Malware Analysis Report

2024-12-07 11:12

Sample ID 241113-w7cbssxbpd
Target b6726eb2425619b8e63066f94362b5c47d1cc842b612834de8a08e693f2da8a1.exe
SHA256 b6726eb2425619b8e63066f94362b5c47d1cc842b612834de8a08e693f2da8a1
Tags
healer discovery dropper evasion persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

b6726eb2425619b8e63066f94362b5c47d1cc842b612834de8a08e693f2da8a1

Threat Level: Known bad

The file b6726eb2425619b8e63066f94362b5c47d1cc842b612834de8a08e693f2da8a1.exe was found to be: Known bad.

Malicious Activity Summary

healer discovery dropper evasion persistence trojan

Modifies Windows Defender Real-time Protection settings

Detects Healer, an antivirus disabler dropper

Healer

Healer family

Windows security modification

Executes dropped EXE

Adds Run key to start application

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 18:33

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 18:33

Reported

2024-11-13 18:35

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b6726eb2425619b8e63066f94362b5c47d1cc842b612834de8a08e693f2da8a1.exe"

Signatures

Detects Healer, an antivirus disabler dropper


Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\239786344.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\239786344.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\239786344.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\138970767.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\138970767.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\138970767.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\138970767.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\239786344.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\239786344.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\138970767.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\138970767.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\138970767.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\239786344.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\138970767.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\239786344.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\138970767.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\b6726eb2425619b8e63066f94362b5c47d1cc842b612834de8a08e693f2da8a1.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b6726eb2425619b8e63066f94362b5c47d1cc842b612834de8a08e693f2da8a1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\138970767.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\239786344.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\138970767.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\239786344.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b6726eb2425619b8e63066f94362b5c47d1cc842b612834de8a08e693f2da8a1.exe

"C:\Users\Admin\AppData\Local\Temp\b6726eb2425619b8e63066f94362b5c47d1cc842b612834de8a08e693f2da8a1.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\138970767.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\138970767.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\239786344.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\239786344.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2368 -ip 2368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 1032

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 102.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 67.208.201.84.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\138970767.exe

MD5 3d10b67208452d7a91d7bd7066067676
SHA1 e6c3ab7b6da65c8cc7dd95351f118caf3a50248d
SHA256 5c8ae96739bd9454a59e92b5eb6965647030e87453f7c417dbd7d53ebd837302
SHA512 b86d5ff4f55c90922a890401ae4301da7e71eb5e546a82536073cc58780ce55585214cff39ec9b52f70704580ad36c1fa95ebee1515dd2e7ea313cb670f2b4df

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\239786344.exe

MD5 1e544ce92060f1da1b09809ecdf7d648
SHA1 12f0ea334581f0823cfabcdb37a38687992e3a63
SHA256 d5a584fc3cd321a1e760adbeb06effd40782410e9ceee414544ebbb557010c80
SHA512 8b000ba5f0dbff6c6e644ef36b53d90e325d057a92ccd891efd38e7425f59db2ced3a7b104ad349594eb13f3e51853a9e6b6cd01d111fa8c92f1ba3baef7a99e

memory/2368-79-0x0000000000400000-0x0000000002B99000-memory.dmp