Analysis

  • max time kernel: 121s
  • max time network: 141s
  • platform: windows7_x64
  • resource: win7-20231023-en
  • resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
  • submitted: 26-10-2023 02:07

General

  • Target: NEAS.9301cb162262c21467e409e34c083b10.exe
  • Size: 890KB
  • MD5: 9301cb162262c21467e409e34c083b10
  • SHA1: abcf1b431853b7115ae6091b591d5de7a93677ec
  • SHA256: 2e1d54b8f901ca82b03038d7e5dd540ac9291ee4e641f4de787e628b930134c1
  • SHA512: 8e891e9a6ad6b6375e46beb88ee82fbb681d5ef1299d52c2e0e88f22e53dfe25a4381560a51af169a327b80e56a7c7c7c6fb87efb31bb871ec6781d1f08318c3
  • SSDEEP: 12288:bMrTy90OZT83eCKnvhpcxMrAevRsXeWIoJOLS6R8QxixFIFW76pSin5G/4ej:MyNZNCupcxMrAanWO+6KQA6n5Ah

Malware Config

Signatures

  • Detects Healer, an antivirus disabler dropper (5 IoCs)
  • Healer

    Healer, an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings (3 TTPs, 6 IoCs)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (9 IoCs)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Suspicious use of SetThreadContext (1 IoC)
  • Program crash (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (47 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.9301cb162262c21467e409e34c083b10.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.9301cb162262c21467e409e34c083b10.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2740
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5140034.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5140034.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1532
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q0075553.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q0075553.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1280
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          PID:2516
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          PID:1744
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2660
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 288
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:2524

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5140034.exe
    Filesize: 499KB
    MD5: 3abbfa448b60de10f3fbda079fc1ede1
    SHA1: 9be3b2dc46377c0ce21809fffd2bd5a3b88a0b46
    SHA256: ab46c18d29907aae620962f7302a257d3a5789cd8f58adc2191e1569ec2b64fc
    SHA512: 604374b8fd993806979ac89d65e2710d542c4eed557623db1bb7eeac5b58c139115186d3f49d0b19cf64b0e03d7e2763d4fd9856197fdc2e76ae8a233ac37751

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q0075553.exe
    Filesize: 860KB
    MD5: 9fe4f348592f5abfac13127b76ee54af
    SHA1: fb3a82f325d56a3e91613d90a253ea11f52c3033
    SHA256: b07f17bac1312c58426b60c9779a8a6d74c7f4d746021b51438d5967374192dc
    SHA512: 8d65124e66d310129d7c9ac3ab522e0d3df3567317292a486426e22f4edf135f31244983502e91849a408d458de252c3595a5647c19718daf3940a5f91143f59

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\z5140034.exe
    Filesize: 499KB
    MD5: 3abbfa448b60de10f3fbda079fc1ede1
    SHA1: 9be3b2dc46377c0ce21809fffd2bd5a3b88a0b46
    SHA256: ab46c18d29907aae620962f7302a257d3a5789cd8f58adc2191e1569ec2b64fc
    SHA512: 604374b8fd993806979ac89d65e2710d542c4eed557623db1bb7eeac5b58c139115186d3f49d0b19cf64b0e03d7e2763d4fd9856197fdc2e76ae8a233ac37751

  • \Users\Admin\AppData\Local\Temp\IXP001.TMP\q0075553.exe
    Filesize: 860KB
    MD5: 9fe4f348592f5abfac13127b76ee54af
    SHA1: fb3a82f325d56a3e91613d90a253ea11f52c3033
    SHA256: b07f17bac1312c58426b60c9779a8a6d74c7f4d746021b51438d5967374192dc
    SHA512: 8d65124e66d310129d7c9ac3ab522e0d3df3567317292a486426e22f4edf135f31244983502e91849a408d458de252c3595a5647c19718daf3940a5f91143f59

  • memory/2660-23-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize: 40KB
  • memory/2660-28-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize: 40KB
  • memory/2660-30-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize: 40KB
  • memory/2660-32-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize: 40KB
  • memory/2660-27-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
    Filesize: 4KB
  • memory/2660-25-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize: 40KB
  • memory/2660-26-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize: 40KB
  • memory/2660-24-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize: 40KB