Analysis
max time kernel: 94s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 10:59
Static task: static1
General
Target: e91da56042cb38a9ddf26ae132c623d6125bf34a50628f69521006caeb3b48d8N.exe
Size: 324KB
MD5: 453b433f66a9cae7bd2f0df8c6120680
SHA1: 3c1e0f8e2e1940ba4ffa04d18451ef8ac1400afe
SHA256: e91da56042cb38a9ddf26ae132c623d6125bf34a50628f69521006caeb3b48d8
SHA512: 0f61475d0d3a5743a10eac9de04668053f217f0104ed3f9600a3eedeee9f92e1e29dc44cf982b9038517c3f5998d49e584df3d7763d930a2188cc3915cb9046a
SSDEEP: 6144:K+y+bnr+7p0yN90QEE1AN5QRJArYGdehQDuz+IQgiIaw:+Mr3y90y1NAKhQDVbgKw
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (19 IoCs)
resource | yara_rule
behavioral1/files/0x0009000000023c90-5.dat | healer
behavioral1/memory/704-8-0x0000000000010000-0x000000000001A000-memory.dmp | healer
behavioral1/memory/1048-18-0x0000000002330000-0x000000000234A000-memory.dmp | healer
behavioral1/memory/1048-20-0x0000000002510000-0x0000000002528000-memory.dmp | healer
behavioral1/memory/1048-21-0x0000000002510000-0x0000000002522000-memory.dmp | healer
behavioral1/memory/1048-22-0x0000000002510000-0x0000000002522000-memory.dmp | healer
behavioral1/memory/1048-24-0x0000000002510000-0x0000000002522000-memory.dmp | healer
behavioral1/memory/1048-26-0x0000000002510000-0x0000000002522000-memory.dmp | healer
behavioral1/memory/1048-28-0x0000000002510000-0x0000000002522000-memory.dmp | healer
behavioral1/memory/1048-30-0x0000000002510000-0x0000000002522000-memory.dmp | healer
behavioral1/memory/1048-33-0x0000000002510000-0x0000000002522000-memory.dmp | healer
behavioral1/memory/1048-34-0x0000000002510000-0x0000000002522000-memory.dmp | healer
behavioral1/memory/1048-36-0x0000000002510000-0x0000000002522000-memory.dmp | healer
behavioral1/memory/1048-38-0x0000000002510000-0x0000000002522000-memory.dmp | healer
behavioral1/memory/1048-40-0x0000000002510000-0x0000000002522000-memory.dmp | healer
behavioral1/memory/1048-42-0x0000000002510000-0x0000000002522000-memory.dmp | healer
behavioral1/memory/1048-44-0x0000000002510000-0x0000000002522000-memory.dmp | healer
behavioral1/memory/1048-46-0x0000000002510000-0x0000000002522000-memory.dmp | healer
behavioral1/memory/1048-48-0x0000000002510000-0x0000000002522000-memory.dmp | healer
Healer family

Modifies Windows Defender Real-time Protection settings (12 IoCs)
Both dropped executables write the same five Disable* policy values under the Real-Time Protection policy key. b6202QA.exe writes them in the native view of the hive; c79eI25.exe (a 32-bit process, note the SysWOW64 WerFault that handles its crash below) writes them under the redirected WOW6432Node path, so detection logic has to cover both views.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | b6202QA.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | b6202QA.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | b6202QA.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | b6202QA.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | b6202QA.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | b6202QA.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | c79eI25.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | c79eI25.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | c79eI25.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | c79eI25.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | c79eI25.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | c79eI25.exe
Executes dropped EXE (2 IoCs)
pid | Process
704 | b6202QA.exe
1048 | c79eI25.exe
Windows security modification (3 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | b6202QA.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | c79eI25.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | c79eI25.exe
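A detection pass over registry set-value events that encodes the Defender-tampering writes listed in the two signature tables above, as an added example (it is not part of the report and not any sandbox's own logic). Process names, PIDs and registry paths in the sample events are taken from the report; the event schema, the two benign control events, and the helper names are assumptions. One caveat a responder should keep in mind: on a host with Tamper Protection enabled, Defender blocks registry changes to these settings from untrusted processes, so the writes recorded here mark an attempt to disable protection, not necessarily a successful one.

```python
"""Flag Windows Defender tampering in registry set-value events.

Added example, not part of the sandbox report. The rules encode the registry
writes the report lists under "Modifies Windows Defender Real-time Protection
settings" and "Windows security modification". The event shape (process, pid,
path, data) is an assumption, not a real sensor schema; Sysmon Event ID 13
(RegistryEvent, Value Set) carries the same information under other names.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Policy values that switch off real-time protection components when set to 1.
RTP_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
    "DisableOnAccessProtection",
    "DisableIOAVProtection",
    "DisableScanOnRealtimeEnable",
}
# Tamper Protection feature flag; both droppers write 0 ("off").
TAMPER_VALUE = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection"

_HIVE_RE = re.compile(r"^\\REGISTRY\\MACHINE\\", re.IGNORECASE)
_WOW_RE = re.compile(r"\\WOW6432Node\\", re.IGNORECASE)


@dataclass(frozen=True)
class RegSetValue:
    process: str
    pid: int
    path: str  # full value path as the sensor reports it
    data: str  # data written, as a string


def normalize_path(path: str) -> str:
    """Rewrite kernel-style \\REGISTRY\\MACHINE paths as HKLM and fold the
    32-bit redirected view (WOW6432Node) onto the native view, so one rule
    catches both the b6202QA.exe-style and the c79eI25.exe-style writes."""
    path = _HIVE_RE.sub(r"HKLM\\", path)
    return _WOW_RE.sub(r"\\", path)


def classify(ev: RegSetValue) -> Optional[str]:
    """Label a Defender-tampering write, or return None for anything else."""
    path = normalize_path(ev.path)
    key, _, value_name = path.rpartition("\\")
    data = ev.data.strip('"')
    if key.lower() == RTP_KEY.lower() and value_name in RTP_DISABLE_VALUES and data == "1":
        return f"rtp_policy_disable:{value_name}"
    if path.lower() == TAMPER_VALUE.lower() and data == "0":
        return "tamper_protection_off"
    return None  # covers re-enabling writes (Disable* = 0) and unrelated keys


def analyze(events: List[RegSetValue]) -> Dict[Tuple[str, int], dict]:
    """Per (process, pid): which Disable* policies it set, whether it zeroed
    TamperProtection, and a verdict. Doing both in one process is the pattern
    the report shows for each dropper."""
    labels: Dict[Tuple[str, int], List[str]] = {}
    for ev in events:
        found = labels.setdefault((ev.process, ev.pid), [])
        label = classify(ev)
        if label:
            found.append(label)
    verdicts = {}
    for proc, found in labels.items():
        rtp = sorted(f.split(":", 1)[1] for f in found if f.startswith("rtp_policy_disable:"))
        tamper = "tamper_protection_off" in found
        verdict = "healer_like" if rtp and tamper else "suspicious" if rtp or tamper else "clean"
        verdicts[proc] = {"rtp_disabled": rtp, "tamper_protection_off": tamper, "verdict": verdict}
    return verdicts


def _machine(*parts: str) -> str:
    """Build a \\REGISTRY\\MACHINE\\SOFTWARE\\... path from its components."""
    return "\\".join((r"\REGISTRY\MACHINE\SOFTWARE",) + parts)


_RTP_SUBKEY = r"Policies\Microsoft\Windows Defender\Real-Time Protection"
_TAMPER_SUBKEY = r"Microsoft\Windows Defender\Features\TamperProtection"

# Constructed sample: the Defender writes from the report (processes, PIDs and
# paths copied from the signature tables) plus two constructed benign controls.
SAMPLE_EVENTS = [
    *[RegSetValue("b6202QA.exe", 704, _machine(_RTP_SUBKEY, v), "1") for v in RTP_DISABLE_VALUES],
    RegSetValue("b6202QA.exe", 704, _machine(_TAMPER_SUBKEY), "0"),
    *[RegSetValue("c79eI25.exe", 1048, _machine("WOW6432Node", _RTP_SUBKEY, v), "1") for v in RTP_DISABLE_VALUES],
    RegSetValue("c79eI25.exe", 1048, _machine("WOW6432Node", _TAMPER_SUBKEY), "0"),
    # Controls: an admin re-enabling monitoring, and an unrelated Explorer setting.
    RegSetValue("benign_tool.exe", 2222, _machine(_RTP_SUBKEY, "DisableRealtimeMonitoring"), "0"),
    RegSetValue("benign_tool.exe", 2222, _machine(r"Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"), "1"),
]

if __name__ == "__main__":
    for (name, pid), result in analyze(SAMPLE_EVENTS).items():
        print(f"{name} (PID {pid}): {result['verdict']} rtp_disabled={result['rtp_disabled']} "
              f"tamper_protection_off={result['tamper_protection_off']}")
```

Folding WOW6432Node onto the native view is what lets a single rule flag both droppers; without it, a rule written against HKLM\SOFTWARE\Policies\... would miss every write c79eI25.exe made. The "suspicious" verdict exists because a single Disable* policy can be set legitimately by Group Policy, whereas setting all five and zeroing TamperProtection from one short-lived process in a Temp folder has no benign explanation.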
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\" | e91da56042cb38a9ddf26ae132c623d6125bf34a50628f69521006caeb3b48d8N.exe
This RunOnce value is the standard cleanup entry written by the Windows self-extractor (WEXTRACT/IExpress): at next logon it deletes the IXP000.TMP extraction folder. Together with the IXP000.TMP location of the two dropped executables it identifies the outer sample as a self-extracting package; it does not give the payloads persistence.
Program crash (1 IoC)
pid | pid_target | Process | procid_target
3984 | 1048 | WerFault.exe | 93
WerFault.exe (PID 3984) was started to report a crash of PID 1048 (c79eI25.exe); procid_target 93 is the report's internal identifier for that process, the same number shown in the WriteProcessMemory rows below.
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e91da56042cb38a9ddf26ae132c623d6125bf34a50628f69521006caeb3b48d8N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c79eI25.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
704 | b6202QA.exe
704 | b6202QA.exe
1048 | c79eI25.exe
1048 | c79eI25.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 704 | b6202QA.exe
Token: SeDebugPrivilege | 1048 | c79eI25.exe
Suspicious use of WriteProcessMemory (5 IoCs)
description | pid | Process | procid_target
PID 3184 wrote to memory of 704 | 3184 | e91da56042cb38a9ddf26ae132c623d6125bf34a50628f69521006caeb3b48d8N.exe | 83
PID 3184 wrote to memory of 704 | 3184 | e91da56042cb38a9ddf26ae132c623d6125bf34a50628f69521006caeb3b48d8N.exe | 83
PID 3184 wrote to memory of 1048 | 3184 | e91da56042cb38a9ddf26ae132c623d6125bf34a50628f69521006caeb3b48d8N.exe | 93
PID 3184 wrote to memory of 1048 | 3184 | e91da56042cb38a9ddf26ae132c623d6125bf34a50628f69521006caeb3b48d8N.exe | 93
PID 3184 wrote to memory of 1048 | 3184 | e91da56042cb38a9ddf26ae132c623d6125bf34a50628f69521006caeb3b48d8N.exe | 93
Processes

C:\Users\Admin\AppData\Local\Temp\e91da56042cb38a9ddf26ae132c623d6125bf34a50628f69521006caeb3b48d8N.exe (PID 3184)
  command line: "C:\Users\Admin\AppData\Local\Temp\e91da56042cb38a9ddf26ae132c623d6125bf34a50628f69521006caeb3b48d8N.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b6202QA.exe (PID 704)
  |     command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b6202QA.exe
  |     - Modifies Windows Defender Real-time Protection settings
  |     - Executes dropped EXE
  |     - Windows security modification
  |     - Suspicious behavior: EnumeratesProcesses
  |     - Suspicious use of AdjustPrivilegeToken
  |
  +-- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c79eI25.exe (PID 1048)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c79eI25.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        |
        +-- C:\Windows\SysWOW64\WerFault.exe (PID 3984)
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 1100
              - Program crash

C:\Windows\SysWOW64\WerFault.exe (PID 2844)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1048 -ip 1048
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads

Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Filesize: 226KB
MD5: 87fdb2616cdd76d9350185b156701651
SHA1: 7fdf84d01f1483a62b58ca49f7b6a611d4f3dcbd
SHA256: c67ca9d7889ab72b29cf894975dc011f98a5f05c978f703d5f74c106c692d23f
SHA512: 3037c42e038fb974a976d2750a876b46aabd8236a3a2f4f8cddfa7ecd584608cec86e130bc3af974df56d75ff0bed1ea0ca1948fe3fdeda1016cbd33807afe71