Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

ba323927e4...de.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/11/2024, 14:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ba323927e4a820447a6c891a5d4042db56e6d2930ff38ab47f51e67485f3d6de.exe

  • Size

    1.0MB

  • MD5

    f2864fc71cf00e439d98f0dd1129c087

  • SHA1

    4125c47048692a57e3006b80b50cfcd342d5a4a0

  • SHA256

    ba323927e4a820447a6c891a5d4042db56e6d2930ff38ab47f51e67485f3d6de

  • SHA512

    0477f97570ec94a119563643ceb618289807df5b9500549ab515bbcb5e1cfa0846df090ca3950321cb8b585668794100c99adfc5efb655a06143675860b63fcb

  • SSDEEP

    24576:Vyx/YERNx4EOgHtoHgJ3tRdKV5VFfQdXVP:wPPxLOgNqm+VF4dX

Score
10/10
healerdiscoverydropperevasionpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ba323927e4a820447a6c891a5d4042db56e6d2930ff38ab47f51e67485f3d6de.exe
    "C:\Users\Admin\AppData\Local\Temp\ba323927e4a820447a6c891a5d4042db56e6d2930ff38ab47f51e67485f3d6de.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1916
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un128693.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un128693.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3436
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un184103.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un184103.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2580
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr967157.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr967157.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3484
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 1108
            5⤵
            • Program crash
            PID:1468
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu340194.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu340194.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3920
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3484 -ip 3484
    1⤵
      PID:1904

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un128693.exe
      Filesize

      749KB

      MD5

      facedafe5625c379bc1dd90175c27834

      SHA1

      00c6037bebb2c717c70a83604608d4bee039c5fa

      SHA256

      27c0c04e0d20efeb14bb226c8d57d50e1372b01fcf5a6466bfce8b58b12292b6

      SHA512

      386fc4cbc51b4dd0079d507a0338c65886a2030211c70595fa1dbd3e3ac0ceb6d24a3a926e6c906c4f5b7ffeacb7e4896087d43c6d6fb5a974d125728a246c34

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un184103.exe
      Filesize

      595KB

      MD5

      d51e820f2e320a9215838c16876284f1

      SHA1

      26e8e6d51dc3b4a75956cd0d02b9280416a45ad5

      SHA256

      9bdb814f45703502243a35d0725771237b53cf319899ad09d072234d3688da8b

      SHA512

      f4a7e397e3a49018474f328ce42ede2e797dd63f087f3b9fa0e7f40532e51492b1b5499727bd21a45e6b83391df1b2e5722201ba142a0eb6f37ff960f0e56631

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr967157.exe
      Filesize

      389KB

      MD5

      64eb107da6f4433febb15c4248c0be5c

      SHA1

      aad9d8f2296e92171b9a3c62ebaa2d1c83c9ba94

      SHA256

      aa1d81387c1e733c582e256f72cbb91612483319ee26685aa12cfab9926ca1f7

      SHA512

      1be657fb2f4e8109ecf84b89af19cacafb8ec956b489af31eb12235a1c9897828bed22a5fc508d8c8c8bbcae4d82cd23f1c2d631663f71c72a59b55aaad07a96

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu340194.exe
      Filesize

      472KB

      MD5

      63e8da8693e98343da3d6a4f3f350c3d

      SHA1

      ac4f17be24b4c8a36d069eaa0f2687098c99d7dd

      SHA256

      20eb073dafdb859134963128d3c9837c63dec04cf28608c2cf196f8e946c987c

      SHA512

      1092d8ea6d85ab0088da8a0d3a268edd39ee2bbb4657b6183c3df320b5ee14c6faacf4c38189596b36da65b04cf0cb15ba17948f7c7230b54747e9a65e54b55b

      Download Submit

    • memory/3484-43-0x0000000002A80000-0x0000000002A92000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3484-35-0x0000000002A80000-0x0000000002A92000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3484-25-0x0000000002A80000-0x0000000002A98000-memory.dmp

      Filesize

      96KB

      Download

    • memory/3484-53-0x0000000002A80000-0x0000000002A92000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3484-51-0x0000000002A80000-0x0000000002A92000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3484-49-0x0000000002A80000-0x0000000002A92000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3484-47-0x0000000002A80000-0x0000000002A92000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3484-45-0x0000000002A80000-0x0000000002A92000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3484-23-0x0000000002660000-0x000000000267A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3484-39-0x0000000002A80000-0x0000000002A92000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3484-41-0x0000000002A80000-0x0000000002A92000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3484-24-0x0000000004DF0000-0x0000000005394000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3484-37-0x0000000002A80000-0x0000000002A92000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3484-33-0x0000000002A80000-0x0000000002A92000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3484-31-0x0000000002A80000-0x0000000002A92000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3484-29-0x0000000002A80000-0x0000000002A92000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3484-27-0x0000000002A80000-0x0000000002A92000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3484-26-0x0000000002A80000-0x0000000002A92000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3484-54-0x0000000000400000-0x0000000000806000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/3484-55-0x0000000000AA0000-0x0000000000BA0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/3484-57-0x0000000000400000-0x0000000000806000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/3484-22-0x0000000000AA0000-0x0000000000BA0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/3920-60-0x0000000000400000-0x000000000081A000-memory.dmp

      Filesize

      4.1MB

      Download