Overview

overview

10

Static

static

3

ce96f10727...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    104s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-07-2024 14:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ce96f10727de48594a78825da39b34f0N.exe

  • Size

    410KB

  • MD5

    ce96f10727de48594a78825da39b34f0

  • SHA1

    e6b96b479ef41c4938dc27be6b6702dd02556efb

  • SHA256

    f4cc85dca2d86c385d7fd844c48877bf0cfa110e20157648e9c0605ddfbfe838

  • SHA512

    8facc3269ea8261c79aa9eb8962dedc513047fe5e3f0ab8bda777d975d4ec304f8041b6115efe96bc32f7219e50725d5f72be36415eaf609f9c3ab771a2dda0f

  • SSDEEP

    6144:F7p0yN90QEHe3WMGsXtK59epswqXQuIXI9OtSQ6lANCGsKLvQ9lyYpX:Iy90gGjsX+9UqXQuMRCGsKjSwM

Score
10/10
healerdropperevasionpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs
    evasiontrojan
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ce96f10727de48594a78825da39b34f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\ce96f10727de48594a78825da39b34f0N.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:5044
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\142051963.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\142051963.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4100
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\289128006.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\289128006.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1592
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 1080
        3⤵
        • Program crash
        PID:2376
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1592 -ip 1592
    1⤵
      PID:688

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\142051963.exe
      Filesize

      175KB

      MD5

      3d10b67208452d7a91d7bd7066067676

      SHA1

      e6c3ab7b6da65c8cc7dd95351f118caf3a50248d

      SHA256

      5c8ae96739bd9454a59e92b5eb6965647030e87453f7c417dbd7d53ebd837302

      SHA512

      b86d5ff4f55c90922a890401ae4301da7e71eb5e546a82536073cc58780ce55585214cff39ec9b52f70704580ad36c1fa95ebee1515dd2e7ea313cb670f2b4df

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\289128006.exe
      Filesize

      263KB

      MD5

      5ce8fbb6cb52174de3d25da5f24831aa

      SHA1

      d1590828aa15f5da7e02a28cd0167379334c6cc8

      SHA256

      54ba4937222cf5017c2231deea6353c7a64de020996fce6cef2fd6b2e8423cf5

      SHA512

      c78d1dfba17b2a9f653ae5c8a336cafa0e70cd6516cc613bbef2ce28042dc20e429f09e14a8ae58411bae314badbe59b315074f5cfc7f2b8024e62e413eee180

      Download Submit

    • memory/1592-77-0x0000000000400000-0x0000000002B99000-memory.dmp

      Filesize

      39.6MB

      Download

    • memory/4100-30-0x0000000004980000-0x0000000004993000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4100-26-0x0000000004980000-0x0000000004993000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4100-11-0x0000000004980000-0x0000000004998000-memory.dmp

      Filesize

      96KB

      Download

    • memory/4100-12-0x0000000074130000-0x00000000748E0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4100-40-0x0000000004980000-0x0000000004993000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4100-38-0x0000000004980000-0x0000000004993000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4100-36-0x0000000004980000-0x0000000004993000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4100-34-0x0000000004980000-0x0000000004993000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4100-32-0x0000000004980000-0x0000000004993000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4100-9-0x0000000074130000-0x00000000748E0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4100-28-0x0000000004980000-0x0000000004993000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4100-10-0x00000000049F0000-0x0000000004F94000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4100-24-0x0000000004980000-0x0000000004993000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4100-22-0x0000000004980000-0x0000000004993000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4100-20-0x0000000004980000-0x0000000004993000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4100-18-0x0000000004980000-0x0000000004993000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4100-16-0x0000000004980000-0x0000000004993000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4100-14-0x0000000004980000-0x0000000004993000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4100-13-0x0000000004980000-0x0000000004993000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4100-41-0x0000000074130000-0x00000000748E0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4100-43-0x0000000074130000-0x00000000748E0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4100-8-0x00000000023D0000-0x00000000023EA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4100-7-0x000000007413E000-0x000000007413F000-memory.dmp

      Filesize

      4KB

      Download