Overview

overview

10

Static

static

3

f3718d1af6...3N.exe

windows7-x64

10

f3718d1af6...3N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    95s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-11-2024 10:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f3718d1af681cb3c8684e4c9297ebcd7c75aa54638535ebdd2f7e79e118ca793N.exe

  • Size

    277KB

  • MD5

    8ae5733e859af3fc70bd24f291241cc0

  • SHA1

    58d339fd37f6875ad18c3830c08ced6afd4b3691

  • SHA256

    f3718d1af681cb3c8684e4c9297ebcd7c75aa54638535ebdd2f7e79e118ca793

  • SHA512

    3becbd1bda5d969e3025e4a3588b678920bacb9c08731cb68d7b115f2f6e5d2a2773812f5bfe62944ff42aa577b58c269b7960a20c2c69d87d022a6ab8d67089

  • SSDEEP

    3072:EA+sgUHniUYJ+vYaFpYpE86BSkuIo2RX+SnsK+MEANDlN6qOncZuH5/vJwYPDpJc:rBM+vJ8NHIpz5pDQOupv2YPDWJ

Score
10/10
healerdiscoverydropperevasiontrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f3718d1af681cb3c8684e4c9297ebcd7c75aa54638535ebdd2f7e79e118ca793N.exe
    "C:\Users\Admin\AppData\Local\Temp\f3718d1af681cb3c8684e4c9297ebcd7c75aa54638535ebdd2f7e79e118ca793N.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Windows security modification
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4928
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 948
      2⤵
      • Program crash
      PID:3504
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4928 -ip 4928
    1⤵
      PID:4072

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/4928-1-0x0000000002D70000-0x0000000002E70000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/4928-2-0x0000000002CF0000-0x0000000002D1D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/4928-3-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4928-4-0x0000000004950000-0x000000000496A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4928-5-0x0000000007140000-0x00000000076E4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4928-6-0x00000000076F0000-0x0000000007708000-memory.dmp

      Filesize

      96KB

      Download

    • memory/4928-7-0x00000000076F0000-0x0000000007702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4928-16-0x00000000076F0000-0x0000000007702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4928-8-0x00000000076F0000-0x0000000007702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4928-34-0x00000000076F0000-0x0000000007702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4928-32-0x00000000076F0000-0x0000000007702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4928-30-0x00000000076F0000-0x0000000007702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4928-28-0x00000000076F0000-0x0000000007702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4928-26-0x00000000076F0000-0x0000000007702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4928-24-0x00000000076F0000-0x0000000007702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4928-22-0x00000000076F0000-0x0000000007702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4928-20-0x00000000076F0000-0x0000000007702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4928-18-0x00000000076F0000-0x0000000007702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4928-14-0x00000000076F0000-0x0000000007702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4928-12-0x00000000076F0000-0x0000000007702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4928-10-0x00000000076F0000-0x0000000007702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4928-35-0x0000000000400000-0x0000000002B9F000-memory.dmp

      Filesize

      39.6MB

      Download

    • memory/4928-36-0x0000000002D70000-0x0000000002E70000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/4928-37-0x0000000002CF0000-0x0000000002D1D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/4928-39-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4928-42-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4928-41-0x0000000000400000-0x0000000002B9F000-memory.dmp

      Filesize

      39.6MB

      Download