Overview
Static (score 10)
- 01aa1629bc...16.exe, windows10-2004-x64 (score 3)
- 10c3a4b3e3...62.exe, windows10-2004-x64 (score 10)
- 12d321d9a6...0f.exe, windows10-2004-x64 (score 10)
- 2a2e3be04e...f7.exe, windows10-2004-x64 (score 10)
- 2bca03b9ef...e5.exe, windows10-2004-x64 (score 10)
- 2d2e176ff1...1c.exe, windows10-2004-x64 (score 10)
- 2d948afc82...ca.exe, windows10-2004-x64 (score 10)
- 2ec8f43232...da.exe, windows10-2004-x64 (score 10)
- 3a0ceb2aa8...f5.exe, windows10-2004-x64 (score 10)
- 3d5d854d7b...21.exe, windows10-2004-x64 (score 10)
- 68ab5c7a84...5d.exe, windows10-2004-x64 (score 10)
- 7732b3137a...d8.exe, windows10-2004-x64 (score 10)
- 7c81a593c9...95.exe, windows7-x64 (score 10)
- 7c81a593c9...95.exe, windows10-2004-x64 (score 3)
- 8a74314c35...5a.exe, windows10-2004-x64 (score 10)
- 9b03895e9b...54.exe, windows7-x64 (score 7)
- 9b03895e9b...54.exe, windows10-2004-x64 (score 3)
- a777a11027...76.exe, windows10-2004-x64 (score 10)
- c0dad59a3b...fd.exe, windows10-2004-x64 (score 10)
- de0b656af4...69.exe, windows10-2004-x64 (score 10)
- e0c981a9f2...55.exe, windows10-2004-x64 (score 10)
- e5410c580a...b5.exe, windows7-x64 (score 10)
- e5410c580a...b5.exe, windows10-2004-x64 (score 1)
Analysis (1)
- max time kernel: 148s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09-05-2024 11:56
Static task
- static1
Behavioral tasks
- behavioral1: 01aa1629bce01d1d882c10d835fa7765f2a247f51bcbf0d46b77b87362877916.exe (resource: win10v2004-20240426-en)
- behavioral2: 10c3a4b3e37a803bd0aa6309c39158c1cdc781b3496a972f062f1fe958597862.exe (resource: win10v2004-20240508-en)
- behavioral3: 12d321d9a66bfb909ca6ae3097f6aba39263be25c619d424b1dbefd373b20d0f.exe (resource: win10v2004-20240426-en)
- behavioral4: 2a2e3be04e8391170c3a71e198b45f6e45c085dff086c4e7b09748919fbeaef7.exe (resource: win10v2004-20240426-en)
- behavioral5: 2bca03b9ef1fd0076fbe6ffcb97d4378326e6bff7afa395802e5c93bf74f66e5.exe (resource: win10v2004-20240508-en)
- behavioral6: 2d2e176ff101b33e0adec2558415b76c1425ba9502c4b652c64b4751dd11181c.exe (resource: win10v2004-20240508-en)
- behavioral7: 2d948afc82e00dd1f60cb24271d2c482bc87f04e3f42bcd4147a3e017a974dca.exe (resource: win10v2004-20240508-en)
- behavioral8: 2ec8f4323279cbb3c829846c70e2e3b3f65d9d4591c18c17eb21dd76a257e0da.exe (resource: win10v2004-20240508-en)
- behavioral9: 3a0ceb2aa80172e3223e5154bd251fc1909cd353262609fa6bfeeb684d7761f5.exe (resource: win10v2004-20240426-en)
- behavioral10: 3d5d854d7b4667609b1a4eb70e50a6f99578a6ede0809793fc835cf2aebd7221.exe (resource: win10v2004-20240226-en)
- behavioral11: 68ab5c7a84977eb7379341d29d2b10434cfd4ae30fb2276c4973f5fa55a7e85d.exe (resource: win10v2004-20240508-en)
- behavioral12: 7732b3137a721cb543261e9c4ecb5c90b51aa6d810c2df0104df6b11e319dbd8.exe (resource: win10v2004-20240426-en)
- behavioral13: 7c81a593c9a2d9ab34fc28f1c121a9133b5584f0f4893ce3b51f6d7fdc040495.exe (resource: win7-20240221-en)
- behavioral14: 7c81a593c9a2d9ab34fc28f1c121a9133b5584f0f4893ce3b51f6d7fdc040495.exe (resource: win10v2004-20240426-en)
- behavioral15: 8a74314c35a7a341a4dec6d70e0d6801d49282a77f6ca44fee133e1d3ae7b45a.exe (resource: win10v2004-20240508-en)
- behavioral16: 9b03895e9b8629528bbb718f6ceab16387b6aba3cfa7fd7750d1372e383a7554.exe (resource: win7-20240220-en)
- behavioral17: 9b03895e9b8629528bbb718f6ceab16387b6aba3cfa7fd7750d1372e383a7554.exe (resource: win10v2004-20240508-en)
- behavioral18: a777a11027afe934646141f176344a5c05c946b740bea45e9684b9a8b98f6676.exe (resource: win10v2004-20240426-en)
- behavioral19: c0dad59a3bf41db6ecf798e4bdcef76482de14c96e0a17733413f0a05a686cfd.exe (resource: win10v2004-20240426-en)
- behavioral20: de0b656af41759ffa8477cd8c387f71b8e3cbddbc718028139d53bc1c6b95d69.exe (resource: win10v2004-20240508-en)
- behavioral21: e0c981a9f27b4ad406731c3e41ec4ff1248e97b375aacc1a4489a8065a22ed55.exe (resource: win10v2004-20240426-en)
- behavioral22: e5410c580a81399010c4afd0cb43116c8c6e79ed10a16ace6ca24b1180f130b5.exe (resource: win7-20240221-en)
- behavioral23: e5410c580a81399010c4afd0cb43116c8c6e79ed10a16ace6ca24b1180f130b5.exe (resource: win10v2004-20240426-en)
General
- Target: 2d2e176ff101b33e0adec2558415b76c1425ba9502c4b652c64b4751dd11181c.exe
- Size: 325KB
- MD5: a11dbc01603450452854f17aa7ea1eef
- SHA1: 18436f7c4a7a4477c0baa93ddc108babce9491bf
- SHA256: 2d2e176ff101b33e0adec2558415b76c1425ba9502c4b652c64b4751dd11181c
- SHA512: 1ac3b35ac7b8742c8eded217595f30ae25eff216409bddd3cc18809ff6e5d873c7feae6e1e3501dc02bebe2205f9f9e8db9718c76315b679ca8ce73aca2135bf
- SSDEEP: 6144:K+y+bnr+/p0yN90QEJR9FTYYX8K75Nq/srdzir8IkNO3O0sUBWd:mMrry90bzFFX8KVpirQMFBWd
Malware Config
Signatures
- Detects Healer an antivirus disabler dropper 3 IoCs
  resource / yara_rule:
  - behavioral6/memory/3008-15-0x0000000000560000-0x000000000059E000-memory.dmp: healer
  - behavioral6/files/0x0007000000023417-20.dat: healer
  - behavioral6/memory/3940-22-0x0000000000E70000-0x0000000000E7A000-memory.dmp: healer
- Modifies Windows Defender Real-time Protection settings 12 IoCs
  description / ioc / Process:
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (a2651355.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (a2651355.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (b7896309.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (b7896309.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (b7896309.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (b7896309.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (a2651355.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (a2651355.exe)
  - Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (b7896309.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (b7896309.exe)
  - Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (a2651355.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (a2651355.exe)
- Executes dropped EXE 2 IoCs
  pid / Process:
  - 3008 a2651355.exe
  - 3940 b7896309.exe
- Windows security modification 3 IoCs
  description / ioc / Process:
  - Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (a2651355.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (a2651355.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" (b7896309.exe)
- Adds Run key to start application 2 TTPs 1 IoCs
  description / ioc / Process:
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (2d2e176ff101b33e0adec2558415b76c1425ba9502c4b652c64b4751dd11181c.exe)
- Suspicious behavior: EnumeratesProcesses 4 IoCs
  pid / Process:
  - 3008 a2651355.exe
  - 3008 a2651355.exe
  - 3940 b7896309.exe
  - 3940 b7896309.exe
- Suspicious use of AdjustPrivilegeToken 2 IoCs
  description / pid / Process:
  - Token: SeDebugPrivilege (3008, a2651355.exe)
  - Token: SeDebugPrivilege (3940, b7896309.exe)
- Suspicious use of WriteProcessMemory 5 IoCs
  description / pid / Process / procid_target:
  - PID 1932 wrote to memory of 3008 (1932, 2d2e176ff101b33e0adec2558415b76c1425ba9502c4b652c64b4751dd11181c.exe, 82)
  - PID 1932 wrote to memory of 3008 (1932, 2d2e176ff101b33e0adec2558415b76c1425ba9502c4b652c64b4751dd11181c.exe, 82)
  - PID 1932 wrote to memory of 3008 (1932, 2d2e176ff101b33e0adec2558415b76c1425ba9502c4b652c64b4751dd11181c.exe, 82)
  - PID 1932 wrote to memory of 3940 (1932, 2d2e176ff101b33e0adec2558415b76c1425ba9502c4b652c64b4751dd11181c.exe, 88)
  - PID 1932 wrote to memory of 3940 (1932, 2d2e176ff101b33e0adec2558415b76c1425ba9502c4b652c64b4751dd11181c.exe, 88)
Processes
- C:\Users\Admin\AppData\Local\Temp\2d2e176ff101b33e0adec2558415b76c1425ba9502c4b652c64b4751dd11181c.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2d2e176ff101b33e0adec2558415b76c1425ba9502c4b652c64b4751dd11181c.exe"
  PID: 1932
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a2651355.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a2651355.exe
    PID: 3008
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b7896309.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b7896309.exe
    PID: 3940
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
Downloads
- Filesize: 294KB
  MD5: 175e3db636d9fd541cc11991815ea662
  SHA1: c5e30c78f298c1aa26768bc036795e19ed7e60d7
  SHA256: c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e
  SHA512: 06b1bc8a9746e8dfd1a4d72e98b8b76a1f543ae0c72c9e0233dce81451d7521f586da373e69459170a8d9442da4883f8247cfb9714227744c765c892583ac5c9
- Filesize: 11KB
  MD5: 06d9b8f9236b959006976da775fea5e7
  SHA1: 46d5c5e6a3e7de6138cd764509a6754ce24d9484
  SHA256: 77353ead4144432dfd0e8fc833c458c8b88fb5d6bf7c9818ac430be40983b7f5
  SHA512: ec0c6135f2b39d70cb35bd713d5fd9a0876055b46584f3535067f0f162be149024770c990e61ee041eabe5d3daf53aac49e747bb96189c3fa17346774a5edc6d