Analysis
- max time kernel: 94s
- max time network: 99s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-11-2024 16:50
- Static task: static1
General
- Target: 6243a8b6f209a94b25336405ffa4868b52cb0baf8d0724e2a02cd6e577410622.exe
- Size: 406KB
- MD5: 233453863ee04878a4f5d086f336788a
- SHA1: 7c09d05df566b660194447efafc7028d41839a45
- SHA256: 6243a8b6f209a94b25336405ffa4868b52cb0baf8d0724e2a02cd6e577410622
- SHA512: 4ce26c2f3fd7964b77f5ce05580cf64d1ce9e81e93ab01c79aa4c8b037854f5b7f5e844c9ce207efe50f6199c0aa4c2a2c320b7995bdec6fc7727fd6004a0173
- SSDEEP: 6144:0Rp0yN90QEhlqnRgZqLt8s1WcsOZA+PDBn5CtgI5Y+NrFh/KzFgM/HEcL:ny90FyKZqLtJ14gAIPbI5Y+NrDGqMfnL
Malware Config
Signatures

Detects Healer an antivirus disabler dropper 17 IoCs
Processes (resource / yara_rule):
- behavioral1/memory/4332-8-0x0000000002290000-0x00000000022AA000-memory.dmp healer
- behavioral1/memory/4332-11-0x0000000004980000-0x0000000004998000-memory.dmp healer
- behavioral1/memory/4332-18-0x0000000004980000-0x0000000004993000-memory.dmp healer
- behavioral1/memory/4332-40-0x0000000004980000-0x0000000004993000-memory.dmp healer
- behavioral1/memory/4332-38-0x0000000004980000-0x0000000004993000-memory.dmp healer
- behavioral1/memory/4332-36-0x0000000004980000-0x0000000004993000-memory.dmp healer
- behavioral1/memory/4332-34-0x0000000004980000-0x0000000004993000-memory.dmp healer
- behavioral1/memory/4332-32-0x0000000004980000-0x0000000004993000-memory.dmp healer
- behavioral1/memory/4332-30-0x0000000004980000-0x0000000004993000-memory.dmp healer
- behavioral1/memory/4332-28-0x0000000004980000-0x0000000004993000-memory.dmp healer
- behavioral1/memory/4332-26-0x0000000004980000-0x0000000004993000-memory.dmp healer
- behavioral1/memory/4332-24-0x0000000004980000-0x0000000004993000-memory.dmp healer
- behavioral1/memory/4332-22-0x0000000004980000-0x0000000004993000-memory.dmp healer
- behavioral1/memory/4332-20-0x0000000004980000-0x0000000004993000-memory.dmp healer
- behavioral1/memory/4332-16-0x0000000004980000-0x0000000004993000-memory.dmp healer
- behavioral1/memory/4332-14-0x0000000004980000-0x0000000004993000-memory.dmp healer
- behavioral1/memory/4332-13-0x0000000004980000-0x0000000004993000-memory.dmp healer

Healer family

Modifies Windows Defender Real-time Protection settings 11 IoCs
Processes (description / ioc / Process):
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 153890220.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 299562050.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 153890220.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 153890220.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 153890220.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 299562050.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 299562050.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 299562050.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 299562050.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 153890220.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 153890220.exe

Executes dropped EXE 2 IoCs
Processes (pid / Process):
- 4332 153890220.exe
- 3980 299562050.exe

Windows security modification 3 IoCs
Processes (description / ioc / Process):
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features 153890220.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 153890220.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 299562050.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description / ioc / Process):
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 6243a8b6f209a94b25336405ffa4868b52cb0baf8d0724e2a02cd6e577410622.exe

Program crash 1 IoCs
Processes (pid / pid_target / Process / procid_target):
- 1504 3980 WerFault.exe 93
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description / ioc / Process):
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6243a8b6f209a94b25336405ffa4868b52cb0baf8d0724e2a02cd6e577410622.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 153890220.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 299562050.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes (pid / Process):
- 4332 153890220.exe
- 4332 153890220.exe
- 3980 299562050.exe
- 3980 299562050.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (description / pid / Process):
- Token: SeDebugPrivilege 4332 153890220.exe
- Token: SeDebugPrivilege 3980 299562050.exe

Suspicious use of WriteProcessMemory 6 IoCs
Processes (description / pid / Process / procid_target):
- PID 4380 wrote to memory of 4332 4380 6243a8b6f209a94b25336405ffa4868b52cb0baf8d0724e2a02cd6e577410622.exe 83
- PID 4380 wrote to memory of 4332 4380 6243a8b6f209a94b25336405ffa4868b52cb0baf8d0724e2a02cd6e577410622.exe 83
- PID 4380 wrote to memory of 4332 4380 6243a8b6f209a94b25336405ffa4868b52cb0baf8d0724e2a02cd6e577410622.exe 83
- PID 4380 wrote to memory of 3980 4380 6243a8b6f209a94b25336405ffa4868b52cb0baf8d0724e2a02cd6e577410622.exe 93
- PID 4380 wrote to memory of 3980 4380 6243a8b6f209a94b25336405ffa4868b52cb0baf8d0724e2a02cd6e577410622.exe 93
- PID 4380 wrote to memory of 3980 4380 6243a8b6f209a94b25336405ffa4868b52cb0baf8d0724e2a02cd6e577410622.exe 93
Processes
- C:\Users\Admin\AppData\Local\Temp\6243a8b6f209a94b25336405ffa4868b52cb0baf8d0724e2a02cd6e577410622.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6243a8b6f209a94b25336405ffa4868b52cb0baf8d0724e2a02cd6e577410622.exe"
  PID: 4380
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\153890220.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\153890220.exe
    PID: 4332
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\299562050.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\299562050.exe
    PID: 3980
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 1084
      PID: 1504
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3980 -ip 3980
  PID: 4444
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1): Windows Service (1)
Downloads
- Filesize: 176KB
  MD5: 2b71f4b18ac8214a2bff547b6ce2f64f
  SHA1: b8f2f25139a7b2e8d5e8fbc024eb5cac518bc6a5
  SHA256: f7eedf3aec775a62c265d1652686b30a8a45a953523e2fb3cfc1fac3c6a66fbc
  SHA512: 33518eff768610bf54f9888d9d0d746b0c3500dc5f2b8fd5f1641d5a264f657a8311b40364f70932512581183b244fec3feb535e21c13e0ec8adec9994175177
- Filesize: 258KB
  MD5: bc4185435689ce5965498a8800b93900
  SHA1: c3c7f555cd079247f629daa16c279426b222adc4
  SHA256: 489a927b79775f87508f9cbb3c3af0f683366a28111b2dc1c8a183ae87d289e8
  SHA512: 48c033b248401fd466a9d56e7274ca084c656fbe2fbe4cf5ea1f3ea08dadec9349138f6a3c9500e8f50d2600a93e4cc7dc6f4a940cee199704adfe39b14c3507