healer | c67129b336a4c8cea90b36eafcf4c2cd3084cefefc649e7c62e5890522e7a4ab

Analysis

max time kernel
1s
max time network
7s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2023, 08:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b51efcb9377d2df51a9bd31bfdb540a9.exe
Size

806KB
MD5

b51efcb9377d2df51a9bd31bfdb540a9
SHA1

326569498f9deda2d5c0c154b558e017b6a33e43
SHA256

c67129b336a4c8cea90b36eafcf4c2cd3084cefefc649e7c62e5890522e7a4ab
SHA512

e5f43a23f1966e3eef9935ba8c1bb037ad35c6f01e8ea2b7cf65a6c7795110303f8f791aaaf050c81ff0e6fedd688012dd5c1c6b56d310e4b1f787cb3278aca5
SSDEEP

12288:Tg4roz477H7ePyhORCJUjG/YSnGNtKBYeGE/4fBQLUJF/O2DiEG7:3K47XwFNhS4H/E/4fBS6GYi1

Score

10^/10

healer dropper persistence

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 6 IoCs

resource	yara_rule
behavioral2/files/0x00060000000231d9-174.dat	healer
behavioral2/memory/852-176-0x00000000009B0000-0x00000000009BA000-memory.dmp	healer
behavioral2/files/0x00060000000231d9-174.dat	healer
behavioral2/memory/852-176-0x00000000009B0000-0x00000000009BA000-memory.dmp	healer
behavioral2/files/0x00060000000231d9-174.dat	healer
behavioral2/memory/852-176-0x00000000009B0000-0x00000000009BA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Executes dropped EXE 3 IoCs

pid	Process
2760	v8493689.exe
2760	v8493689.exe
2760	v8493689.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b51efcb9377d2df51a9bd31bfdb540a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b51efcb9377d2df51a9bd31bfdb540a9.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b51efcb9377d2df51a9bd31bfdb540a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b51efcb9377d2df51a9bd31bfdb540a9.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b51efcb9377d2df51a9bd31bfdb540a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b51efcb9377d2df51a9bd31bfdb540a9.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 2760	2296	b51efcb9377d2df51a9bd31bfdb540a9.exe	34
PID 2296 wrote to memory of 2760	2296	b51efcb9377d2df51a9bd31bfdb540a9.exe	34
PID 2296 wrote to memory of 2760	2296	b51efcb9377d2df51a9bd31bfdb540a9.exe	34
PID 2296 wrote to memory of 2760	2296	b51efcb9377d2df51a9bd31bfdb540a9.exe	129
PID 2296 wrote to memory of 2760	2296	b51efcb9377d2df51a9bd31bfdb540a9.exe	129
PID 2296 wrote to memory of 2760	2296	b51efcb9377d2df51a9bd31bfdb540a9.exe	129
PID 2296 wrote to memory of 2760	2296	b51efcb9377d2df51a9bd31bfdb540a9.exe	224
PID 2296 wrote to memory of 2760	2296	b51efcb9377d2df51a9bd31bfdb540a9.exe	224
PID 2296 wrote to memory of 2760	2296	b51efcb9377d2df51a9bd31bfdb540a9.exe	224

C:\Users\Admin\AppData\Local\Temp\b51efcb9377d2df51a9bd31bfdb540a9.exe
"C:\Users\Admin\AppData\Local\Temp\b51efcb9377d2df51a9bd31bfdb540a9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8493689.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8493689.exe
  2⤵
  - Executes dropped EXE
  PID:2760
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8421326.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8421326.exe
    3⤵
    PID:688
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4602877.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4602877.exe
      4⤵
      PID:3932
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8176293.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8176293.exe
        5⤵
        
        PID:852
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7309751.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7309751.exe
        5⤵
        
        PID:1176

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7309751.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7309751.exe
1⤵
PID:1176

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4602877.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4602877.exe
1⤵
PID:3932
- C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8176293.exe
  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8176293.exe
  2⤵
  PID:852
- C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7309751.exe
  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7309751.exe
  2⤵
  PID:1176

C:\Users\Admin\AppData\Local\Temp\b51efcb9377d2df51a9bd31bfdb540a9.exe
"C:\Users\Admin\AppData\Local\Temp\b51efcb9377d2df51a9bd31bfdb540a9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8493689.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8493689.exe
  2⤵
  - Executes dropped EXE
  PID:2760
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8421326.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8421326.exe
    3⤵
    PID:688
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4602877.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4602877.exe
      4⤵
      PID:3932
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8176293.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8176293.exe
        5⤵
        
        PID:852

C:\Users\Admin\AppData\Local\Temp\b51efcb9377d2df51a9bd31bfdb540a9.exe
"C:\Users\Admin\AppData\Local\Temp\b51efcb9377d2df51a9bd31bfdb540a9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8493689.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8493689.exe
  2⤵
  - Executes dropped EXE
  PID:2760
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8421326.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8421326.exe
    3⤵
    PID:688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8421326.exe

Filesize
92KB

MD5
df9ed875d4393727a37c7c4f403c47ab

SHA1
f40a7a75b7eba5fd1709ba91b3f298b087d4dc57

SHA256
a3288c4c5c28e58a24620356b1b3f577c7b9d49b651f862da78e272a71a54431

SHA512
20a74028e0030eb5f2902e79d1541c3bae93963a36bad23e4b28eae568442c2a0471ba65773e3c5e9bb753b112b7a91594b219a9eaa9374245fcb0d3b95b371e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8421326.exe

Filesize
92KB

MD5
df9ed875d4393727a37c7c4f403c47ab

SHA1
f40a7a75b7eba5fd1709ba91b3f298b087d4dc57

SHA256
a3288c4c5c28e58a24620356b1b3f577c7b9d49b651f862da78e272a71a54431

SHA512
20a74028e0030eb5f2902e79d1541c3bae93963a36bad23e4b28eae568442c2a0471ba65773e3c5e9bb753b112b7a91594b219a9eaa9374245fcb0d3b95b371e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8421326.exe

Filesize
92KB

MD5
df9ed875d4393727a37c7c4f403c47ab

SHA1
f40a7a75b7eba5fd1709ba91b3f298b087d4dc57

SHA256
a3288c4c5c28e58a24620356b1b3f577c7b9d49b651f862da78e272a71a54431

SHA512
20a74028e0030eb5f2902e79d1541c3bae93963a36bad23e4b28eae568442c2a0471ba65773e3c5e9bb753b112b7a91594b219a9eaa9374245fcb0d3b95b371e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4602877.exe

Filesize
201KB

MD5
591dca1a2fa6d684227a1b962c1c8233

SHA1
a716b9a9d972c6b2ba3a9e127c4bcde0a92d9412

SHA256
c5a30e522aa83213bc74654ac6855e88db9d862ba078563f7f815e01903173d7

SHA512
87da7cf96f098f0a45bb77944ae73fd0261502cf9fb0f1f9cd745f96ed3fab972c9efb0b861eca86326b095c6fac670d0e75dc3a62f32c850e7ad434e2f689c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4602877.exe

Filesize
201KB

MD5
591dca1a2fa6d684227a1b962c1c8233

SHA1
a716b9a9d972c6b2ba3a9e127c4bcde0a92d9412

SHA256
c5a30e522aa83213bc74654ac6855e88db9d862ba078563f7f815e01903173d7

SHA512
87da7cf96f098f0a45bb77944ae73fd0261502cf9fb0f1f9cd745f96ed3fab972c9efb0b861eca86326b095c6fac670d0e75dc3a62f32c850e7ad434e2f689c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4602877.exe

Filesize
201KB

MD5
591dca1a2fa6d684227a1b962c1c8233

SHA1
a716b9a9d972c6b2ba3a9e127c4bcde0a92d9412

SHA256
c5a30e522aa83213bc74654ac6855e88db9d862ba078563f7f815e01903173d7

SHA512
87da7cf96f098f0a45bb77944ae73fd0261502cf9fb0f1f9cd745f96ed3fab972c9efb0b861eca86326b095c6fac670d0e75dc3a62f32c850e7ad434e2f689c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8176293.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8176293.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8176293.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
memory/852-176-0x00000000009B0000-0x00000000009BA000-memory.dmp

Filesize
40KB

Download
memory/852-176-0x00000000009B0000-0x00000000009BA000-memory.dmp

Filesize
40KB

Download
memory/852-176-0x00000000009B0000-0x00000000009BA000-memory.dmp

Filesize
40KB

Download
memory/1176-167-0x00000000001F0000-0x00000000001FA000-memory.dmp

Filesize
40KB

Download
memory/1176-167-0x00000000001F0000-0x00000000001FA000-memory.dmp

Filesize
40KB

Download
memory/1176-167-0x00000000001F0000-0x00000000001FA000-memory.dmp

Filesize
40KB

Download
memory/2296-133-0x0000000000610000-0x00000000006C7000-memory.dmp

Filesize
732KB

Download
memory/2296-133-0x0000000000610000-0x00000000006C7000-memory.dmp

Filesize
732KB

Download
memory/2296-133-0x0000000000610000-0x00000000006C7000-memory.dmp

Filesize
732KB

Download