Analysis

  • max time kernel
    141s
  • max time network
    104s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-05-2024 02:28

General

  • Target

    b74a498bb5f6e584e843e22186c25628e7a99618aedad1f4591eeb281e65928d.exe

  • Size

    259KB

  • MD5

    a19dcb9346ac053faf0fce3c04243ccc

  • SHA1

    64d68190051a952a8ff34eef787ffdb3b281a88f

  • SHA256

    b74a498bb5f6e584e843e22186c25628e7a99618aedad1f4591eeb281e65928d

  • SHA512

    e666ed56ba0bc9bcb6dd82ce89404dc7d4dd9629ad3fae2bb75ccdc8a59666305318a2c02e99bfedaff7091204d23fa2b7254efe1a72cf4c6f4bd7cec4affdc8

  • SSDEEP

    3072:EQyJn+7EuQKTqpv9f9jgn6G1hL4AS2OkOhlUEArocsFFs2uxoplbdPaKDv9y3L5o:V4n+7CKo9f9sTH4kOk6ArockNQKJbW

Signatures

  • Detects Healer, an antivirus disabler dropper (18 IoCs)
  • Healer (Healer, an antivirus disabler dropper)
  • Modifies Windows Defender Real-time Protection settings (3 TTPs, 6 IoCs)
  • Detects executables embedding registry key / value combination indicative of disabling Windows Defender features (18 IoCs)
  • Windows security modification (2 TTPs, 2 IoCs)
  • Program crash (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\b74a498bb5f6e584e843e22186c25628e7a99618aedad1f4591eeb281e65928d.exe (depth 1, PID:2568)
    Command line: "C:\Users\Admin\AppData\Local\Temp\b74a498bb5f6e584e843e22186c25628e7a99618aedad1f4591eeb281e65928d.exe"
    • Modifies Windows Defender Real-time Protection settings
    • Windows security modification
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • C:\Windows\SysWOW64\WerFault.exe (depth 2, PID:3608)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 948
      • Program crash
  • C:\Windows\SysWOW64\WerFault.exe (depth 1, PID:1028)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2568 -ip 2568

Downloads

Memory dumps taken from PID 2568 (dump name / filesize):

  • memory/2568-1-0x0000000000690000-0x0000000000790000-memory.dmp / 1024KB
  • memory/2568-2-0x0000000001FA0000-0x0000000001FCD000-memory.dmp / 180KB
  • memory/2568-3-0x0000000000400000-0x0000000000455000-memory.dmp / 340KB
  • memory/2568-4-0x0000000004AD0000-0x0000000004AEA000-memory.dmp / 104KB
  • memory/2568-5-0x0000000074780000-0x0000000074F30000-memory.dmp / 7.7MB
  • memory/2568-6-0x0000000004CB0000-0x0000000004CC0000-memory.dmp / 64KB
  • memory/2568-7-0x0000000004CB0000-0x0000000004CC0000-memory.dmp / 64KB
  • memory/2568-8-0x0000000004CC0000-0x0000000005264000-memory.dmp / 5.6MB
  • memory/2568-9-0x0000000004B30000-0x0000000004B48000-memory.dmp / 96KB
  • memory/2568-10-0x0000000004B30000-0x0000000004B43000-memory.dmp / 76KB
  • memory/2568-11-0x0000000004B30000-0x0000000004B43000-memory.dmp / 76KB
  • memory/2568-13-0x0000000004B30000-0x0000000004B43000-memory.dmp / 76KB
  • memory/2568-15-0x0000000004B30000-0x0000000004B43000-memory.dmp / 76KB
  • memory/2568-17-0x0000000004B30000-0x0000000004B43000-memory.dmp / 76KB
  • memory/2568-19-0x0000000004B30000-0x0000000004B43000-memory.dmp / 76KB
  • memory/2568-21-0x0000000004B30000-0x0000000004B43000-memory.dmp / 76KB
  • memory/2568-23-0x0000000004B30000-0x0000000004B43000-memory.dmp / 76KB
  • memory/2568-26-0x0000000004B30000-0x0000000004B43000-memory.dmp / 76KB
  • memory/2568-27-0x0000000004B30000-0x0000000004B43000-memory.dmp / 76KB
  • memory/2568-29-0x0000000004B30000-0x0000000004B43000-memory.dmp / 76KB
  • memory/2568-31-0x0000000004B30000-0x0000000004B43000-memory.dmp / 76KB
  • memory/2568-33-0x0000000004B30000-0x0000000004B43000-memory.dmp / 76KB
  • memory/2568-35-0x0000000004B30000-0x0000000004B43000-memory.dmp / 76KB
  • memory/2568-37-0x0000000004B30000-0x0000000004B43000-memory.dmp / 76KB
  • memory/2568-40-0x0000000000400000-0x0000000000455000-memory.dmp / 340KB
  • memory/2568-41-0x0000000074780000-0x0000000074F30000-memory.dmp / 7.7MB