Analysis
- max time kernel: 121s
- max time network: 141s
- platform: windows7_x64
- resource: win7-20231023-en
- resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
- submitted: 26-10-2023 02:07

Static task: static1

Behavioral task: behavioral1
- Sample: NEAS.9301cb162262c21467e409e34c083b10.exe
- Resource: win7-20231023-en

Behavioral task: behavioral2
- Sample: NEAS.9301cb162262c21467e409e34c083b10.exe
- Resource: win10v2004-20231023-en
General
- Target: NEAS.9301cb162262c21467e409e34c083b10.exe
- Size: 890KB
- MD5: 9301cb162262c21467e409e34c083b10
- SHA1: abcf1b431853b7115ae6091b591d5de7a93677ec
- SHA256: 2e1d54b8f901ca82b03038d7e5dd540ac9291ee4e641f4de787e628b930134c1
- SHA512: 8e891e9a6ad6b6375e46beb88ee82fbb681d5ef1299d52c2e0e88f22e53dfe25a4381560a51af169a327b80e56a7c7c7c6fb87efb31bb871ec6781d1f08318c3
- SSDEEP: 12288:bMrTy90OZT83eCKnvhpcxMrAevRsXeWIoJOLS6R8QxixFIFW76pSin5G/4ej:MyNZNCupcxMrAanWO+6KQA6n5Ah
Malware Config
Signatures

Detects Healer, an antivirus disabler dropper (5 IoCs)
Processes (resource / yara_rule):
- behavioral1/memory/2660-26-0x0000000000400000-0x000000000040A000-memory.dmp: healer
- behavioral1/memory/2660-25-0x0000000000400000-0x000000000040A000-memory.dmp: healer
- behavioral1/memory/2660-28-0x0000000000400000-0x000000000040A000-memory.dmp: healer
- behavioral1/memory/2660-30-0x0000000000400000-0x000000000040A000-memory.dmp: healer
- behavioral1/memory/2660-32-0x0000000000400000-0x000000000040A000-memory.dmp: healer

Modifies Windows Defender Real-time Protection settings
Processes (description / ioc / process):
- Key created: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (AppLaunch.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (AppLaunch.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (AppLaunch.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (AppLaunch.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (AppLaunch.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (AppLaunch.exe)

Executes dropped EXE (2 IoCs)
Processes (pid / process):
- 1532 z5140034.exe
- 1280 q0075553.exe

Loads dropped DLL (9 IoCs)
Processes (pid / process):
- 2740 NEAS.9301cb162262c21467e409e34c083b10.exe
- 1532 z5140034.exe (3 entries)
- 1280 q0075553.exe
- 2524 WerFault.exe (4 entries)

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description / ioc / process):
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (NEAS.9301cb162262c21467e409e34c083b10.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (z5140034.exe)

Suspicious use of SetThreadContext (1 IoC)
Processes (description / pid / process / target process):
- PID 1280 (q0075553.exe) set thread context of 2660 (AppLaunch.exe)

Program crash (1 IoC)
Processes (pid / pid_target / process / target process):
- 2524 WerFault.exe, target 1280 q0075553.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid / process):
- 2660 AppLaunch.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description / pid / process):
- Token: SeDebugPrivilege, 2660 AppLaunch.exe

Suspicious use of WriteProcessMemory (47 IoCs)
Processes (source pid / process, target pid / process, number of identical entries):
- PID 2740 NEAS.9301cb162262c21467e409e34c083b10.exe wrote to memory of 1532 z5140034.exe (7 entries)
- PID 1532 z5140034.exe wrote to memory of 1280 q0075553.exe (7 entries)
- PID 1280 q0075553.exe wrote to memory of 2516 AppLaunch.exe (7 entries)
- PID 1280 q0075553.exe wrote to memory of 1744 AppLaunch.exe (7 entries)
- PID 1280 q0075553.exe wrote to memory of 2660 AppLaunch.exe (12 entries)
- PID 1280 q0075553.exe wrote to memory of 2524 WerFault.exe (7 entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\NEAS.9301cb162262c21467e409e34c083b10.exe (PID 2740)
  command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.9301cb162262c21467e409e34c083b10.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5140034.exe (PID 1532)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5140034.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q0075553.exe (PID 1280)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q0075553.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 2516)
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      - [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 1744)
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      - [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 2660)
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        - Modifies Windows Defender Real-time Protection settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\SysWOW64\WerFault.exe (PID 2524)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 288
        - Loads dropped DLL
        - Program crash
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
Downloads
Two distinct files appear in the download list; the same hash set is reported repeatedly.

- Filesize: 499KB (4 entries)
  - MD5: 3abbfa448b60de10f3fbda079fc1ede1
  - SHA1: 9be3b2dc46377c0ce21809fffd2bd5a3b88a0b46
  - SHA256: ab46c18d29907aae620962f7302a257d3a5789cd8f58adc2191e1569ec2b64fc
  - SHA512: 604374b8fd993806979ac89d65e2710d542c4eed557623db1bb7eeac5b58c139115186d3f49d0b19cf64b0e03d7e2763d4fd9856197fdc2e76ae8a233ac37751

- Filesize: 860KB (10 entries)
  - MD5: 9fe4f348592f5abfac13127b76ee54af
  - SHA1: fb3a82f325d56a3e91613d90a253ea11f52c3033
  - SHA256: b07f17bac1312c58426b60c9779a8a6d74c7f4d746021b51438d5967374192dc
  - SHA512: 8d65124e66d310129d7c9ac3ab522e0d3df3567317292a486426e22f4edf135f31244983502e91849a408d458de252c3595a5647c19718daf3940a5f91143f59