Overview

overview

10

Static

static

3

eef1bcb2c5...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    111s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-11-2024 15:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eef1bcb2c5a2aaec28eabee46329ae46363082c19c5beb1fe9c762e64957de00N.exe

  • Size

    650KB

  • MD5

    ad8ab0e2b5f002e317a119225c5196e0

  • SHA1

    7f1bcb1b41ef92187c10529c3ba85305e143fcc6

  • SHA256

    eef1bcb2c5a2aaec28eabee46329ae46363082c19c5beb1fe9c762e64957de00

  • SHA512

    7d8f6e2689c54e3ff962060705bffc11194f0571a2c389f6b1c16db7b47228e458462887a6a21a0e25cef2226a922fdfa569861180cb8bc41cf7c569ff14e17d

  • SSDEEP

    12288:9Mrjy90yz4BxwSDZAHgjLF8jmIV5RaApyS93LLbrk/mYcDHOzCCI7M:CygBFDZIgjLF8jDV5Rhpb93LLbrk/mYJ

Score
10/10
healerdiscoverydropperevasionpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 19 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eef1bcb2c5a2aaec28eabee46329ae46363082c19c5beb1fe9c762e64957de00N.exe
    "C:\Users\Admin\AppData\Local\Temp\eef1bcb2c5a2aaec28eabee46329ae46363082c19c5beb1fe9c762e64957de00N.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3268
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1442.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1442.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4404
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tz1684.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tz1684.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4484
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6486tg.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6486tg.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4204

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1442.exe
    Filesize

    322KB

    MD5

    8c25483a0627f60bdf2a7a67360fb632

    SHA1

    cc68e18026f376c8437000ee47ac3a66e8a99253

    SHA256

    974c244d3c560f23f0dec023fc7b8d62223f41ca9a3da9741db9cff6f5de6b58

    SHA512

    3ecbaeb58d4e2790cb08fc69b2c340ba7ef07c076f945a3fac0614fe0d9552faa15b5c3f7103c1213c2b13ca5b79e5ad99e7ee369673813c115b40af5cd53cc8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tz1684.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6486tg.exe
    Filesize

    234KB

    MD5

    01afc6696402aa4600fee7301c30589e

    SHA1

    4e45b4faf8c5472ef87c996698046f1c6b461317

    SHA256

    3665f64788575c20bbd1a2eae3d9711d24c509585a850f45d715bab1c000dc29

    SHA512

    f15ddbd3bb0e532af9d0a0b44d8a5d6c8a27a81a492383e9c579fc118df5c274d2dff36a195b5f0cdbf371caf43311d916150b2a8bf17db0849f34a95b34318a

    Download Submit

  • memory/4204-50-0x0000000004B80000-0x0000000004B92000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4204-47-0x0000000004B80000-0x0000000004B92000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4204-55-0x0000000000400000-0x00000000004A8000-memory.dmp

    Filesize

    672KB

    Download

  • memory/4204-22-0x00000000022E0000-0x00000000022FA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4204-23-0x0000000004BD0000-0x0000000005174000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4204-24-0x0000000004B80000-0x0000000004B98000-memory.dmp

    Filesize

    96KB

    Download

  • memory/4204-25-0x0000000004B80000-0x0000000004B92000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4204-32-0x0000000004B80000-0x0000000004B92000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4204-52-0x0000000004B80000-0x0000000004B92000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4204-53-0x0000000000400000-0x00000000004A8000-memory.dmp

    Filesize

    672KB

    Download

  • memory/4204-48-0x0000000004B80000-0x0000000004B92000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4204-26-0x0000000004B80000-0x0000000004B92000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4204-44-0x0000000004B80000-0x0000000004B92000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4204-42-0x0000000004B80000-0x0000000004B92000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4204-40-0x0000000004B80000-0x0000000004B92000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4204-39-0x0000000004B80000-0x0000000004B92000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4204-36-0x0000000004B80000-0x0000000004B92000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4204-34-0x0000000004B80000-0x0000000004B92000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4204-30-0x0000000004B80000-0x0000000004B92000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4204-28-0x0000000004B80000-0x0000000004B92000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4484-16-0x00007FFE2DD83000-0x00007FFE2DD85000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4484-14-0x00007FFE2DD83000-0x00007FFE2DD85000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4484-15-0x0000000000B50000-0x0000000000B5A000-memory.dmp

    Filesize

    40KB

    Download