Analysis
- max time kernel: 138s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-11-2024 01:26
- static task: static1
General
- Target: a7ebada9a5ecc2c54db4d93d0ab8d4f65e835ac82e8920b198d49aa037b97d2c.exe
- Size: 407KB
- MD5: 43fff5b40ab6f015344ddacd979e3fe9
- SHA1: f536d7129771ebd126a56587019ba9315b316ad3
- SHA256: a7ebada9a5ecc2c54db4d93d0ab8d4f65e835ac82e8920b198d49aa037b97d2c
- SHA512: 29c333b00a5092557f36cb22c68015f07a0399249819bbc3ec57b146225ddf42ab2786c3428bfbaf1b45dee7f8009c5a456ce782ed5d36017bc43721abad02b3
- SSDEEP: 6144:CZp0yN90QEQdlqnRgZqLt4s10ClW6VPO37uKnPkaaAYOCYAp:Vy902XyKZqLtd10CA6Vm379dzCD
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
Processes (resource | yara_rule):
- behavioral1/memory/3512-8-0x00000000049F0000-0x0000000004A0A000-memory.dmp | healer
- behavioral1/memory/3512-11-0x0000000004AC0000-0x0000000004AD8000-memory.dmp | healer
- behavioral1/memory/3512-41-0x0000000004AC0000-0x0000000004AD3000-memory.dmp | healer
- behavioral1/memory/3512-39-0x0000000004AC0000-0x0000000004AD3000-memory.dmp | healer
- behavioral1/memory/3512-37-0x0000000004AC0000-0x0000000004AD3000-memory.dmp | healer
- behavioral1/memory/3512-35-0x0000000004AC0000-0x0000000004AD3000-memory.dmp | healer
- behavioral1/memory/3512-33-0x0000000004AC0000-0x0000000004AD3000-memory.dmp | healer
- behavioral1/memory/3512-31-0x0000000004AC0000-0x0000000004AD3000-memory.dmp | healer
- behavioral1/memory/3512-29-0x0000000004AC0000-0x0000000004AD3000-memory.dmp | healer
- behavioral1/memory/3512-27-0x0000000004AC0000-0x0000000004AD3000-memory.dmp | healer
- behavioral1/memory/3512-25-0x0000000004AC0000-0x0000000004AD3000-memory.dmp | healer
- behavioral1/memory/3512-23-0x0000000004AC0000-0x0000000004AD3000-memory.dmp | healer
- behavioral1/memory/3512-21-0x0000000004AC0000-0x0000000004AD3000-memory.dmp | healer
- behavioral1/memory/3512-19-0x0000000004AC0000-0x0000000004AD3000-memory.dmp | healer
- behavioral1/memory/3512-17-0x0000000004AC0000-0x0000000004AD3000-memory.dmp | healer
- behavioral1/memory/3512-15-0x0000000004AC0000-0x0000000004AD3000-memory.dmp | healer
- behavioral1/memory/3512-14-0x0000000004AC0000-0x0000000004AD3000-memory.dmp | healer
Healer family
Modifies Windows Defender Real-time Protection settings
Processes (description | ioc | process):
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 111883107.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 111883107.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 270967542.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 111883107.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 270967542.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 270967542.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 270967542.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 270967542.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 111883107.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 111883107.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 111883107.exe
Executes dropped EXE (2 IoCs)
Processes (pid | process):
- 3512 | 111883107.exe
- 3996 | 270967542.exe
Windows security modification
Processes (description | ioc | process):
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 111883107.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 111883107.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 270967542.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description | ioc | process):
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | a7ebada9a5ecc2c54db4d93d0ab8d4f65e835ac82e8920b198d49aa037b97d2c.exe
Launches sc.exe (1 IoC)
sc.exe is a Windows utility to control services on the system.
Processes (pid | process):
- 2928 | sc.exe
Program crash (1 IoC)
Processes (pid | pid_target | process | target process):
- 1828 | 3996 | WerFault.exe | 270967542.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description | ioc | process):
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a7ebada9a5ecc2c54db4d93d0ab8d4f65e835ac82e8920b198d49aa037b97d2c.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 111883107.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 270967542.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes (pid | process):
- 3512 | 111883107.exe
- 3512 | 111883107.exe
- 3996 | 270967542.exe
- 3996 | 270967542.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description | pid | process):
- Token: SeDebugPrivilege | 3512 | 111883107.exe
- Token: SeDebugPrivilege | 3996 | 270967542.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes (description | pid | process | target process):
- PID 2676 wrote to memory of 3512 | 2676 | a7ebada9a5ecc2c54db4d93d0ab8d4f65e835ac82e8920b198d49aa037b97d2c.exe | 111883107.exe
- PID 2676 wrote to memory of 3512 | 2676 | a7ebada9a5ecc2c54db4d93d0ab8d4f65e835ac82e8920b198d49aa037b97d2c.exe | 111883107.exe
- PID 2676 wrote to memory of 3512 | 2676 | a7ebada9a5ecc2c54db4d93d0ab8d4f65e835ac82e8920b198d49aa037b97d2c.exe | 111883107.exe
- PID 2676 wrote to memory of 3996 | 2676 | a7ebada9a5ecc2c54db4d93d0ab8d4f65e835ac82e8920b198d49aa037b97d2c.exe | 270967542.exe
- PID 2676 wrote to memory of 3996 | 2676 | a7ebada9a5ecc2c54db4d93d0ab8d4f65e835ac82e8920b198d49aa037b97d2c.exe | 270967542.exe
- PID 2676 wrote to memory of 3996 | 2676 | a7ebada9a5ecc2c54db4d93d0ab8d4f65e835ac82e8920b198d49aa037b97d2c.exe | 270967542.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\a7ebada9a5ecc2c54db4d93d0ab8d4f65e835ac82e8920b198d49aa037b97d2c.exe (PID 2676)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a7ebada9a5ecc2c54db4d93d0ab8d4f65e835ac82e8920b198d49aa037b97d2c.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\111883107.exe (PID 3512)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\111883107.exe
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\270967542.exe (PID 3996)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\270967542.exe
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe (PID 1828)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 1084
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 1756)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3996 -ip 3996
- C:\Windows\system32\sc.exe (PID 2928)
  Command line: C:\Windows\system32\sc.exe start wuauserv
  - Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
Downloads
- Filesize: 176KB
  MD5: 2b71f4b18ac8214a2bff547b6ce2f64f
  SHA1: b8f2f25139a7b2e8d5e8fbc024eb5cac518bc6a5
  SHA256: f7eedf3aec775a62c265d1652686b30a8a45a953523e2fb3cfc1fac3c6a66fbc
  SHA512: 33518eff768610bf54f9888d9d0d746b0c3500dc5f2b8fd5f1641d5a264f657a8311b40364f70932512581183b244fec3feb535e21c13e0ec8adec9994175177
- Filesize: 265KB
  MD5: 2c429d972d18f7c2258b90138bdd37d4
  SHA1: 4cfdfc5e5872486e2e6268e650c72dfec37f6614
  SHA256: 08d91153df3e0853d777337eb3bf8e378e14234f92a72f5abe8bfe67b75ce9af
  SHA512: 7a109a0b15600f92dea239c48ea39cb4d14482f192b48a1a95a48b3b9e44838501274d67266cd3fc71dc0da525fb942ad775f87a5e6af179003f1b86d4d78780