Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

f3718d1af6...3N.exe

windows7-x64

10

f3718d1af6...3N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    95s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/11/2024, 10:19 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f3718d1af681cb3c8684e4c9297ebcd7c75aa54638535ebdd2f7e79e118ca793N.exe

  • Size

    277KB

  • MD5

    8ae5733e859af3fc70bd24f291241cc0

  • SHA1

    58d339fd37f6875ad18c3830c08ced6afd4b3691

  • SHA256

    f3718d1af681cb3c8684e4c9297ebcd7c75aa54638535ebdd2f7e79e118ca793

  • SHA512

    3becbd1bda5d969e3025e4a3588b678920bacb9c08731cb68d7b115f2f6e5d2a2773812f5bfe62944ff42aa577b58c269b7960a20c2c69d87d022a6ab8d67089

  • SSDEEP

    3072:EA+sgUHniUYJ+vYaFpYpE86BSkuIo2RX+SnsK+MEANDlN6qOncZuH5/vJwYPDpJc:rBM+vJ8NHIpz5pDQOupv2YPDWJ

Score
10/10
healerdiscoverydropperevasiontrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f3718d1af681cb3c8684e4c9297ebcd7c75aa54638535ebdd2f7e79e118ca793N.exe
    "C:\Users\Admin\AppData\Local\Temp\f3718d1af681cb3c8684e4c9297ebcd7c75aa54638535ebdd2f7e79e118ca793N.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Windows security modification
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4928
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 948
      2⤵
      • Program crash
      PID:3504
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4928 -ip 4928
    1⤵
      PID:4072

    Network

    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
      Response
      8.8.8.8.in-addr.arpa
      IN PTR
      dnsgoogle
    • flag-us
      DNS
      104.219.191.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      104.219.191.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      172.210.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.210.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      75.159.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      75.159.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      212.20.149.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      212.20.149.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      18.31.95.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      18.31.95.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      154.239.44.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      154.239.44.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      97.17.167.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      97.17.167.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      83.210.23.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      83.210.23.2.in-addr.arpa
      IN PTR
      Response
      83.210.23.2.in-addr.arpa
      IN PTR
      a2-23-210-83deploystaticakamaitechnologiescom
    • flag-us
      DNS
      14.227.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      14.227.111.52.in-addr.arpa
      IN PTR
      Response
    No results found
    • 8.8.8.8:53
      8.8.8.8.in-addr.arpa
      dns
      66 B
       90 B
       1
      1

      DNS Request

      8.8.8.8.in-addr.arpa

    • 8.8.8.8:53
      104.219.191.52.in-addr.arpa
      dns
      73 B
       147 B
       1
      1

      DNS Request

      104.219.191.52.in-addr.arpa

    • 8.8.8.8:53
      172.210.232.199.in-addr.arpa
      dns
      74 B
       128 B
       1
      1

      DNS Request

      172.210.232.199.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
       144 B
       1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      75.159.190.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      75.159.190.20.in-addr.arpa

    • 8.8.8.8:53
      212.20.149.52.in-addr.arpa
      dns
      72 B
       146 B
       1
      1

      DNS Request

      212.20.149.52.in-addr.arpa

    • 8.8.8.8:53
      18.31.95.13.in-addr.arpa
      dns
      70 B
       144 B
       1
      1

      DNS Request

      18.31.95.13.in-addr.arpa

    • 8.8.8.8:53
      154.239.44.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      154.239.44.20.in-addr.arpa

    • 8.8.8.8:53
      97.17.167.52.in-addr.arpa
      dns
      71 B
       145 B
       1
      1

      DNS Request

      97.17.167.52.in-addr.arpa

    • 8.8.8.8:53
      83.210.23.2.in-addr.arpa
      dns
      70 B
       133 B
       1
      1

      DNS Request

      83.210.23.2.in-addr.arpa

    • 8.8.8.8:53
      14.227.111.52.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      14.227.111.52.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/4928-1-0x0000000002D70000-0x0000000002E70000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/4928-2-0x0000000002CF0000-0x0000000002D1D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/4928-3-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4928-4-0x0000000004950000-0x000000000496A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4928-5-0x0000000007140000-0x00000000076E4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4928-6-0x00000000076F0000-0x0000000007708000-memory.dmp

      Filesize

      96KB

      Download

    • memory/4928-7-0x00000000076F0000-0x0000000007702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4928-16-0x00000000076F0000-0x0000000007702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4928-8-0x00000000076F0000-0x0000000007702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4928-34-0x00000000076F0000-0x0000000007702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4928-32-0x00000000076F0000-0x0000000007702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4928-30-0x00000000076F0000-0x0000000007702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4928-28-0x00000000076F0000-0x0000000007702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4928-26-0x00000000076F0000-0x0000000007702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4928-24-0x00000000076F0000-0x0000000007702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4928-22-0x00000000076F0000-0x0000000007702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4928-20-0x00000000076F0000-0x0000000007702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4928-18-0x00000000076F0000-0x0000000007702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4928-14-0x00000000076F0000-0x0000000007702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4928-12-0x00000000076F0000-0x0000000007702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4928-10-0x00000000076F0000-0x0000000007702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4928-35-0x0000000000400000-0x0000000002B9F000-memory.dmp

      Filesize

      39.6MB

      Download

    • memory/4928-36-0x0000000002D70000-0x0000000002E70000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/4928-37-0x0000000002CF0000-0x0000000002D1D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/4928-39-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4928-42-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4928-41-0x0000000000400000-0x0000000002B9F000-memory.dmp

      Filesize

      39.6MB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.