33.dat | healer |
| behavioral2/files/0x000800000002320d-34.dat | healer |
| behavioral2/memory/1372-35-0x0000000000E70000-0x0000000000E7A000-memory.dmp | healer |

Modifies Windows Defender Real-time Protection settings

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | q4653566.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | q4653566.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | q4653566.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | q4653566.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | q4653566.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | q4653566.exe |

Executes dropped EXE (6 IoCs)

| pid | Process |
|---|---|
| 3484 | z4551336.exe |
| 4280 | z0878074.exe |
| 3124 | z9818545.exe |
| 1524 | z3178158.exe |
| 1372 | q4653566.exe |
| 4432 | r8841159.exe |

Windows security modification

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | q4653566.exe |

Adds Run key to start application (2 TTPs, 5 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | z9818545.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | z3178158.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 2f8ebf3780fa620a5e0e70147ac07fb96250ce99c638b16376d84942997ca78c.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | z4551336.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | z0878074.exe |

Suspicious use of SetThreadContext (1 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 4432 set thread context of 1968 | 4432 | r8841159.exe | 98 |

Program crash (2 IoCs)

| pid | pid_target | Process | procid_target |
|---|---|---|---|
| 3552 | 1968 | WerFault.exe | 98 |
| 4568 | 4432 | WerFault.exe | 96 |

Suspicious behavior: EnumeratesProcesses (2 IoCs)

| pid | Process |
|---|---|
| 1372 | q4653566.exe |
| 1372 | q4653566.exe |

Suspicious use of AdjustPrivilegeToken (1 IoCs)

| description | pid | Process |
|---|---|---|
| Token: SeDebugPrivilege | 1372 | q4653566.exe |

Suspicious use of WriteProcessMemory (27 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 3212 wrote to memory of 3484 | 3212 | 2f8ebf3780fa620a5e0e70147ac07fb96250ce99c638b16376d84942997ca78c.exe | 89 |
| PID 3212 wrote to memory of 3484 | 3212 | 2f8ebf3780fa620a5e0e70147ac07fb96250ce99c638b16376d84942997ca78c.exe | 89 |
| PID 3212 wrote to memory of 3484 | 3212 | 2f8ebf3780fa620a5e0e70147ac07fb96250ce99c638b16376d84942997ca78c.exe | 89 |
| PID 3484 wrote to memory of 4280 | 3484 | z4551336.exe | 90 |
| PID 3484 wrote to memory of 4280 | 3484 | z4551336.exe | 90 |
| PID 3484 wrote to memory of 4280 | 3484 | z4551336.exe | 90 |
| PID 4280 wrote to memory of 3124 | 4280 | z0878074.exe | 91 |
| PID 4280 wrote to memory of 3124 | 4280 | z0878074.exe | 91 |
| PID 4280 wrote to memory of 3124 | 4280 | z0878074.exe | 91 |
| PID 3124 wrote to memory of 1524 | 3124 | z9818545.exe | 92 |
| PID 3124 wrote to memory of 1524 | 3124 | z9818545.exe | 92 |
| PID 3124 wrote to memory of 1524 | 3124 | z9818545.exe | 92 |
| PID 1524 wrote to memory of 1372 | 1524 | z3178158.exe | 93 |
| PID 1524 wrote to memory of 1372 | 1524 | z3178158.exe | 93 |
| PID 1524 wrote to memory of 4432 | 1524 | z3178158.exe | 96 |
| PID 1524 wrote to memory of 4432 | 1524 | z3178158.exe | 96 |
| PID 1524 wrote to memory of 4432 | 1524 | z3178158.exe | 96 |
| PID 4432 wrote to memory of 1968 | 4432 | r8841159.exe | 98 |
| PID 4432 wrote to memory of 1968 | 4432 | r8841159.exe | 98 |
| PID 4432 wrote to memory of 1968 | 4432 | r8841159.exe | 98 |
| PID 4432 wrote to memory of 1968 | 4432 | r8841159.exe | 98 |
| PID 4432 wrote to memory of 1968 | 4432 | r8841159.exe | 98 |
| PID 4432 wrote to memory of 1968 | 4432 | r8841159.exe | 98 |
| PID 4432 wrote to memory of 1968 | 4432 | r8841159.exe | 98 |
| PID 4432 wrote to memory of 1968 | 4432 | r8841159.exe | 98 |
| PID 4432 wrote to memory of 1968 | 4432 | r8841159.exe | 98 |
| PID 4432 wrote to memory of 1968 | 4432 | r8841159.exe | 98 |
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\2f8ebf3780fa620a5e0e70147ac07fb96250ce99c638b16376d84942997ca78c.exe (PID 3212)
  cmd: "C:\Users\Admin\AppData\Local\Temp\2f8ebf3780fa620a5e0e70147ac07fb96250ce99c638b16376d84942997ca78c.exe"
  signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4551336.exe (PID 3484)
    cmd: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4551336.exe
    signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0878074.exe (PID 4280)
      cmd: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0878074.exe
      signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9818545.exe (PID 3124)
        cmd: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9818545.exe
        signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
        - [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3178158.exe (PID 1524)
          cmd: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3178158.exe
          signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
          - [6] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4653566.exe (PID 1372)
            cmd: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4653566.exe
            signatures: Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Windows security modification; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
          - [6] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r8841159.exe (PID 4432)
            cmd: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r8841159.exe
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
            - [7] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 1968)
              cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              - [8] C:\Windows\SysWOW64\WerFault.exe (PID 3552)
                cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 540
                signatures: Program crash
            - [7] C:\Windows\SysWOW64\WerFault.exe (PID 4568)
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 556
              signatures: Program crash
- [1] C:\Windows\SysWOW64\WerFault.exe (PID 3788)
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4432 -ip 4432
- [1] C:\Windows\SysWOW64\WerFault.exe (PID 4860)
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1968 -ip 1968
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
Downloads