Malware Analysis Report

2024-10-16 03:50

Sample ID 240430-wxw88acg6w
Target 04ccc94ffe962e255e62c1a95914c62569b16af49feea119bd9d7a36e0feb37c
SHA256 04ccc94ffe962e255e62c1a95914c62569b16af49feea119bd9d7a36e0feb37c
Tags
healer dropper evasion persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

04ccc94ffe962e255e62c1a95914c62569b16af49feea119bd9d7a36e0feb37c

Threat Level: Known bad

The file 04ccc94ffe962e255e62c1a95914c62569b16af49feea119bd9d7a36e0feb37c was found to be: Known bad.

Malicious Activity Summary

healer dropper evasion persistence trojan

Healer

Detects Healer an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-30 18:18

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-30 18:18

Reported

2024-04-30 18:21

Platform

win10v2004-20240419-en

Max time kernel

62s

Max time network

52s

Command Line

"C:\Users\Admin\AppData\Local\Temp\04ccc94ffe962e255e62c1a95914c62569b16af49feea119bd9d7a36e0feb37c.exe"

Signatures

Detects Healer an antivirus disabler dropper

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\283533626.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\283533626.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\283533626.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\283533626.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\161491743.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\161491743.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\161491743.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\283533626.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\161491743.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\161491743.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\161491743.exe | N/A

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\161491743.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\283533626.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\161491743.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\161491743.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\283533626.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\04ccc94ffe962e255e62c1a95914c62569b16af49feea119bd9d7a36e0feb37c.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\161491743.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\283533626.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\04ccc94ffe962e255e62c1a95914c62569b16af49feea119bd9d7a36e0feb37c.exe

"C:\Users\Admin\AppData\Local\Temp\04ccc94ffe962e255e62c1a95914c62569b16af49feea119bd9d7a36e0feb37c.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\161491743.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\161491743.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\283533626.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\283533626.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3928 -ip 3928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 1080

Network

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\161491743.exe

MD5 ea5962c6896c58b0c43e396f1c7a2960
SHA1 c499a98d0db2cd886559364727a4f8aa0355d7bb
SHA256 72ba5705fc6129976f5b7940e302b1fe45d28d40290f96cc4876958ad369f4ca
SHA512 8c635383330d9ca3ff4195164fed13fcbfde5e0f5392e34378d0118658d4042d4f43731f21825242f51b73a36aeda031845b2ebbae78868912c45438685f8558

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\283533626.exe

MD5 1e9dc1b0c2d04b90843dc698ab159f91
SHA1 da9a5344cf089916e15dbad341b9d450af9ad0be
SHA256 f3bf0d39dd835a1d31d94200d74922979ccb5ae6c97a50a73133de98655c4e15
SHA512 0b15f25cbdae011ef81ad10af1a2c4157f2a643b1f4b8b7ab36d599ccce8abafc8276655616700316bb83d7cfd21dcb6671d702454f074249882aa2c4430de54
